Commentary

The Scary Links Among AI, Data, Privacy -- And A $24M Fine

In other contexts, I write a lot about cybersecurity. So, when I saw the acronym “GDPR” in one of Kantar Millward Brown’s 2018 predictions, very near this sentence: “The question that remains to be answered in the field of marketing AI will be one of privacy and control,” I shuddered involuntarily.

I’ve written in this space before that data is the oxygen of modern marketing. As artificial intelligence hype skyrocketed in the past year, many others began to recognize that large mountains of good, clean data are key to success if you want to use AI in your marketing.

That’s a major challenge for most organizations, because until the Big Data era came suddenly upon us, the vast majority of companies sucked at what the IT folks call “data hygiene.” Since the arrival of Big Data is so recent, these companies still do.

Let’s say you get past that challenge.

Then the best kind of data to have is data about your audience of prospects — the more detailed, the better. And, of course, the more personal, the better. That means personally identifiable data, or what the cyber experts call PII. Marketers can use AI to analyze that data and better understand individual prospects, at scale.

Therefore, collecting PII on large audiences, and feeding that Big Data into machine-learning algorithms, offers marketers great power.

You know the rest. Repeat after me: With Great Power, Comes Great Responsibility. You must keep people’s data safe.

Now the European Union has put a price on that cybersecurity responsibility: €20 million, or $23.6 million (when I checked the exchange rate late last night).

This may sound confusing at first (I’ll show the math in two paragraphs), but that’s the lowest possible mandatory maximum fine that can be levied against your company by the EU if you fail to protect people’s data, or if you don’t properly manage your data according to the rules laid out in the EU’s General Data Protection Regulation (GDPR).

There are actually a complex variety of different fines and levels and whatnot, but the maximum fine is €20 million or 4% of your company’s global revenue, whichever is greater. GDPR becomes effective on May 25.

And don’t think because yours is a U.S. company, GDPR won’t apply. A lot of smart folks mistakenly believe the “G” in GDPR stands for global, because the EU has made clear that it will apply these rules to any company, headquartered in any jurisdiction, that does any business with any person or persons in any EU country. What with soaring levels of cross-border ecommerce, and the internet’s more general ability to put buyers and sellers in touch across national borders, who isn’t doing business with EU customers?

Do the math. If a company generates $1 billion in global revenue, its maximum possible fine under GDPR regulations is $40 million. At $2 billion, it’s $80 million, and so on.

Apple’s trailing 12-month revenue at the end of the third quarter of 2017 was $229.2 billion, so its maximum potential GDPR fine, should it earn one, would be $9.2 billion, with a “b.”

Here are just a few key GDPR requirements:
-- Companies must name a “lead supervisory authority” within the EU (that is, a given country’s cyber regulatory agency, presumably the country where you do the most business, but not necessarily) and report any data breaches to that authority within 72 hours.
-- Companies must get the proactive consent of whoever’s data they have.
-- Companies must be able delete anyone’s data upon their request — an extension of the EU’s “right to be forgotten” law.
-- Companies can only use data for the “original purpose” for which they collected it.
-- They must appoint a DPO (data protection officer).

In a study earlier this year sponsored by data security firm Veritas, 21% of 900 global respondents feared fines for noncompliance with the GDPR could lead to layoffs, and 18% believed the fines could be significant enough to put them out of business. Respondents all had 1,000 or more employees.

If you’re a marketer with customers in an EU country, and you want to use AI to enhance your efforts, you’re going to need a large lake of data. And you’re going to have learn how to keep that data safe — or pay a very steep price.

Next story loading loading..