Editor’s Note: Today’s post is by Anne Stone, Senior Manager, TBI Communications. Anne joined TBI in 2016 as a marketing consultant serving the publishing and research ecosystem. She has worked in marketing and publishing for over 20 years at organizations including Wiley, Blackwell, Pearson, and Constant Contact.

Over the last several weeks, most of us have been inundated with requests to (re-)opt in to receive emails from organizations that we have interacted with in the past. We have opted in again to our favorites (after receiving a notice or two) and probably also unsubscribed from others – or at least tried to, hoping the new preferences ‘stick’ in the system. Some of us may also have developed a compulsion to eat cookies after reading so many pop-up notices!


Why the barrage of notices? The GDPR (General Data Protection Regulation), enforced by the EU and UK Information Commissioner’s Office (ICO), goes into effect today, May 25, 2018. The data covered by this regulation may be as simple as an email or IP address or as sensitive as individual biometrics, stored in the cloud by your personal fitness tracker app, or via patient electronic health records. The GDPR promises EU citizens greater control over their data while requiring those who process personal data in the EU, or about its citizens, to take responsibility for its protection.

Not since the Data Protection Act of 1998 and the CAN-SPAM Act of 2003 have so many resources been directed to updating privacy policies, opt-in notices, and email lists. But, despite having over two years to prepare, not everyone is ready for GDPR. Early in 2018, Forrester Research predicted that 80% of firms affected by GDPR will not comply by the deadline. Of those, they estimated that, while 50% will try and fail, the other 50% will intentionally fail to comply after weighing the risks and costs. Responses to the International Association of Privacy Professionals’ 2017 survey of practitioners indicated that only 40% would be compliant by May 2018. The results also suggest that Fortune 500 companies will spend a combined $7.8 billion on compliance – an increase per employee across all organization sizes of 18%, from $124 in 2016 to $147 in 2017. Survey results indicated that organizations expect to add more than two full-time employees just to help with GDPR compliance.

What are the risks?

Under GDPR, the fines for non-compliance can be significant — €10 million, or 2% of worldwide annual revenue at lower levels of infringement, increasing to €20 million / 4% for more serious breaches, based on several criteria. Veritas, a Silicon Valley provider of security services, conducted a survey of over 900 global organizations in April 2017. The respondents’ biggest concern about GDPR was that these high penalties could impact their business. Devalued brands and a loss of customers due to negative social media exposure were the other major concerns. Since then, of course, Cambridge Analytica and its parent company, SCL Elections, have been shuttered, filing for bankruptcy in the US on May 18, 2018, and Mark Zuckerberg has testified before the EU Parliament, to a cool reception, and before Congress, anticipating increased US regulation – none of which could have been predicted at the time of the Veritas survey, but which would likely change the results if it were carried out again now.

It is difficult to predict how the new regulation will be enforced. Dr. Alison Cool, Assistant Professor of Anthropology and Information Science at the University of Colorado, Boulder, discusses some of the ambiguity and complexity in her recent New York Times opinion piece. She notes that each country has “different historical experiences and contemporary attitudes about data collection. Germans, recalling the Nazis’ deadly efficient use of information, are suspicious of government or corporate collection of personal data; people in Nordic countries, on the other hand, link the collection and organization of data to the functioning of strong social welfare systems.” In the course of interviewing scientists, data managers, legal scholars, lawyers, ethicists and activists in Sweden, she writes: “I learned that many scientists and data managers who will be subject to the law find it incomprehensible. They doubted that absolute compliance was even possible.”

Data protection and the leading edge of research

The UK’s ICO website makes it simple for anyone to “report a concern.” The UK Commissioner also has a very transparent way of communicating about transgressors and consequences, putting organizational brands and personal reputations in the spotlight.

For example, in the “Action We’ve Taken” section, it is easy to find an investigation into the UK’s Royal Free NHS Foundation Trust, which in 2015 entered into an agreement to provide data from around 1.6 million patients to Google DeepMind as part of a trial to test an alert, diagnosis, and detection system for acute kidney injury.

In 2016, in response to media coverage, the UK ICO launched an investigation into this agreement under the 1998 Data Protection Act. The findings indicated “several shortcomings in how the data was handled.” It found that pseudonymization of patient-identifiable data was not undertaken, because the Trust held the view that the real patient data should be made available to demonstrate the clinical safety of new technology and for direct patient care. Elizabeth Denham, UK Information Commissioner, did not doubt “the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.” Denham expanded on four lessons learned from this case. Had the GDPR been in effect when this case was investigated, these lessons might have been costly for the Royal Free NHS Foundation Trust, as the data controller, because the data falls into the category of ‘sensitive.’ However, in this case, they were not asked to pay fines but instead to conduct a prescribed “undertaking” to bring data processing into compliance.

The Financial Times recently reported that Denham has now secured budget to increase her staff by one third, to about 720 by 2020. In the first year, she plans to increase staff by 40% in Dublin, where many US companies have European headquarters, recruiting criminal lawyers and staff with investigative experience. “To use the big corrective powers that really bite we will have to be demonstrably showing we’ve followed fair process,” she says. However, the EU’s European data protection officer, Giovanni Buttarelli, warned in 2015 that even his staff — of 2,500 — was not enough to supervise compliance with a complex law. Jacob Kohnstamm, former chair of the Netherlands’ data protection authority, said in 2015 that “the chance of having the regulator knock on your door is less than once every thousand years.” It is no wonder many organizations are focusing more on risk management instead of compliance!

But GDPR won’t just impact data protection in Europe. For example, the NIH is currently seeking to enroll one million volunteers in the All of Us Program, part of the Precision Medicine Initiative (PMI). Volunteers share their medical information to be used by researchers with the goal of speeding breakthroughs. Protecting privacy is a first principle – critically so, since the initiative addresses advances in genomics, big data, and health care technology. The PMI Privacy and Trust Principles and the PMI Data Security Policy Principles and Framework specifically address security and de-identification — the removal of identifying information (such as name, date of birth, address, social security number) from a dataset, so that information is not directly or indirectly linked with specific individuals. Anyone living in the US is eligible to participate, so, should any EU citizen living in the US participate, their personal data protection rights under GDPR must be supported by the NIH’s privacy practices, since GDPR affords EU citizens their rights no matter where the organization is located or where the citizen lives.
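To make the de-identification described above (and the pseudonymization the Royal Free case turned on) concrete, here is an added worked example. It is not the NIH’s, PMI’s or any cited organization’s tooling; the patient records and the key are constructed for illustration. It strips the direct identifiers the paragraph lists, replaces the patient number with a keyed pseudonym so a study can still link one patient’s visits, generalizes date of birth to a birth year, and then checks the remaining quasi-identifiers for combinations that would still single out one person (the “indirectly linked” case).

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

# Constructed sample records for illustration only; no real patients.
SAMPLE_RECORDS = [
    {"patient_id": "P001", "name": "Ada Example", "dob": date(1954, 3, 2),
     "address": "1 Sample St", "ssn": "000-00-0001", "postcode": "NW3",
     "creatinine": 1.9},
    {"patient_id": "P001", "name": "Ada Example", "dob": date(1954, 3, 2),
     "address": "1 Sample St", "ssn": "000-00-0001", "postcode": "NW3",
     "creatinine": 2.4},
    {"patient_id": "P002", "name": "Bob Example", "dob": date(1954, 7, 19),
     "address": "2 Sample St", "ssn": "000-00-0002", "postcode": "NW3",
     "creatinine": 0.9},
    {"patient_id": "P003", "name": "Cy Example", "dob": date(1932, 11, 5),
     "address": "3 Sample St", "ssn": "000-00-0003", "postcode": "EC1",
     "creatinine": 1.1},
]

# Fields that directly name a person; they are dropped (or replaced) on release.
DIRECT_IDENTIFIERS = {"patient_id", "name", "address", "ssn", "dob"}
# Fields that survive release but can still identify someone in combination.
QUASI_IDENTIFIERS = ("birth_year", "postcode")


def pseudonym(patient_id, key):
    """Keyed pseudonym via HMAC-SHA256. Same id + same key gives the same
    token, so one patient's records stay linkable within the study; without
    the key the token cannot be recomputed from a list of known ids, which a
    plain unkeyed hash would allow. The key stays with the data controller
    and is never shipped with the released dataset."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def deidentify(record, key):
    """Return a release copy: direct identifiers removed, patient_id replaced
    by a keyed pseudonym, date of birth generalised to birth year. Clinical
    values (here creatinine) are passed through unchanged."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = pseudonym(record["patient_id"], key)
    out["birth_year"] = record["dob"].year
    return out


def small_groups(records, fields=QUASI_IDENTIFIERS, k=2):
    """Indirect-linkage check: for each combination of quasi-identifiers,
    count the distinct individuals (pseudonyms) sharing it and return the
    combinations with fewer than k. A (birth_year, postcode) pair held by a
    single person still points at that person even with the name gone."""
    people = defaultdict(set)
    for r in records:
        people[tuple(r[f] for f in fields)].add(r["pseudonym"])
    return {combo: len(ids) for combo, ids in people.items() if len(ids) < k}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-secret"  # hypothetical; hold it separately
    released = [deidentify(r, key) for r in SAMPLE_RECORDS]
    for r in released:
        print(r)
    print("quasi-identifier groups below k=2:", small_groups(released))
```

Two design points worth noting. The pseudonym is keyed rather than a bare SHA-256 of the patient number, because patient numbers are low-entropy and an unkeyed hash of them is trivially re-identifiable by anyone who can enumerate the id space. And removing direct identifiers is only half the job: the `small_groups` check shows that the 1932/EC1 record is still unique after release, so a real pipeline would generalize further (age bands, coarser postcodes) or suppress that record before sharing.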

Data protection and industry initiatives for data sharing and openness

For the research and publishing communities, data protection requirements intersect with initiatives to increase transparency, openness and reproducibility. At the ISMTE 2016 meeting, Brooks Hanson, now Vice President of Science at the American Geophysical Union, presented “Best Practices Around Data for Journals, and How to Follow Them.” He addressed industry alignment around making data, software, and computational methods available among publishers, repositories, funders, and non-profit industry organizations. This includes the Transparency and Openness Promotion (TOP) Guidelines (now with more than 5,000 signatories), which are a widely used tool for implementing open science practices, including sharing data sets as part of the publication process. Increasing awareness and education on best practices for data collection, storage, and sharing can mitigate the risk of publishing datasets that lack appropriate consent or may expose sensitive data.

More immediate consequences – will journal usage decline?

Each month, millions of content alerts are emailed by publishers. While search is the predominant path to journal article discovery, email alerts are still valuable to readers, according to the latest version of Gardner and Inger’s report, “How Readers Discover Content in Scholarly Publications”, published in 2016. When asked “How did you discover the last journal accessed?” respondents in 2015 ranked “following a link from a journal issue/topic alert” ahead of social media across all sectors, though social media had gained traction since 2012. Only search consistently ranked more highly than e-alerts and recommendations.

As the authors commented: “Email based alerts, whether table of contents alerts, or saved search alerts have an advantage because they are under user control, and most likely are set up for content that the user knows he has access rights to use. The resource has gained the user’s trust.” The much-anticipated update to the report, based on their 2017 survey, will be released during the SSP meeting in Chicago next week, when we will see if email still holds a top position for discovery.

There’s no doubt that email alert subscribers are likely to be among your most loyal readers – and members, for society publishers. In market research conducted for diverse clients, my organization (TBI Communications) consistently finds that researchers say they start their discovery process by going to the trusted journals in their specific field.

Email alerting systems are, most often, automated so that new content is reliably delivered as soon as it is available online. But building a loyal reader base and strong email lists takes ongoing effort – it’s not ‘set it and forget it’ marketing. E-alerts are extremely efficient compared to social media, where there is little control over who sees the post and every message must be individually crafted.

If you currently deploy e-alerts, a health check may be worthwhile, to assess whether they’ve been impacted by GDPR. Questions to ask include:

  • How big were your e-alert lists before GDPR efforts started?
  • What were the open/clickthrough rates?
  • How did that convert to readership/usage?
  • What percentage of site usage has been attributed to e-alerts?
  • Are changes in this usage corresponding to changes in the list size?
  • Or, are the loyal readers/members signed up for e-alerts continuing to behave the same way regardless of list size?
  • What are the long-term trends in e-alert sign up rates?

Depending on the answers to these questions, re-engagement campaigns may become a 2018 priority for many publishers. This includes taking a fresh look at the complete user experience and communications around alerts and email preferences. For example, some publishers are investing in direct outreach to their EU library customers, including telemarketing to ensure that proper consent is obtained to store customer contact information in Customer Relationship Management systems (CRMs) and that communication preferences for individuals are logged. Telemarketing also affords the opportunity to update incorrect or out-of-date information, without requiring customers to interact with a system or remember a password.

Whether via telemarketing, emails, e-alerts, or any other form of communication, anyone who interacts with publishers and societies – as an author, editor, reader, or member – can expect more opportunities to choose whether and, if so, how they want to continue those interactions. Don’t wait any longer: update your email preferences! Because ready or not, here comes GDPR.

Discussion

5 Thoughts on "Guest Post: GDPR Day Is Here – What Happens Next?"

There are a couple of errors in this article. Firstly, “enforced by the EU and UK Information Commissioner’s Office (ICO), goes into effect today” is misleading. Each EU Member State has its own enforcement office. The EU doesn’t run one, and the UK is just one of the 20+ Member States to have one. Also, it is worth noting that in the UK, GDPR has been converted into an Act of Parliament, the Data Protection Act 2018.

The statement about fines is also incorrect: “€10 million, or 2% of worldwide annual revenue at lower levels of infringement, increasing to €20 million / 4% for more serious breaches”. The figures quoted are absolute maxima, and the vast majority of fines, when they come about, will be much smaller.

Of course, you are correct, Charles. I did call out the UK ICO, but did not point to the several data protection agencies within the EU. In Germany, for example, there is the Bavarian Data Protection Authority for the Private Sector, https://www.lda.bayern.de/en/duties.html. Another example is the Dutch Data Protection Authority, https://autoriteitpersoonsgegevens.nl/en. I recommend the Financial Times article for a brief discussion of the complexity of which authority is responsible for governance based on the case and the European presence of the organization involved.

Regarding fines, the link to the several criteria about how fines are determined is a starting point for understanding the risk of fines. The data protection authorities may be more interested in rectification of the problems, but that still can come with costs. The best advice I’ve seen is to keep watch on the cases as they advance. The Dutch DPA site currently features an update about their case against Microsoft. Microsoft was collecting telemetry data from Windows 10 Home and Windows 10 Pro users contradictory to privacy legislation. There is no mention of fines, but the action required was an update to Windows in April 2018, which must have had costs if only in terms of resources – and in terms of time for the millions of people who had to download the update.

Nice summary, Anne! At the STM meeting in April, Reggie Henry, CIO of ASAE, had a good line wrt to today’s deadline: “When somebody asks me what they should be doing about GDPR, I tell them they should get an attorney.”
