The advances and take-up of new technology have driven the development of ever more complex ways of identifying, profiling and marketing to individuals - in ways that many people are not even aware are happening. Our Head of Digital Jon Parsons, who has been running workshops with clients, outlines how the new General Data Protection Regulation (GDPR) will update the current law to take into account these huge advances that have happened since the 1995 Data Protection Directive was implemented.
The increasing use of personal data within marketing has led to an increase in customer concern, and individuals are becoming more wary of sharing their data. Recent high-profile data breaches and cyber hacks have done little to reassure them, resulting in more than 50% of individuals now being either data sceptics or non-sharers.
Persuading customers to share their data for legitimate purposes is becoming more challenging. Organisations that rise to the challenge and follow the GDPR principles of being transparent about what personal data they collect and what it will be used for, and of allowing customers greater control of their own data and its use, will help build this trust.
In addition to the right to object to marketing, individuals will also have new rights under the GDPR. These include “the right to erasure” that allows them to be forgotten, “the right to data portability” to aid account switching and “the right to subject access request”, where individuals can demand to see the data held about them.
Individuals, through the GDPR, will also find it easier to file a complaint against an organisation and the misuse of their data. The resulting fines for organisations have increased to up to 20 million euros or 4% of annual turnover, compared to a £500,000 fine under the current UK Data Protection Act.
The new GDPR will raise consumer awareness of best practice in data processing and will set an expectation of how organisations should be reassuring and informing them about how their data is being managed. This should be a wake-up call for all marketers to ensure that they properly address this culture change and ensure that they comply with the new regulations.
A key element of GDPR for marketers to focus on is informed consent, and in particular the need for opt-in consent at the point of data capture. Article 4 of the GDPR text states:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In other words, at the point an individual gives an organisation their data, they will need to be told clearly what marketing communications they will receive and how their personal data will be managed, and they must accept this with a freely given opt-in. This means no more pre-ticked boxes, and no more unticked boxes that the individual has to tick to opt out.
This change has a lot of marketers concerned about opt-in conversion rates, and about whether consent for their existing customer data was obtained legitimately. As a result, marketers are looking at their contact database numbers seriously dwindling.
This isn’t all bad news, however, as this new level of clarity in the marketing communications an individual is signing up for, and organisations getting a clear affirmative action from their customers confirming their consent, will result in a more engaged and responsive community of customers. This benefits both parties and should be what marketers are striving for anyway.
The new GDPR is going to have a massive impact on the processes, policies, contracts with suppliers, management, access, transportation, cleansing and usage of personal data. The regulations will be implemented on 28th May 2018 and many organisations are now investing heavily in time and resources to make the organisational-level changes required to ensure compliance.
Information is available online, with webinars, training sessions and specialist consultants all helping organisations to understand GDPR and its specific implications for their organisation and their customers. Mobas has also undertaken official qualifications and has been running training sessions with clients. Under the new GDPR both data owners and data processors are jointly liable for any issues, meaning that in the marketing sphere agencies and clients should already be in discussion about each other's data processes to ensure compliance across the board.
A good starting point is to look at the guidance from the Information Commissioner's Office (ICO) and use the reference information contained in the Articles and Recitals of the GDPR. Whilst many parts of the GDPR are clearly black and white, there are others that remain grey. This means that giving advice and making decisions on the best approach can be very difficult.
Put simply, GDPR is all about acting responsibly with personal information in its widest sense. In broad terms, compliance with GDPR will require you to:
Wherever it is (databases, file shares, email systems, storage boxes) and in whatever format it is.
And isn’t this what good marketers should be doing anyway?