
GDPR: learning lessons from the ICO’s first enforcement notice

By Fiona Salmon / In Best practice
It's been a few months since the GDPR came into force and confusion still remains. Fiona Salmon takes us through some of the key mix-ups that are leading data management companies to unnecessarily jettison user data. She also outlines a key lesson to learn from the recent ICO ruling and identifies the one area where companies are consistently letting down consumers.

Data regulators across Europe have rightly been giving all businesses a sensible amount of time and consideration to attend to their new responsibilities under the General Data Protection Regulation (GDPR). Even so, in September – just four months after the GDPR came into force – the UK’s Information Commissioner’s Office issued its first GDPR enforcement notice.

The target of the notice, Aggregate IQ, is alleged to have worked for organisations campaigning for the UK to leave the European Union and to have been involved with the scandal-hit Cambridge Analytica. (Aggregate IQ displays a prominent denial of any contractual relationship with Cambridge Analytica on the home page of its website.) The ICO’s notice effectively bans Aggregate IQ from processing the personal data of EU citizens for digital advertising, on pain of one of those much-feared GDPR fines of up to £20m.

If the ICO wanted a cost-effective way to signal prominently that its patience with GDPR non-compliance is coming to an end, then targeting a data company mixed up in a high-profile scandal was an absolute gift. Businesses specialising in data processing are not the only ones in the firing line, though. The ICO’s notice made clear references to the brands associated with Aggregate IQ.

The reputations and successes of Vote Leave, BeLeave, Veterans For Britain and DUP Vote To Leave, and even the very legality of the Brexit referendum result have been tarnished by the notice.

A lesson from Brexit: take responsibility for third party data services

There are clear lessons for data marketers and brands from the case. They must ensure their third party providers of data services – whether data sources, collectors, managers or processors – have complied with the GDPR as well as ensuring their own internal processes are compliant.

If brands take a proper look at a range of data services companies, they will see various methods and levels of purported compliance with the GDPR. Opting for the best practice compliance methods is important to avoid the risk of brand damage caused by a GDPR notice sent to a supplier. However, it’s also important to protect the day-to-day commercial interests of the brand.

For example, an internal research exercise by 1plusX – which admittedly has limitations – discovered that eight of the nine market-leading data management platforms (DMPs) conflate the exercise of consumers’ GDPR Opt-out and Data Deletion rights. That means that when these eight DMPs receive an Opt-out request from a consumer, they also delete that consumer’s data.

But wait!

Opting out does not mean wiping data

Opt-out and Deletion are two different GDPR rights, two different instructions, and they require two different actions.

Data marketers spend masses of time, effort and money collecting consumer data, and the GDPR certainly hasn’t made data collection any easier. Unnecessarily deleting that valuable data makes a marketer’s job far harder and more expensive than it needs to be.

Moreover, it impacts the consumer experience. There are consumers that never want to do any business with a brand ever again. Then there are other consumers who simply want to “opt-down” rather than “opt-out”.

Opting-down includes: pausing their profiling for a certain time period; reducing the frequency of communications from a brand; asserting preferences for certain formats, channels, brands or subjects of communications; or only wanting certain information about them to be collected and processed.

They may not want to receive a brand’s email newsletter, but they may still want to revisit their account information at a later date, or continue to have a personalised experience on the brand’s website; or they may simply want to avoid filling in a profile form when they purchase from the brand again later.

Opting-down requires the brand to retain data about them. Conflating the exercise of the opt-out and data deletion rights is far too blunt a method of complying with the GDPR, and something data marketers should look out for when selecting a data services company.

Just one DMP in 1plusX’s research sample saves consumer data by recognising that, although Data Deletion mandates Opt-out, a consumer’s request to Opt-out does not mandate Data Deletion.

The same DMP also gives consumers the nuclear option of exercising their Data Access, Opt-out and Data Deletion rights together with a single click. As each of those options is properly labelled, it’s an extremely consumer-friendly function for those who decide that they never want to hear from a particular company again – at least until they choose to re-opt-in.

The GDPR flashpoint: consumer ease-of-use

If there is a flash point for complaints and allegations of non-compliance with the GDPR it’s where consumers attempt to exercise their data rights. On and after 25th May 2018 consumers were supposed to be given the following rights over the collection and processing of their data:

  • Opt-in
  • Opt-out
  • Data Access (the right to see the data collected)
  • Data Deletion
  • Data Rectification (the right to change the data held by data processors).

1plusX’s research found that the functions DMPs deploy to enable consumers to exercise their GDPR rights vary widely in consumer-friendliness.

When consumers find it difficult or confusing to exercise their rights – whatever those rights may be – their anxiety levels increase. With regard to GDPR rights, consumers are likely to feel most anxious when attempting to exercise their Data Access right.

For whatever reason – generally entirely legitimate reasons – a consumer may become concerned about the information a company knows about them and what that company is doing with their data. Even if a consumer isn’t anxious initially, when they can’t get fast, clear and transparent access to their data, their anxiety levels rocket.

However, 1plusX’s research found that the methods DMPs deploy to comply with consumers’ Data Access requests are extremely laborious and inefficient. Some DMPs require consumers to fill in a form that must then be sent to the DMP. Sure, the GDPR gives companies up to 30 days to fulfil Data Access requests – but such a slow process will cause consumers unnecessary anxiety.

Some DMPs provide data access reports to consumers in a JSON data structure. Assuming that consumers understand the Java or C programming languages to access their data hardly smacks of a good consumer experience.

Other DMPs only display an on-screen report to consumers rather than a data table they can truly analyse.

Neither approach offers consumers the meaningful detail that will give them the sense of control and knowledge that the GDPR intended to confer upon them. These reports only contain general information. If the consumer is lucky, they might discover the audience or subject interests that the DMP has attributed to them. Nothing more.

Just one DMP in 1plusX’s research sample provides consumers with a directly downloadable spreadsheet file including a full time-series of their recorded interactions. Ensuring consumers can easily exercise their GDPR rights conveys transparency and trust to consumers. Fast and full access to data gives consumers a sense of empowerment and reassurance, but it’s also far more efficient for data controllers and processors, saving them significant costs.

Self-service data management

One final GDPR rights concern for data marketers: none of the market-leading data management platforms seem to offer consumers a self-service Data Rectification function. Perhaps this isn’t surprising, since the GDPR Rectification right is concerned with sensitive and personally identifiable data. Most DMPs were developed to process anonymous profile data, and thus avoid the legal, ethical, security and technical responsibilities of processing such data.

However, many data marketers gain great benefit from integrating their customer relationship management data with their DMP, including a single customer view of all the interactions each customer has with their brand. CRM data generally includes sensitive and personally identifiable data, such as the data subject’s name, age, email, home address, credit card numbers and even healthcare records, exposing those brands and DMPs to a data rectification responsibility.

There is no legal requirement for data collectors and processors to offer consumers a self-service data rectification function, of course. As long as oral and written data rectification requests are acted upon, the GDPR’s requirements are fulfilled. However, data marketers need to ensure that if they integrate CRM, personal or sensitive data with their DMP, there must be a method of updating that data quickly – ideally immediately – to minimise risk of non-compliance.
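To make the three rights-handling points above concrete (Opt-out retains data while Deletion wipes it and implies Opt-out; Data Access should return the full interaction time-series in a spreadsheet-friendly form; Rectification corrects data in place), here is an added, hypothetical profile store written for this article. It is not code from 1plusX or from any DMP in the research sample, and the event names and preference keys are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Profile:
    consumer_id: str
    opted_out: bool = False                           # suppress processing, keep data
    prefs: dict = field(default_factory=dict)         # "opt-down" preferences
    attributes: dict = field(default_factory=dict)    # rectifiable personal data
    interactions: list = field(default_factory=list)  # (timestamp, event, detail)


class RightsStore:
    """Hypothetical DMP profile store where each GDPR right is a distinct action."""

    def __init__(self):
        self.profiles = {}

    def _get(self, cid):
        return self.profiles.setdefault(cid, Profile(cid))

    def record(self, cid, ts, event, detail=""):
        p = self._get(cid)
        if p.opted_out:                      # opted-out consumers are not profiled
            return False
        if p.prefs.get("pause_profiling"):   # opt-down: paused, but data retained
            return False
        p.interactions.append((ts, event, detail))
        return True

    def opt_out(self, cid):                  # Opt-out: stop processing, retain data
        self._get(cid).opted_out = True

    def opt_in(self, cid):                   # re-opt-in restores processing
        self._get(cid).opted_out = False

    def opt_down(self, cid, **prefs):        # Opt-down: narrower processing, data kept
        self._get(cid).prefs.update(prefs)

    def rectify(self, cid, **attrs):         # Rectification: correct, do not delete
        self._get(cid).attributes.update(attrs)

    def delete(self, cid):                   # Deletion wipes data AND implies opt-out
        self.profiles[cid] = Profile(cid, opted_out=True)

    def access_export(self, cid):            # Access: full time-series as CSV text
        p = self.profiles.get(cid, Profile(cid))
        out = io.StringIO()
        writer = csv.writer(out)
        writer.writerow(["timestamp", "event", "detail"])
        writer.writerows(p.interactions)
        return out.getvalue()
```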

GDPR: a time of unpredictability

There was a lot of fear-inducing guff being spouted about GDPR enforcement prior to 25th May 2018 when the GDPR became effective. None of the GDPR guffers predicted that the ICO’s first GDPR notice would focus on data processing prior to that date.

Compliance and enforcement of the GDPR are in their infancy. Hence it is a time of unpredictability, exposing brands to risks. To lower risks of complaints, commercial loss and consumer anxiety, data marketers must ensure they and their collection and processing providers are implementing best practice.

Author: Fiona Salmon

Fiona Salmon is UK MD of 1plusX, an innovative, user-friendly profile platform developed by two ex-Google directors. Fiona has more than 18 years of media experience specialising in sales, strategic partnerships, publishing, business development and thought leadership. She has worked at a number of blue-chip media owners including Trinity Mirror, Bauer and News International.
