Rules and administrative processes don’t lend themselves to creative marketing, but the General Data Protection Regulation (GDPR), the forthcoming EU data law, is not something that digital marketers can ignore. Fail to respond to it and there is a good chance every database used will have to be erased. And there could be a fine of up to 100m Euros.

The GDPR will come into effect between now and sometime at the end of 2017, and the new required compliance standards contain several key points that apply to digital marketing:

  • In the case of personalised communication, consumers must give permission for their personal behavioural and preference data to be used. (This does not apply to anonymised data.)
  • Permission will need to be obtained when adding consumers to a database, or sending marketing communication.
  • Businesses need to prove they have consent from all subscribers.
  • Consumers will have the right to have their data removed.

This may sound fairly straightforward, but within these points there are some considerations that are going to present digital marketers with one or more challenges.

What might seem like the simplest element of regulation may be the biggest problem for many. Proving consent, even if it was correctly obtained and meets the forthcoming data compliance standard, may be impossible.

Having a copy of opt in text used when gaining permission, plus the accompanying data file marked ‘opt in’ is unlikely to be considered as having met the required level of proof. A completed consent form will be the only way to demonstrate unambiguous permission has been given.

With existing data there is also the question of the level of permission obtained, and whether it accurately reflects the purpose for which it is now used, or plans for its further use. There is a lot of mature opt in data that is still accurate; however, the text used when asking permission to use it may be too narrow or too vague in its scope for the purposes it is used for currently, or in the future. This leads to a situation in which many will think they have got legitimate opt in data when they have not.

The older the data captured, the more chance there may be a problem. But there could also be a more fundamental flaw. The Information Commissioner’s Office (ICO) recently found Virgin broke the existing data directive by using permission request copy designed to have a personable feel. The matey style of the copy was clear in its proposition, but it did not meet the technical requirements of the ICO, and consequently was found to be a breach of the current rules. With the likelihood of GDPR bringing with it enhanced levels of scrutiny, any flaws are likely to be picked up on.

In recent years the ICO has been getting tougher on enforcing the existing compliance directive, but GDPR will not be a directive. It will be law. As the UK’s national data regulatory authority, the ICO will be given leeway on how it implements its new powers, but it is unlikely to be a soft touch, and the sanctions it can impose will be very considerable.

In addition, the EU legislation may include the ability of consumers to claim damages for misuse of data. If a precedent is set and the amount involved is significant, it could create a trend similar to that of PPI. Combined with the big stick the ICO will wield it means not being GDPR compliant is a high risk gamble not only in terms of punishment, but also in damage to brand equity.

The new law is unlikely to be introduced much before mid 2017, but even this will not be enough time for some companies to be prepared. In some cases new staff and agencies will have to be taken on, and there may be a requirement for new software.

There are two basic processes to be undertaken in becoming compliant. The first is a review in which all consumer data is examined for opt in status. Based on the results, permission should be refreshed as necessary, and new compliance protocols introduced.

Unquestionably the compliance process is one that all digital marketers could do without. But if permission does need refreshing it can be used as an opportunity to improve dialogue with consumers and capture additional information. If you are asking for different opt in terms then it is logical to extend the conversation, and find out more about consumers’ buying potential.

It is understood that there is likely to be a ruling that allows companies to keep and use data collected in the three years prior to the new regulation being introduced even if it does not meet the new terms required. All other data collected before then that does not meet GDPR criteria will have to be erased.

The actual law behind GDPR has yet to be passed, and the EU Parliament, Council and Commission each have different agendas, and have to agree on the final wording. Nevertheless, the core elements of the regulation as described above are accepted as the baseline on which new data compliance will be based. Knowing this information allows for essential preparation.

It is probable that companies involved in digital marketing will come under GDPR scrutiny. Apart from anything else, consumers are becoming more aware and informing the ICO of their experiences more often. To guard against this, a last minute scramble for compliance is an approach many will inevitably take, and others will adopt half measures and risk the penalties. Those that consider brand guardianship, as well as promotion, to be part of their remit will undertake compliance reviews, and implement new processes. It will enable them to work freely within GDPR without having to look over their shoulders.

 

By Jeremy Whitaker, Chairman of Verso Group

