Designed to make sense of how to stay compliant while using data to inform business decisions.
Celestine Bahr & Tilman Harmeling
Director Legal, Compliance and Data Privacy & Senior Expert Privacy, Usercentrics
Celestine Bahr: Small companies or startups usually have great expertise in their specific area of business. They are experts in setting up their business strategy. Often there is also a great marketing and social media affinity and nowadays great technical know-how — especially in ecommerce or SaaS. However, small companies usually don’t have the knowledge, resources or financial means (e.g. data protection experts, lawyers, information security experts) to review their data-based business strategy from a legal, data protection and IT security perspective.
This can lead to a situation where the marketing and sales-driven strategy works great, but there are significant gaps in data protection and IT security. Such companies then start with a questionable concept for the reasons mentioned above, and all further processes and structures are then built on this.
As a result, small companies have a significant risk of not growing in a data protection-centered or IT security-compliant manner. If legal or other advisors with the necessary know-how are brought in later, it can be very difficult and complicated to break up existing structures and processes to change them in a data protection-compliant way.
As a lawyer and Legal Counsel for companies, I would always recommend that small companies do not cut corners in the founding phase of their business, but get expert advisors on board to help implement compliant processes right from the beginning. It also helps to implement professional tools to achieve necessary and compliant scalability. This helps ensure small companies are compliant right from the start, and helps them to grow homogeneously. These processes and structures should also be reviewed regularly by experts, especially when small businesses are still in the growth phase and in constant flux.
Tilman Harmeling: It’s not that easy to answer. Because of the high complexities of the GDPR itself and the changing market environment there are many potential pitfalls.
A good example is the end of third-party cookies. Historically many companies have relied on third-party cookies. Their adtech strategies are built on them. It is complicated to change that now into a data strategy, for example first-party solutions.
This can especially be challenging for smaller companies for many reasons. They have a smaller audience than big companies, so they receive less data. They also usually don’t have the internal resources to handle this kind of data.
Tilman Harmeling: I wouldn’t necessarily say that the benefits of data have changed. Companies still want to sell more products, understand users’ behavior, or improve the website, app or product. We can still see a lot of third-party technologies integrated into our customers’ martech stack. But this will change.
Celestine Bahr: In the online advertising industry, when using personalized ads it is important to explain to users how data about their online activities will be used to improve the ads presented to them. Users must also be given meaningful choices about how this data is used.
Personalization and data protection are often seen as opposites: you can't have both and have to choose one or the other. I don't necessarily agree with this. Rather the opposite is or can be the case.
On one hand, our society is becoming more and more digital and data-driven. On the other hand, many people become uncertain while using these offers, combined with a fear of losing track of or control over their data. We hear about dark patterns, data scandals, data brokerage, and much more.
At the same time, more and more regulations are being developed to address this, setting global and European standards (such as the GDPR and ePrivacy Directive, or the BDSG and TTDSG in Germany). These laws strengthen the fundamental rights of citizens in general and the quasi-definition of a fundamental right to data protection in particular, as well as providing elementary social mechanisms and future technologies with rules built in.
By collecting data at various points, the clearest possible picture can be created within an overall view. This includes, for example, online behavior, shopping habits, requests to a virtual assistant, or even a vehicle’s pattern of movement. In the context of online advertising, an attempt is then made to use such a profile and the associated targeting to bring the playout of advertising as close as technically possible to the ideal situation described above.
If used correctly, this can be done in a way that complies with data protection laws and benefits users, since they are shown advertising that matches their interests.
Tilman Harmeling: They can and should. We see many attempts in the market from companies that are trying to find solutions that make this coexistence possible. An example would be grouping of persons or cohorting. We don’t necessarily need so many personal attributes. Sometimes it is sufficient to only aggregate non-personalized data to fulfill a data strategy. The keyword is data minimization.
But next to the question of how much data is actually required is the question of what companies are offering in exchange for data. In general, users would like to have relevant recommendations, special offers, great user experience, or all of these. When the data exchange can offer that, then both sides can be happy. But of course it needs to be compliant and transparent.
Celestine Bahr: Clean processes and structures, regular reviews of the existing organization, and appropriate technical tools can help to keep compliance at a high level and build a good basis for scalability.
Celestine Bahr has been Director Legal, Compliance & Data Privacy at Usercentrics since June 2022. In this role, she is responsible for all legal issues at the company, especially in the areas of IT and data protection law, compliance, contract law and competition law. Previously, she worked as Director Legal, Compliance & Data Privacy at AMORELIE in IT and data protection law, compliance, contract law, competition law, employment law and product law. She also worked for four years in Deutsche Telekom AG’s legal department, and four years at STRATO AG, where she specialized in IT and data privacy law. Celestine has been a licensed attorney since 2009 and runs her own law firm in Berlin, where she mainly handles IT and data protection law, as well as employment law matters. She was trained as a data protection officer at TÜV, is a mediator, and has completed specialist attorney training in the areas of IT law and employment law.
Having focused on the business and technical complexities of privacy throughout his career, Tilman has gained a variety of experience about how privacy markets work. He joined Usercentrics in 2018, and as Senior Expert Privacy, his goals are to understand the privacy landscape and find opportunities for innovation. He works with global enterprises and universities, and is also a sought-after speaker on current privacy topics at events like PrivSec Global, OMR, DMEXCO, BCG MarTech Series and Leadership Beyond Borders.
Usercentrics is a global market leader in the field of Consent Management Platforms (CMP). Usercentrics enables businesses to collect, manage and document user consents on websites and apps in order to achieve full compliance with global privacy regulations while facilitating high consent rates and building trust with their customers.
Usercentrics believes in creating a healthy balance between data privacy and data-driven business, delivering solutions for every size of enterprise. Helping clients like Daimler, ING Diba and Konica Minolta achieve privacy compliance, Usercentrics is active in more than 180 countries, with 2000+ resellers, and handles more than 100 million daily user consents.
Learn more on https://usercentrics.com/
Ryte Bites offers a unique perspective on the digital industry, making it the new digital destination for web changers. It's designed to reveal the true success drivers of an ever-changing digital world. Encouraging readers to change the web for the better.