The opportunities of the GDPR for Digital Marketers, and a preview of the legislation itself (PDF download)
What lies at the heart of the General Data Protection Regulation (GDPR), or EU data law, is that the current level of consumer opt-in consent used in nearly all consumer contact will not be sufficient under the new regulations. That will render data unusable, or leave its users facing the prospect of proposed fines running to tens of millions of euros. Also, the consent terms used when seeking consumers’ permission for the collection and use of their information will have to be far more clearly defined. This article reviews the implications for marketers of the GDPR, concluded on 15th December 2015 with the final agreement defined at the Data Protection Trilogue negotiations, which took place between the European Commission, European Parliament and Council of Ministers.
Key components of the GDPR
GDPR covers areas such as personal privacy and security, but from a marketing perspective it is about the new consumer opt-in permission rules. It means all data will have to be audited against the new standards, and where it does not conform it will need to be refreshed by asking for enhanced consumer consent. There is also a need to create an effective storage system for individual consent forms, and a method through which consumers can ask for information held on them to be removed, and have it removed.
The implications for Digital Marketers?
For digital advertisers and agencies there is still a need to establish clarity on how the law will be interpreted in the case of pseudonymous data. The submissions of the EU Parliament, Council and Commission to the working document upon which the law will be drafted are not clear on this point.
What may be just as important is the way the Information Commissioner's Office (ICO) interprets and applies the law in the UK. However, what is clear is that any attempt to append additional information to pseudonymous data in order to identify individuals without their permission will not be allowed.
As far as all other forms of digital communication are concerned, GDPR means facing up to the challenges that other data marketers face.
These are not insignificant tasks, and they will not be quick to implement. But no matter the level of frustration generated, the only alternative to becoming compliant is to accept that databases will have to be written off. However, there is potentially positive news in all of this. If you have to contact customers and prospects to renew consent, that contact can be used to gain new data on a large and detailed scale, and at the same time to make offers directly. The benefits can actually be made to outweigh the negatives.
Of course, there is a temptation to look for a shortcut, or to delay aspects of the compliance process, but these only delay the inevitable, and are more costly in the long run. All companies at some stage will come under scrutiny from the Information Commissioner's Office (ICO), or members of the public, and the combination of hefty fines and consumers having the ability to claim damages for misuse of information is difficult to ignore. There could even be the possibility of a PPI-type move towards the public demanding compensation on a large scale, plus, of course, harm to brand reputation.
Seek help to manage the task of compliance
From the start, it is advisable to seek help. Few brands or agencies are equipped to manage the compliance task, and there are more than a few data suppliers that struggle to understand what is involved in GDPR. So when seeking support, make sure it comes from established, reliable sources. A compliance heritage is a must; also ask detailed questions about the forthcoming regulations. If there is hesitation, look elsewhere. Inevitably a small industry of compliance advisors will emerge, so make sure the right one is sourced.
The other job at the top end of the to-do list is to appoint someone to be responsible for overseeing the compliance process. If nobody is given ownership, there is a possibility that the job will get pushed back and forth and ultimately not get done, or be implemented badly. Either way the result could be costly.
Whoever takes charge, their responsibilities should include producing written guidelines on GDPR and distributing them to all relevant personnel. The guide should set out what is, and what is not, allowed in terms of consumer data so that individuals can do their jobs safe in the knowledge that they are not breaking the new law.
Data audits and changes to data protocol are not things that can be rushed, and may take months of work, including changes to software. Currently, for example, there are very few CRM software systems with a storage function for keeping consent forms.
Even though the new EU law may not be introduced until the end of 2017, or even later, the lawmakers and bureaucrats in Brussels are perfectly capable of acting more quickly than predicted. More importantly, it may take some data owners a year or more to prepare. Even starting work on compliance today will be too late for some. Delay is a risky strategy given not only the potential financial penalties, but also the investment needed in any last-minute intensive bid to play catch-up.
To continue to use data, there are four key tasks that have to be completed: establishing whether or not the current level of opt-in permission meets the new unambiguous terms required, amending the consent terms, contacting consumers to upgrade the consent level to the new standard, and storing consent forms from every consumer, whether in electronic or paper form.
Consumer consent is key
There is widespread confusion about the definition of the ‘unambiguous’ permission criteria in the forthcoming law. A good illustration is that it will be like a traffic light system. Consumer consent will have to be sought and provided if you want to convey information about a given subject to a customer or prospect through a given communication channel. Later you may wish to communicate about another subject in another way, and that would be like stopping at another set of traffic lights, at which fresh permission must be asked in order to move forward once more.
Storing consent forms is something that most data owners have never had to do before, but in future all forms will have to be presented if the ICO requests them. Creating a storage facility is therefore a key element of compliance.
The other task is to enable consumers to have their data removed quickly if they request it. The ‘take down’ clause, as it is becoming known, means having to provide a clearly identifiable route for members of the public to make contact and have their request made known and acted upon.
Develop a new data regime
What is of almost equal importance to becoming GDPR compliant is maintaining a new data regime. Regular reviews will put any emerging problems right, and remove the risk of sanctions, or of having to undertake data overhauls. Qualified third parties will be able to make objective assessments, and also give advice on making improvements to data protocol and use of data.
If it is necessary to refresh opt-in consent levels by contacting consumers, it is possible to use that contact to learn a great deal more about them, discover their real buying potential and purchasing triggers, and during that process sell or make offers directly to them. The compliance process can be used as an opportunity for improving market knowledge, driving sales or recruiting more customers.
The ICO recently made it clear that any organisation that is not fully compliant when GDPR is enacted will not necessarily be sanctioned if it can demonstrate that it has made a real attempt to prepare for it. This is more to do with the technicalities of compliance than the level of effort, and what was emphasised was that token gestures would not be accepted. You either prepare for the new law, or you do not.
The legislation
This PDF on the implications gives a breakdown of the law in its current draft state, showing the differences between the law as adopted by the European Parliament and the amendments of the European Commission and Council. It is not a quick read, and it is written for legal purposes, so the language is somewhat dense. However, if you are a large company that the GDPR will affect, it is worth getting your legal department to have a look so they can understand how the law is shaping up.
Thanks to Anthony Hawkins for sharing their advice and opinions in this post. Anthony Hawkins is Managing Director of Verso Group. You can connect with him on LinkedIn.