Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules – not just for governments, but for private companies.
– Bill Gates
Back in 2013, Bill Gates may have been referring to balancing surveillance and security in light of the Snowden leaks, but his words aptly reflect the subsequent aims of the European Union to harmonise data protection law across member states, providing enhanced privacy rights for individuals.
This desire has led to the EU General Data Protection Regulation, due to be enforced on 25 May 2018. The GDPR ushers in a swathe of new rules and its scope is broad – affecting anyone who processes EU citizens’ data, whether they are situated within the EU or not. Whatever your sector, you need to be prepared for the Regulation – the fines for breaches are substantial.
What does the GDPR mean for marketers?
Under the Regulation, organisations must process personal information under one of six legal bases (GDPR Article 6.1). One of these conditions, which marketers have traditionally relied on, is consent. Under the GDPR, consent must be ‘unambiguous’ and collected by a ‘clear and affirmative action’.
The bolstered definition of consent and transparency requirements mean privacy notices need to be reviewed and the business impact of ‘opt-in’ should be assessed. I believe those who look to optimise the wording of permission statements and test them have an increased chance of reaping the benefits.
Significantly, in the UK regulator’s recently published draft guidance on consent, there is a stark warning for those who share data with third parties and/or who buy in third-party lists. Many believed it would be sufficient to state the sectors with which the data might be shared, but the ICO is clearly indicating there will be a requirement for ‘named’ consent. I suspect this will be challenged during the ICO’s consultation on the draft, but if it remains unchanged it will undoubtedly present difficulties when collecting third-party consent.
GDPR will challenge current database structures. As well as proof of consent for direct marketing and channel preference, multiple further fields may be needed. For example: consent for profiling; processing under legitimate interests; explicit consent for sensitive data processing; and – where relevant – parental consent. Combine this with the requirement to store direct marketing opt-outs, objections to processing under legitimate interests and profiling, and there’s quite a technical hurdle to overcome.
To comply with GDPR, you need to ask key questions about the type of profiling techniques your organisation uses. Do they require consent? How might you obtain this consent and have you informed your customers about all profiling? Further guidance is expected at a European level on this and, for many marketers, can’t come soon enough.
What happens to the data you have collected under existing laws when GDPR is enforced? Many commentators believed there may be leniency, but I wouldn’t count on it. The Regulation is clear that where consent has been given under the Data Protection Directive, it will only be valid if it also meets the requirements under GDPR. Steve Wood, Head of International Strategy and Intelligence at the UK’s Information Commissioner’s Office, recently commented at an IAPP event: “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” He continued: “What you will see is a common-sense, pragmatic approach to regulatory principles.”
Be warned: if a customer complains after 25 May 2018 about receiving a marketing communication and you can’t prove you have adequate consent, this complaint could be escalated to the Regulator and you will be in breach.
As if the GDPR weren’t enough for marketers to get to grips with, we are also anticipating the final text of the proposed ePrivacy Regulation (repealing the 2002 ePrivacy Directive). The European Commission aims to implement this Regulation in line with the GDPR on 25 May 2018. Following a draft text earlier this year, clarification is hotly awaited, specifically on soft opt-in (which is likely to remain, but with tighter limitations on its use) and on whether there will be a clear distinction made for B2B communications. Cookie consent is also set to get tougher.
With two new Regulations to contend with, data-centric marketers can’t take a back seat – they need to be prepared.
Rosemary Smith is speaking at the forthcoming MINT Global in Amsterdam (April 3-4, 2017): a conference that is unlike any other; offering delegates an unforgettable experience as well as top-level insight into the very latest marketing expertise. She is also running a workshop on the Monday of that event, looking at how GDPR and ePrivacy will impact on marketing.
Places are limited, so book your seat now at this unique event and don’t miss the boat (which is a hefty clue about that ‘unforgettable experience’)!