At Bora, we want to offer our clients the best possible experience and build trusted relationships. Our commitment to respecting and protecting their personal and sensitive information is part of these trusted relationships. Respecting our clients’ privacy is not just a matter of General Data Protection Regulation (GDPR) compliance; it is our ethos.
GDPR provides the guardrails for safeguarding personal data and aligning business processes with privacy requirements. Although we are professionals in creating engaging and successful cybersecurity content marketing strategies, we are not privacy professionals. To make Bora a privacy-friendly marketing agency, we contracted Digital Law Experts (DLE), a niche technology law firm based in Athens, Greece.
We also thought sharing some insights with our audience on becoming a privacy-friendly organization would be helpful. Therefore, we asked DLE co-founder Konstantinos Kakavoulis to join Tassos for a quick interview. Below is the edited transcript of this interview, which we hope will benefit all.
What is the importance of a marketing agency being a privacy-friendly organization?
Konstantinos: Being privacy friendly is intrinsic to the operation of any business entity and demonstrates that the organization respects the rights of individuals, its employees, clients, and suppliers. In the European Union, we have the richest legal framework for protecting privacy, which provides for important obligations for legal entities and gives individuals significant rights for their protection.
A marketing agency can benefit in many ways by complying with this framework. First, it will eliminate the risk of high fines or legal claims against it. But apart from this, which is the obvious consequence of being compliant, it may have many more benefits. One of these is the protection of its brand and the increase of its reputation. A privacy-friendly marketing agency can use this attribute to differentiate from any other marketing agency. Unfortunately, many marketing agencies lack compliance with the data protection framework. Therefore, a marketing agency that can demonstrate that it respects people’s rights can have a competitive advantage against its market competitors.
It is essential to highlight that GDPR is an opportunity rather than one more check-the-box obligation for companies. They can pioneer in their market and demonstrate they can perform their work equally well to other agencies while respecting individual rights.
What does it take for a company to become privacy friendly?
Konstantinos: We must state that this is a lengthy procedure. It’s more than just drafting and keeping some documents in a file or archive. First, it is about having a policy about how you treat data. Such a policy helps the organization understand how it processes data, meaning it will have a clear and articulate image of all its processes. Apart from this, it would be best to keep individuals informed about how you process their data. And this must be done in a very clear and transparent way. We do not have to have these long legal documents in place. Protecting personal data is more efficient when you provide individuals with clear and concise notices about how you will treat their data.
When you have all this in place, you should always seek the best associates when processing personal data. Every company nowadays cooperates with other companies and shares personal data with partners to perform everyday duties. You have to be very careful when choosing the companies you collaborate with. And finally, it comes to informing your employees that process personal data about its importance and that the company does not own this data. This data is owned by the individuals that have given this data to the company. It is essential to continuously train and maintain a high level of awareness in the company’s employees on handling personal data appropriately.
Can you highlight the steps an organization should follow to become privacy compliant?
Konstantinos: First, have a very clear data flow so that everybody knows the lifecycle of the data; where this data is collected from, where it is processed, how it is processed, who has access to it, and finally, if and how, and when it is deleted.
Then it is essential to keep track of all the data processors and other entities, either natural persons or legal persons, that will process personal data on behalf of your company or jointly with it. It is best to have stringent agreements with them on how they will process this data.
Third, you must provide privacy notices to all individuals on how the company will process their data. And after that, more technical documents may be required, such as a data protection impact assessment (DPIA), a data breach policy, or a CCTV policy if the company uses such a system for its protection.
How can privacy professionals like yourself help businesses and marketing agencies become privacy-friendly? What consultancy do you offer these companies?
Konstantinos: We live in an era where people tend to specialize more and more in their fields. Specialization is needed because things around us change a lot. We can see this in every industry and every field. It is also important to note that data protection and privacy is a new field. Although we have had legislation in the European Union since the nineties, GDPR, which came into force in 2018, is only a five-year-old child.
Just like babies evolve and change a lot every single day, the same is true for GDPR, with a significant difference. GDPR is a young child that is being shared by 28 states. Each of these states tends to translate it to implement it slightly differently. So it’s actually like having 28 different parents for this child. You can easily imagine that this child evolves even at a higher rate than an average child would.
So it is crucial to be aware of all the changes occurring in GDPR every single moment, not just every day. I would say that having a data protection specialist can help provide day-to-day advice on all these changes and how a company should implement them. With this specialization, it would be easier to keep up with all the updates taking place every day and every week.
Just like companies have marketing specialists for their marketing departments, financial specialists to handle their financial arrangements, or tax specialists when complying with tax obligations, they should also have to use a data protection specialist when it comes to protecting personal data.
Bora would like to thank Konstantinos Kakavoulis and Stefanos Vitoratos at DLE for all their hard work and cooperation!