What made you decide to write the book?
I felt there was a need to write a book for a marketing and communications audience. Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, the issue of data protection has been at the forefront for many marketing teams. Most of the texts currently available are aimed more at legal or compliance practitioners. I wanted to provide marketing professionals, as one of the largest users of personal data within organisations, with a practical, straightforward publication that covered the key aspects of data protection along with useful case study examples relevant to the work they undertake.
At a broader level, I have penned many articles on data protection, strategy and marketing over the past number of years. Writing a book seemed a natural evolution of this process, to provide something that could contribute in a helpful and meaningful way to the greater adoption of data protection best practice.
What are the key take-outs from the book?
The book seeks to provide an overview of the key aspects of GDPR. For example, it looks at what constitutes personal data, the lawful bases for processing, the responsibilities of data controllers and processors, and the data protection principles underpinning the regulation.
In addition, I provide readers with a background to the history of data protection, and the different approaches to data privacy in jurisdictions such as the EU and USA. I also look at some of the challenges the Regulation is currently facing and may face in the future, as well as proposing mental models teams can apply when seeking to build a strong data protection culture.
For a marketing leader or team wishing to upskill in data protection, where should they start?
For teams seeking to increase their data protection competence, the best place to start is with a solid understanding of the legal bases for processing and the seven core data protection principles. These form the bedrock on which the GDPR is built. Following on from there, I emphasise throughout the book the importance of ongoing training, both for new and existing staff. This allows a team to iteratively develop their understanding of privacy best practice. Many firms undertook once-off training in the run-up to the introduction of GDPR; the real benefit is from a long-term commitment to upskilling in this area.
Lastly, having clarity on how to respond to subject access requests and other means by which consumers can exercise their data protection rights is key. Putting in place good processes, with clearly defined owners, is one of the best ways of ensuring that a company can respond within the time limits set by the GDPR.