The General Data Protection Regulation (GDPR) will apply from 25th May 2018, less than a year from now.
Whilst there is still some ambiguity in the guidance offered on GDPR in the UK by the Information Commissioner’s Office, savvy marketers that understand their customers shouldn’t have too much to worry about.
Best practices that have been identified for some years will likely be enough for marketing to fall in line, alongside one or two changes to your data strategy.
But many businesses don’t feel ready
As pointed out in Marketing Week, only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant come May 2018. This may partly be due to ICO definitions when it comes to lawfulness of data processing.
The GDPR sets out a number of legal bases available for processing personal data (read them here). One of these states that data processing is lawful if ‘necessary for the purposes of legitimate interests….’
The question is – what does ‘legitimate interests’ mean? GDPR states that direct marketing is indeed a legitimate interest, though the ICO has given no further guidance. The ICO and GDPR do make clear, though, that where consent was sought under previous EC regulations ‘you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR.’
In short, using personal data to power direct marketing shouldn’t be a problem if you have already communicated with the consumer in the right way.
Plain language FTW
So, what is the right way to communicate with people? The right to be informed means that users should be supplied with a whole raft of information about how their data may be processed (read the list here).
Much of this is unchanged, but in a neat summary of GDPR advice for small businesses, the EC makes clear that what is important here is the use of plain language – telling the user who you are, why you are processing their data, how long it will be stored and who receives it.
This is one of the important points of GDPR, which necessitates that information should be ‘concise, transparent, intelligible and easily accessible’, as well as ‘written in clear and plain language, in particular for any information directed towards a child.’
Marketers worth their salt will hopefully already have been working towards these ends, as well as demanding ‘clear affirmative action’ when a user gives specific and informed indication of their wishes.
Any marketers out there who are still persisting with checkboxes that come pre-clicked will need reminding of the penalties that failure to comply with GDPR can bring, not to mention the fact that the consumer expects better (though it should perhaps be noted that the fines widely reported of 4% of annual turnover are a worst case scenario for the biggest GDPR trangressions where no mitigation is attempted).
Data breaches pose a challenge
A recent survey of 187 marketing and advertising companies by Irwin Mitchell (conducted by YouGov) revealed that 70% of respondents were uncertain of their ability to detect a data breach. Only 37% said they would be equipped to notify users within the GDPR-required 72 hours.
There are criteria for what constitutes a breach (read them here) and the ICO advises businesses to ‘make sure that [their] staff understands what constitutes a data breach, and that this is more than a loss of personal data.’
Marketing as the voice of the customer may be able to play a role here in helping IT and data officers to communicate with the wider business about what is required.
Profiling regulations may guard against the dangers of AI?
GDPR dictates that any profiling using customer data that has a significant or legal effect, for example when processing loan applications, must give the customers the right to contest the decision. The business must also have a person, not a machine, checking the process if it ends in failure.
This doesn’t apply to all automated processes but is particularly pertinent where data is used or predicted about a person’s health, behaviour, location, movement, performance at work and similar.
There’s an important point here about the need for marketers and data officers to protect against the runaway efficiencies of machine learning. Where any algorithm is used with such personal data, marketers should understand and be able to explain the outcome.
These regulations are not particularly novel but they are becoming more and more relevant. Fairness is an important part of data processing, and the ICO includes a whole raft of guidance on big data and machine learning (read it here).
Behavioural targeting is a grey area
Targeted advertising is one area set to change under GDPR as the regulations say that behaviour tracking, even when users are pseudonymous (but are still served ads as unique users), uses personal data tied to IP addresses and cookies.
The guidance dictates that a data protection officer must be appointed if you carry out behaviour tracking on a large scale.
What does this mean for advertisers? Well, Osborne Clark reckons that ‘a business which pseudonymises all data may potentially find it easier to justify processing under the “legitimate interests”.’ However, writing for AdExchanger, David Raab argues that some businesses may be more cautious with their data and this could play into the hands of Google and Facebook.
Raab says that “stricter data regulations also will give the big companies even more reason to be cautious about sharing data they’ve gathered – data that marketers want to access in as much detail as possible for their own purposes. The result will be even greater reliance on the giant firms to select the audiences for advertisements because marketers will have less data to do the targeting themselves.”
This may be overdoing it a tad, but publishers will certainly have to work with adtech providers to make the right information available to users, whether in notifications (popups) or publicly available on site.
Privacy by design
Ultimately, what GDPR is pushing businesses towards is privacy by design. That is, understanding privacy as a central tenet of any project you undertake.
As such, the ICO provides a handy code of practice for a privacy impact assessment, designed to help businesses take account of anything that will impact on privacy during a new project, or to reassess the privacy of current systems.
The concept of privacy by design is nothing new and nor are these assessments, but they do now become mandatory for ‘organisations with technologies and processes that are likely to result in a high risk to the rights of the data subjects’. This is perhaps unlikely for a marketing campaign, but not unheard of.
There’s lots more to consider, but customer-focused marketers should follow their instincts
Data protection officers, the right to be forgotten, the right to data portability, new time limits on many requests – there’s no doubt there are challenges for organisations, both those in already highly regulated industries and those not.
However, the GDPR will be a boon for marketers who already put the customer first during onboarding and subsequent marketing. Yes, lawyers are set to make hay while the sun shines, but by passing the ICO overview to all of your marketing team, it’s not too late to get ahead of the game.