Last week at Econsultancy we held our annual roundtable event, with the GDPR (General Data Protection Regulation) one of the topics up for discussion.
Here’s a flavour of what was said, along with some pointers for marketers who might be tempted to panic as the May 2018 deadline draws near.
Don’t panic, complying with the DPA is a good start
First off, it’s important to keep some perspective when considering the GDPR. Companies that already have their houses in order when it comes to complying fully with the existing Data Protection Act (DPA) will obviously have less to worry about than those who are not whiter than white.
Even on the issue of ‘legitimate interests’ as a condition for data processing, which has caused some debate and may be confusing for marketers, the GDPR is largely a reformulation of what is already set out in the DPA. The notable shift is in how the balancing test is framed: rather than simply checking that processing does not prejudice the individual’s rights and freedoms, the GDPR asks you to weigh your interests against the individual’s interests, fundamental rights and freedoms, and to stop where theirs override yours.
Compliance and deliverability director at RedEye, Tim Roe puts it best in a recent Econsultancy blog post:
What GDPR relates to, is being able to process data for the purposes of direct marketing, which includes storage, segmentation, profiling, matching, sending direct mail, making marketing phone calls and electronic marketing in the B2B sector.
It will be a balanced relationship too, with the use you put the data to compatible with and relevant to the relationship you have with the individual. At least it should be. If not, you are breaking the law now; and you don’t need to wait until May 2018 to have sleepless nights. – Tim Roe, RedEye
What has changed is the weight given to words like accountability and transparency, which means more documentation and greater consideration of the end user. Not too scary on the face of it.
The GDPR of course carries much higher penalties for non-compliance (fines of up to €20m or 4% of global annual turnover, whichever is greater: nothing like a big stick to grab people’s attention) and supervisory authorities such as the ICO have the law behind them. Nevertheless, there is much that companies can do to show they are taking steps towards compliance.
The last thing marketers should be doing is panicking and throwing data away for fear of their ability to use it (delegates were well aware of the high profile case of Wetherspoons deleting its email database rather than thinking about compliance).
Start sharing knowledge
In light of what I’ve written above, it’s debatable whether companies should undertake an enormous overhaul of data governance and aim to change company culture. There are sectors, however, such as charities, where high profile news stories around assumed consent for data processing have led to nervousness.
In other sectors, listening to marketers discuss the GDPR, it was clear that some had not yet spoken to their compliance teams, which seems like a missed opportunity.
If marketers are to design for privacy, to ensure that where they rely on individuals’ consent it is active and fully informed, and to balance the company’s interests in data processing against the impact on the individual, they need knowledge of the regulation and of best practice examples.
To develop this knowledge, it helps to talk about the GDPR openly. Though formal training may only be necessary for a few, some reading should be encouraged across the marketing team. After all, demonstrating that you comply “may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.”
Organisations that are particularly strong on interaction and service design may be getting the message out sooner. Co-op is using some simple posters to explain what rights the GDPR affords individuals, as well as an internal Slack channel.
A blog post by the digital team states the aim of the posters is “to make colleagues in Digital aware that the regulation is coming [and] to explain what it means in plain language.”
Appoint a data protection officer
Okay, larger companies will probably already have one. Note that the GDPR’s trigger for a mandatory DPO is not a headcount: the requirement applies to public authorities, and to organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The 250-staff threshold that is often quoted relates to the exemption from keeping records of processing, not to the DPO, and behavioural profiling of customers at scale can meet the monitoring test however small the company.
Smaller companies that need a DPO, or choose to appoint one, may assign the role to an existing, suitably qualified staff member, as long as it does not conflict with their current duties; appointing an external DPO is also permitted.
The importance of a data protection officer (DPO) partly speaks to the issue raised above about knowledge of practices across the organisation. The DPO’s role is integral to accountability, with privacy impact assessments (PIAs), which the GDPR calls data protection impact assessments (DPIAs), a good example. These are required before starting any new processing that is likely to pose a high risk to individuals, and are good practice whenever a company does something new with user data, such as changing CRM platform. Director of iCompli, Duncan Smith (leader of Econsultancy’s GDPR training course) explains the role of the DPO in this instance:
So how is that [PIA] going to happen? I don’t even know what new systems and processes are coming into place, such as marketing, HR, CCTV, badge scanning, IT – there’s all sorts of new systems coming into place, so whose job is it to remember to do an assessment?
That’s where this accountability thing, all these horizontal management control processes, means you need somebody with the title ‘data protection bod/person/guru’ who is essentially cracking the whip and making sure everyone is doing the right stuff.
Smith says there is absolutely a need to hire someone new, perhaps not at the level of a DPO (£60k-£100k a year), but that “you might be looking to hire someone at a £25k to £40k level, a lower-level manager role, whose job is compliance officer or something along those lines.”
Start documenting and auditing
Start documenting the data you hold, the processing you undertake and the lawful condition you rely on for each processing activity. Under the GDPR this becomes a formal record of processing activities, so it pays to capture the purpose, the categories of data and of individuals, the recipients and the retention period for each activity from the outset.
The majority of marketers I spoke to at our roundtable had begun this process. Again, take heed of some simple questions posed by RedEye’s Tim Roe.
- What have you got and what do you use it for?
- Have you got more than you need?
- Do you keep it longer than you should?
- Is what you use it for likely to be reasonably expected by the individual, based on their relationship with you?
- Do you match data obtained from elsewhere?
This act of auditing your data is evidence of moving towards compliance.
Ask what your customers reasonably expect
Under the GDPR there are six lawful grounds for data processing, but the two most pertinent and most commonly relied upon for marketers are consent and legitimate interests.
Consent looks a fair bit different under the GDPR – it needs to be via active opt-in, unbundled from other T&Cs, to a named organisation, granular (for different types of processing), and easy to withdraw.
Legitimate interests, as discussed previously, must be real and not too vague, with marketers balancing the interests of their company against the effect on individuals. Processing that already takes place on the basis of legitimate interests, and will likely continue to under the GDPR, includes direct marketing by post and digital personalisation (e.g. tailoring websites and emails based on behavioural data). Bear in mind that legitimate interests do not override PECR: unsolicited marketing emails and texts to consumers still need consent (or the soft opt-in for existing customers), whatever the GDPR basis for the underlying processing.
Individuals can object to processing based on legitimate interests, and where the purpose is direct marketing the objection is absolute and must be honoured. This right is one of the things data controllers need to make clear in their privacy information.
But the bigger question for marketers thinking about legitimate interest assessments is ‘what does the customer expect?’ Marketers may find that if they cease an activity currently covered by legitimate interests and seek consent for it instead, those who do not consent go on to suffer an inferior customer experience as a result.
Of course, customer expectations are influenced by your marketing communications, so there is some degree of chicken and egg here. Conducting a legitimate interest assessment is important where marketers are unsure.
Make the word ‘clarity’ your mantra
Clarity about how individuals can object to processing or withdraw consent is just as important as clarity about what you do with their data.
However, emailing customers who have already opted out of electronic marketing to tell them about processing under legitimate interests, or to ask them to opt back in, is not allowed: such a message is itself a marketing email under PECR. So don’t let a mad dash for transparency lead you down the wrong path.
One of the issues marketers face is that their mantra has previously been ‘collect more data’, whereas the GDPR, through its data minimisation principle and its requirement for data protection by design and by default, dictates that marketers should only collect the minimum amount of data required to achieve their stated purposes.
Roundtable delegates were quick to mention this conflict. Duncan Smith comments that privacy by design is a nebulous concept:
If you’re a data-driven marketer the concept of minimum data is a complete anathema. I want to know everything about you.
How will it impact the Internet of Things? The idea of the quantified self, where every bit of your personal data is collected and potentially shared with other devices, how does this adhere to privacy by design? The same applies to anything to do with location-based marketing or omnichannel profiling.
The answer is that where marketers are collecting and processing data they will have to say so, and, as Tim Roe points out, if that means signs indicating the presence of Bluetooth beacons, then so be it.
Smith comes back to the idea of writing all this down in the right way. “A lot of work needs to be done to create privacy notices that clearly and concisely explain how businesses plan to use customers’ data. The privacy notice has to explain all that in a way that my mum understands.”
We didn’t cover everything GDPR-related in our roundtable discussion, with each marketer at a slightly different stage in their journey to compliance. While the steps in this article are important, there’s more to consider, and readers should consult the ICO’s guidance, in particular its ‘Preparing for the GDPR: 12 steps to take now’ checklist.
Note that this article is not intended to constitute legal advice or to offer comprehensive guidance.