Now that the General Data Protection Regulation has finally been published, companies can get on with the hard work of building compliant processes. David Reed finds out how challenging this is likely to be and whether assumptions made by marketers about the availability of data will need to be reviewed and revisited.
“Eighty-one per cent of consumers believe data is theirs and can be exchanged for value, but just seven per cent believe they get the most value out of the data exchange.”
Ever since the first draft of the General Data Protection Regulation (GDPR) was published in November 2011, the response of business, privacy groups and legislators themselves can best be described as panicked. Framed solely with the human rights of individuals, rather than legitimate business interests, in mind, the proposed GDPR threatened significant upheaval in the way the information economy operates.
So significant were the potential changes that more amendments were tabled during its passage through the European Union’s structures than were made to the EU’s founding legislation, the Treaty of Lisbon. From lobbying by US technology giants that its proposals were too restrictive to objections from German regulators that it didn’t go far enough, the GDPR appeared designed to upset everybody.
When an agreed text was finally published in January 2016, something like a collective sigh of relief could be heard, firstly just at reaching the end of such an intensive and complex process and secondly that the final proposals are more workable than anticipated. Instead of wholesale re-engineering of data-driven processes, there is a widespread feeling that what is required is a rebalancing of business and consumer interests.
As Jon Waring, director of customer marketing at Screwfix, says: “Some of the parts which looked challenging, such as consent to processing and profiling, don’t seem to have materialised in their original way. The difficulty is that there is still a lot of discussion going on - businesses are trying to work out what is meant where the text is not that clear.”
While the tension of the last four years has been eased by having a definite framework to consider, the hard work is only just beginning in trying to comply. At this point, some of the necessary changes are more evident than others.
“The headline requirement for large organisations is to be more transparent and open in dealing with customers,” says Julia Porter, director of consumer revenues, Guardian News and Media and chair of the Direct Marketing Association. “At the most basic level, we need to be very clear about the reasons why we want data, what we are going to do with it and gain our customers’ trust.”
The Guardian has been in the vanguard of this approach with its “Why your data matters” initiative. As well as serving as a reference point for best practice, it is worth recalling that the company took a full year to gain internal agreement about how its values would be spelled out in a privacy notice of this sort.
Some companies will find that easier to achieve than others. As Porter notes, “any organisation which is thinking about how to be open and transparent shouldn’t have too much to worry about. Any of those organisations operating as lead generation businesses will need to do a lot of work.”
In her view, any company which is expecting to spend 2016 adapting processes to the new regulation is already behind the game. Many decided not to act last year in the belief that a lack of clarity about the final form of the legislation meant revisions to working practices and technologies would be wasted. If so, they may have made a strategic error.
Christine Andrews, managing director of DQM GRC, agrees: “Organisations need to get their houses in order now in terms of the existing legislation. If you look at the changes in the new regulation, they build on what we already have.”
Fundamental issues, like knowing what data is held, how sensitive it is, what controls are in place over its use and how it is kept secure, should already be at the heart of a company’s data strategy, she points out. “Data security has been a headline issue because of things like the TalkTalk breach. What is new are the notification timeframes and the level of exposure,” says Andrews.
It is notable that, even before the final GDPR was published, the Information Commissioner had begun to get tough with the data industry, writing to 1,000 data controllers and processors to demand details of how they permission, use and share personal information. The outcome of that activity has yet to be seen, but it is certain to put further pressure on data intermediaries and commercial data owners. At one conference in January, an ICO representative said bluntly, “don’t piss your customers off.”
Porter points out that 2016 will be a busy year for the ICO as it seeks to put guidance into the marketplace to help organisations understand their new obligations under GDPR. Up to now, there has been positive engagement between the UK’s data regulator and the industry. With one of the unknown quantities in the GDPR relating to how the regulator is funded, it leaves open the question of whether this relationship will continue on a similar footing.
“I don’t expect to see a change towards a more adversarial relationship because the ICO will still need to engage with industry. It will need industry bodies like the DMA even more to help members achieve best practice. The ICO won’t have time to enforce against everybody - it needs people to choose to comply,” argues Porter.
Last year saw the DMA publish its revised Code of Practice - also after a lengthy debate around how to express the values at its heart - which managed to be significantly ahead of the curve with its “customer-first” demands. Marketers who adapted to its needs will find adjusting to GDPR less of a challenge.
“The general thrust is to give consumers more control over what happens, for example, by opting-out of marketing,” points out Chris Combemale, group CEO of the DMA. It is as a result of lobbying by the DMA, among others, that a strict requirement for opt-in to direct marketing has been altered to reflect an acceptance that marketing is a legitimate business interest.
Combemale says the new law lines up with changing consumer expectations. “Our consumer attitudes to privacy research revealed some interesting findings, for example that 72 per cent of people are confident about sharing data in the modern economy, but 90 per cent want more control over what companies do with it,” he points out.
More consumers described themselves as unconcerned about what happens to their data - up to 22 per cent from 16 per cent three years ago. But Combemale points out that there is a perception of an imbalance which needs to be addressed. “Eighty per cent of consumers believe data is theirs and can be exchanged for value, but just eight per cent believe they get most value out of the data exchange compared to 80 per cent who believe companies do. That will need to change,” he says.
Data has become highly visible to all parties, leading to shifts in the perception around that value and where control should be held. Combemale says: “What marketers really need to worry about, more than the legislation, is operating in a way that engages customers, builds long-term trust and gives the customer a positive experience. That is what they need to create.”
The downside risk of failing to adapt to this new model is no longer having access to permissioned data with all the commercial impacts that might result. Combemale points out that any concerns about the need to change marketing processes should take into account the basis on which email and online data capture already operate, which is via an opt-in.
“The way you approach online marketing is a guide to all data-driven marketing. If you find yourself contacting people who have said they don’t want to be contacted, you’re getting it wrong,” he says. In this arena, many direct marketers have not covered themselves in glory, from the long-running issue of silent calls to the outcry about data sharing across the charity sector. There are clearly brands which are already on the back foot, even before the requirements of the GDPR come into play.
“Even under current legislation, brands using third-party data are required to know its provenance. A lot of list brokers have confidentiality agreements among themselves and say they can’t reveal their sources because of those NDAs. That puts any brand owner immediately into breach of current legislation,” says Combemale.
Third-party data is one marketing resource which looks to be under significant threat (see page 36 for more) and where some companies, such as Callcredit Information Group, have decided to take pre-emptive action by removing files from the market until auditable proofs are forthcoming. Andrews notes that, “we have seen some data owners talking to us about their approach to data capture and how the ICO gave guidance in 2014 about consent having a six-month shelf-life. That might re-appear when they release new guidelines for this sector.”
If anything, the GDPR has made the issue of consent even more difficult to define, not least because of the clear implication that it is time-limited, rather than indefinite. “Until now, if a business collected a consent there was no expiry date. Only if the individual objected did it get changed. If they now have to go out on a regular basis to re-acquire consent, is that reasonable? That is the biggest change,” says Waring.
Date-stamping of individual records could represent one of the more technically challenging aspects of complying with GDPR. To prove when data was captured and what permission was acquired, including how that was worded, databases will need to be auditable. Up to now, it has been relatively common practice simply to overwrite records and not to capture this critical metadata.
Waring agrees about the difficulties which could be presented. “Companies with large databases may be marketing to customers where they currently don’t know if they opted-in or opted-out, as different consent statuses may be held in different systems with no consent mastering,” he says. One ruling handed down by the ICO has been to re-contact customers in these circumstances offering them the chance to opt-out.
But he notes that, “timing in databases is a massive challenge. We will have to time and date-stamp records when we get a change of consent in order to prove to the ICO for audit purposes what the customer told us and when. That is potentially a difficult thing to do and many databases do not currently have this capability.”
Screwfix has been fortunate in the timing of the GDPR’s arrival because it is in the process of specifying a new marketing database. Time and date stamping of consent capture has been included in the build.
More complex still will be the Right to be Forgotten which gives individuals the right to ask a company to remove them from a database. “How do we handle that? We have got to remember that they want to be forgotten,” says Waring, pointing out a paradox which also threatens the use of suppression data, since it is an indicator that has to be both held and removed.
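The date-stamped, auditable consent record, the consent mastering across systems and the suppression paradox described above, as an added illustration in Python (not code from the article, and not Screwfix's database build): an append-only ledger where every consent change keeps its time, wording and source system, the current status is resolved from the newest event, and erasure keeps only a salted hash as a suppression marker. The six-month shelf-life, the salt and the sample customers are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SHELF_LIFE = timedelta(days=183)  # assumed opt-in shelf-life (the article cites six-month ICO guidance); a parameter, not law
SALT = b"constructed-secret-salt"  # placeholder: a real salt is a secret, not source code

@dataclass(frozen=True)
class ConsentEvent:  # one immutable, time-stamped consent change: appended, never overwritten
    customer_id: str
    channel: str        # "email", "post", ...
    status: str         # "opt-in" or "opt-out"
    captured_at: datetime
    wording: str        # exact statement the customer saw
    source_system: str  # which system captured it (web, till, call centre)

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    suppressed: set = field(default_factory=set)  # hashed markers only, no personal data
    def record(self, ev: ConsentEvent) -> None:
        if _marker(ev.customer_id) in self.suppressed:
            raise ValueError("erased customer: do not re-create the record")
        self.events.append(ev)

    def status(self, customer_id: str, channel: str, now: datetime) -> str:  # master consent across systems
        hist = [e for e in self.events if (e.customer_id, e.channel) == (customer_id, channel)]
        if not hist:
            return "unknown"
        latest = max(hist, key=lambda e: e.captured_at)  # newest event wins
        if latest.status == "opt-in" and now - latest.captured_at > SHELF_LIFE:
            return "unknown"  # too old to rely on: re-permission before marketing
        return latest.status

    def forget(self, customer_id: str) -> None:  # Right to be Forgotten: purge data, keep a hashed marker
        self.events = [e for e in self.events if e.customer_id != customer_id]
        self.suppressed.add(_marker(customer_id))

def _marker(customer_id: str) -> str:
    return hashlib.sha256(SALT + customer_id.encode()).hexdigest()
def demo() -> tuple:  # constructed sample: two systems disagree about one customer's email consent
    t0 = datetime(2016, 1, 1, tzinfo=timezone.utc)
    led = ConsentLedger()
    led.record(ConsentEvent("c1", "email", "opt-in", t0, "Send me offers by email", "web"))
    led.record(ConsentEvent("c1", "email", "opt-out", t0 + timedelta(days=30), "Unsubscribe me", "call-centre"))
    led.record(ConsentEvent("c2", "email", "opt-in", t0, "Send me offers by email", "till"))
    s1 = led.status("c1", "email", t0 + timedelta(days=60))   # later opt-out wins
    s2 = led.status("c2", "email", t0 + timedelta(days=60))   # fresh opt-in
    s3 = led.status("c2", "email", t0 + timedelta(days=400))  # stale, needs re-permission
    led.forget("c2")
    return s1, s2, s3, len(led.events), _marker("c2") in led.suppressed
```

A salted hash of an identifier can still be personal data where the salt is available, so the salt is treated as a secret and the marker is used only to block re-creation, never to rebuild the record.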
The scale of this aspect of moving into compliance with GDPR was laid bare in research carried out by Blancco Technology Group among 511 IT professionals worldwide in late 2015. Even though the sample included professionals in Mexico, Singapore, Malaysia and Australia, as well as those in the US, UK, Canada and Germany, 48 per cent were aware of the GDPR. But 40 per cent admitted they were not prepared.
Significantly, 46 per cent had received a customer request to remove outdated or irrelevant data in the last 12 months and 25 per cent admitted they did not know how long it would take them to build a Right to be Forgotten process to audit standard. The majority (60 per cent) expect to spend the next 12 months building these new IT solutions. In reality, it could take them much longer since the processes need to be defined and agreed before any technology gets deployed.
“Because the GDPR negotiations stretched on for the last four years, many organisations held out hope that an agreement would be postponed or, if things went the way they hoped, the negotiating parties would never come to agreement,” said Pat Clawson, CEO of Blancco Technology Group. “But now that the GDPR is a reality and the new privacy rules will be ratified by the European Council in early 2016, many organisations have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”
After such a long gestation period, the final birth of the GDPR has been welcomed with more relief than excitement. As a result, it may be hard to summon up the energy required for the necessary transformations during the coming 24 months. But that is exactly what any company relying on personal information needs to do - persist without panic.
DataIQ is running an important series of briefings on the likely impact the new EU GDPR will have on organisations.