You don’t have to be a user of gay dating app Grindr to think that data sharing may have gone too far, not least because medical information should be classified as highly sensitive and is subject to tight controls under GDPR. It is hard to understand how it could be considered proportionate for the targeting of ads.
In this respect, consumer opinion is a long way in advance of business with 73% expecting to be able to click on an ad without sharing any personal data. This is one of the findings from the second tranche of DataIQ’s GDPR Impact research, carried out in association with DQM GRC, that was first published at a live event on 28th June.
Consumers clearly view the data-value exchange differently from many leading brands, or perhaps have a less well-developed understanding of how, if the service they are using is free, then they themselves are the product being sold. Even so, the concept of an anonymous internet persists, with 60% saying they don’t expect to share their data when browsing a web site, 59% when watching videos online and 56% when using a search engine.
If those views are bad news for Google’s business model, Facebook has a more mixed position. Nearly one-third (32%) expect to be able to use a social network without offering their personal information. While this is clearly unlikely to be possible, only 19% recognise that the exchange requires them to give a lot of data.
When it comes to other services, the figures move in a more negative direction: 40% say a messaging service (like WhatsApp) should not involve any data sharing, while 48% say photo sharing (like Instagram) should be anonymous. Both are owned by Facebook.
As GDPR enforcement draws nearer and brands have to consider whether they can claim contractual basis or legitimate interest, rather than consent, as their basis for data processing, it seems likely that much of what is currently standard practice will come under pressure, either from the data protection authorities or from consumers themselves.
Adam Rose, partner at Mishcon de Reya, believes the latter course of action seems likely. As he told the event, “if 25th May is raining, consumers may sit at home firing off complaints.” One basis for enforcement action by the Information Commissioner’s Office will be complaints and consumer harm. But that may not mean just a simple scaling up of the monetary penalties imposed.
Rose believes there is a parallel between the likely outcome of that action and the way footballers’ transfer fees rose: once Trevor Francis became the first £1 million player in 1979, many more followed until today’s marketplace in which £100 million-plus fees are no longer unusual. “There is a risk of that happening, especially if other European states are fining at the £10 million level. If the ICO does not follow suit, it could look as if it is not offering adequate protection to UK consumers,” he noted.
That could have consequences for the all-important adequacy ruling which the UK needs to get post-Brexit. It could also change the culture within the ICO, which has pursued a more collaborative approach that is in line with the self-regulatory approach in UK advertising and marketing. Not surprisingly, Rose pointed out that adequacy is seen as “one of the Prime Minister’s big five things to sort out in Brexit.”
But if consumer complaints are a genuine risk to data sharing, employee subject access requests could prove to be an even bigger problem. “Make sure you know where employee data is held - do an audit, because it can be archived in hard copies, held in emails, stored online, scraped from job boards,” said Rose.
He speaks from experience, having led the law firm’s review of its records management, which saw several hundred boxfuls of records removed from storage, reviewed and destroyed where appropriate, reducing the number retained to just a few dozen. With the possibility of former and current employee SARs becoming the next PPI, his warning to review HR materials is timely and also risk-reducing.
It is perhaps not a surprise, therefore, that SAR management is the second most common piece of regtech that businesses are planning to implement, with 45.9% looking at this technology, led only by permission management systems, which 50.4% are working on. Preference centres are being considered by 40.5% (although Rose suggested that one of the main drivers of these, the ePrivacy Regulation, could face such lengthy delays that it may never get passed).
It is striking the balance between business and consumer interests that makes GDPR programmes so complex. It is also why Christine Andrews, managing director of DQM GRC, said: “GDPR starts on 25th May, not stops. Records of processing, particularly for marketing, are a major area of challenge, especially for those organisations processing under legitimate interest if they don’t have a clear preference already expressed.”
Investing in regtech will be essential to be in the right place on that date. Andrews pointed to the complexities of requirements like Article 30, under which all the activities for which data is processed need to be identified, with a record kept of the systems involved, including third-party partners and vendors. Article 7, meanwhile, means all purposes for which consent is sought need to be explained and those notices recorded, together with the time, place and method used. “Consent needs to be unbundled and granular,” noted Andrews, which is where those preference centres come into play. These not only help with compliance, they also show that an organisation is actively enabling its customers’ rights.
As a result, they may not feel the same desire to complain and brands may realise a positive benefit from their regtech investments. According to Andrews: “If you approach the GDPR journey properly and don’t just treat it as a tick box exercise, some value will emerge.”
Figures in this article are taken from the second extract of the 2018 DataIQ GDPR Impact research, produced in association with DQM GRC.