If your instinctive reaction to the General Data Protection Regulation has been one of fear and anxiety, then it’s time to breathe out and move on. Consumers are not only aware that a new law is coming, they have become significantly more willing to share their data over the last year, provided the conditions are right.
Six out of ten consumers now say their are either somewhat or very aware of a new data protection law (even if not specifically of GDPR), a reversal of the situation last year when 62 per cent were only slightly or not at all aware. This is one of the findings from the 2018 DataIQ GDPR Impact research, the first tranche of which, covering mobile and digital data, was published on 21st March.
The climate of concern has cleared and a new era of conditions for consent has set in.
Based on a representative sample of 1,005 UK consumers aged over 18, it shows that the previous climate of concern has cleared and a new era of conditions for consent has set in. This is most visible in the decline in the number who say they would prefer not to share their personal data unless it is absolutely necessary - down from 49 per cent in 2016 to 32 per cent this year.
And this is in advance of any significant consumer education by the Information Commissioner’s Office, whose “Your data matters” campaign is due to break in April. Although fieldwork took place before the Facebook/Cambridge Analytica issue, it suggests that brands have much less to fear when pushing their revised privacy notices and permissioning options into the market.
As Robert Bond, partner in law firm Bristows and one of the most highly-respected lawyers in the data protection sector, told an audience that, “it is not true that after 25th May, billions of pounds in fines will be levied.” With tongue slightly in cheek, he pointed out that 26th May is actually a Saturday, while Monday 28th is a bank holiday, so no civil servants will be at work at the ICO.
More seriously, he noted that the ICO’s own myth-busting blog has said it is more interested in education than punishment. “But I can guarantee somebody will be caught. If the Uber or Equifax breaches were to have happened after 25th May, regulators in Europe would say hit them, because they are big companies with deep pockets,” said Bond.
“We don’t have a Highway Code for the data world, but we will get there.”
He noted that no company can hope to be 100% compliant by the start of enforcement, “because everybody is on the journey”. Instead, he offered some key areas to focus on, not least of which is whether a business is compliant with the existing Data Protection Act. Key areas to address, he suggested, include third-party vendor contracts (including cloud-based services), ensuring new privacy policies are being enacted across all touchpoints (which will require staff training) and getting involved with IT to ensure existing and planned systems have undergone data protection impact assessments.
Bond acknowledged that this journey towards compliance is not an easy one, not least because some key areas of guidance are still pending. “We don’t have a Highway Code for the data world, but we will get there,” he said.
This may explain the continued lag between the significantly increased level of awareness of GDPR that brands have compared to their level of preparedness. In 2016, 46% of organisations said they were very aware of GDPR - this has leapt to 84.3% in 2018. Preparedness has also more than tripled, with 25.4% describing themselves as very prepared, compared to 7% in 2016. Although a further 61% say they are somewhat prepared, this still looks like a gap between knowing the law is changing and doing something significant about it.
One of the main challenges continues to be creating a single view of the customer, especially sewing together directly-captured data with their digital and mobile footprint. Yet this is increasingly what customers expect to happen.
As David Morris, director of solutions consulting at Tealium, which sponsored the first tranche of research and the launch event, told the audience: “Engagement with brands is becoming more personal because of increasing use of mobile phones. Consumers expect a personal experience because the device is personal to them.”
“The issue brands have is that they don’t focus on convenience and customer service.”
A key finding in the B2B segment of the research relates to this very challenge. Just over one quarter (26.3 per cent) of all organisations have a common identifier which allows them to integrate along the customer journey, rising to 31% of the very prepared. This can play an important part in driving compliance, since the ability to identify all the data held on an individual is at the heart of enabling key GDPR rights like access, correction, portability or deletion.
But Morris suggested this is not the only reason to deploy data integration techniques like tagging. “The issue brands have is that they don’t focus on convenience and customer service as the reason why they use mobile to engage with customers - they are more focused on promotions. So when they ask customers for permission, it is not seen as altruistic and individuals may say no,” he said.
Brands are desperate to avoid a significant impairment to their marketable audience from this type of denial of permission to process personal data. Yet is seems consumers don’t want to do this - they just want to be told why their data is needed and to build trust in brands. And that’s what your company wants, too, right?
The first extract from the 2018 DataIQ GDPR Impact research, in association with Tealium, is now available here.
The second extract, produced in association with DQM GRC, will be launched at a morning briefing on 28th March. To register for the event, go here.