SWOT analysis techniques (strengths, weaknesses, opportunities, threats) have helped marketers to focus on key issues for decades - and where some see threats, others unearth opportunities for their businesses to steal a march on their rivals.
Enter the EU General Data Protection Regulation (GDPR). Ever since it was first proposed back in 2011, it has been branded one of the biggest threats to the marketing industry for decades, although others have viewed GDPR as an opportunity finally to rid the industry of the rogue practices which seem to have dogged the sector for so long.
Fast forward six years and even Information Commissioner Elizabeth Denham has admitted that her office is running at "race speed" to try to get in shape for the new legislation. Speaking at the 2017 DataIQ 100 launch, she said: "For me, it feels a lot like changing the tyre on a moving car."
Many quake at the prospect of huge fines for data breaches (up to 4% of global turnover for serious cases), tackling the right to be forgotten, and the recruitment of thousands of Data Protection Officers. But it could be argued that the most significant factor for the data industry remains the issue of marketing permission.
While Brussels ultimately watered down proposals to make all marketing opt-in only, the tightening of the law around gaining and maintaining consent from consumers for future marketing activity is still proving a huge challenge. But get it right and you could be reaping the rewards.
Rosemary Smith, a director of Opt-4, explains: "There are definitely challenges for organisations in terms of the amount of information individuals will have to be given at sign-up - up to 13 different notifications. Consent mechanisms will be restricted to those which can claim to be 'clear affirmative actions’, so no more pre-ticking or conditional consent.”
“Organisations relying on consent will need a positive action to be able to demonstrate agreement and they will have to be able to record how and when consent was given,” she adds. “To ensure that specific consent for electronic channels is gathered, we will see many more permission statements with 'unbundled consent' for each channel.”
However, while DQM GRC managing director Christine Andrews agrees that permission statements will be much longer and potentially more intrusive than before, the changes will also force firms to be far more transparent and stop hiding behind legal jargon, which, she insists, can only be a good thing.
“Consumers will be much clearer than they are now about how their data is going to be used. For example, the whole issue of how data is going to be processed will need to be clear upfront and at the point of consent. Practically, this may mean links to privacy policies are 'called out' rather than buried in the bottom of website pages,” says Andrews.
There will also be challenges for increasingly diverse organisations, says BBC TV Licensing head of data management, Mark Chipperfield, who believes that these businesses will need to think about their range of services and products and determine if multiple consents are appropriate.
He points out: “More customers will expect companies to provide greater access to their data, including any various consents and preferences held. So having greater transparency and control - which is a lot of what GDPR and the e-privacy regulation are all about - will be crucial.”
However, Andrews warns that in the adtech and programmatic world, the practicalities are going to be highly complex. She adds: “The [online advertising] AdChoices programme provides a means of opting-out, but the mechanics for opting-in at the website will need greater consideration.”
For FastMap managing director David Cole, who has been banging the drum about the issue for years, consent is the new frontline for marketing and he cites the three phases of “law and process”, “marketing optimisation” and “engagement”. He says that phase one will see technical adherence to GDPR driven by high-profile fines and public maulings of competitors. This phase will be focused on staying out of trouble through legal compliance and implementing new process and technology.
In phase two, consent will be the new acquisition. Cole explains: “This will be driven by dramatic effect on revenues. Marketing will be called in to optimise statements. Consent targets will be set, complex financial models built and developed and consent will become as sophisticated as acquisition.”
Finally, in phase three, engagement will be the new marketing and companies will be forced to create a marketing experience that customers actually want. “The emphasis will be upon openness, transparency and sustainable customer interaction, with softer performance measures introduced and a better articulation of value exchange with customers focusing on 'what’s in it for me?’"
So, in practical terms, how will companies actually achieve this consent? Channel 4 and The Guardian - which both have simplified permission statements - are often held up as exemplars and Opt-4's Permission Max statement tests show that brand has a significant impact on whether or not people will consent, with a familiar and trusted brand adding up to 25% to consent rates.
Smith says that using brand-friendly wording is important, but adds: “Consumers do not want to be heavily sold to in permission statements - rather, they want clarity and control over what the brand will do with their data, as well as reassurance that it will be held securely.”
Others see an opportunity to employ the classic direct marketing technique of “test, test and test again”, with Cole insisting that the vast majority of learning should be undertaken in a “safe” quantitative research environment which does not put your data structures at risk. He explains: “This requires that a brand’s unique tone of voice is considered, as well as an appreciation of what your different customer profiles are getting from your marketing. The possible permutations of channel choice, order, opt-in versus opt-out, and language are enormous, with each one achieving a different outcome. It’s important to prioritise. Undertake an iterative process of optimisation as though it were a multi-variate direct marketing campaign. Create a test matrix and try to isolate the variables that are having the impact on performance, rather than changing everything every time.”
Andrews agrees: “Testing the options is always a good idea - my rule of thumb is that brands should avoid trying to catch people out in terms of whether they really have consented and make the offer to opt in compelling. At the end of the day, marketing departments should be more concerned with engaged and consented consumers, not just how many names they hold on their database or CRM system.”
The notion of less is more might be an anathema to many marketing departments, and some believe companies have yet to realise what impact the new rules will have on opt-in. Cole says: “Let’s face it, a healthy 50-60% could dive to a terrifying 20-30%. So marketers need to get focused on plugging that gap.”
But Andrews believes big is not necessarily beautiful. “I must receive 50-60 emails every day that I doubt I really subscribed to and I’m certainly not interested in,” she explains. “Today, for example, I had one to a business email address that I haven’t been using for at least three years. Maybe they would do better to use their resources to target those who have opened and clicked through on communications.”
Bizarrely, given its recent travails, it is the charity sector which is leading the way in permissioning, although many organisations have been dragged kicking and screaming down that path. RNLI was the first out of the blocks when it revealed back in December 2015 that it was moving to an opt-in only regime - a switch which it estimates will cost it nearly £36 millon over the next five years - and Cancer Research UK soon followed suit.
RNLI has also pledged to share its experiences with other organisations, but the results - and learnings - could be a long time coming. So, with just 14 months until GDPR D-Day on 25th May 2018, where can companies go for advice now on the best way forward?
Smith points out that guidance has been slow in coming, but key areas like consent and profiling will be getting the ICO treatment shortly. “To be fair, current guidance (ICO Direct Marketing Guidance and Privacy Notices Code of Practice) have already been written with GDPR in mind,” she says. “The ICO has been recommending opt-in for some time now. But we shouldn’t expect the ICO to do all the work and industry groups should step up to the plate to provide guidance which balances the new requirements with commercial reality.”
Cole actually has some sympathy for the ICO, explaining that, in his experience, everyone wants to know the “perfect permission statement” and brands want to be told what to do to stay out of trouble. However, he adds, if guidance is created that can be applied to every situation, it can become too generic, boring and overly complex. Much guidance has been written, but brands are reluctant to embrace it.
He says: “The Brexit situation has made things somewhat more complicated, because we now have to prove 'adequacy' to the EU and they will decide whether we are applying the rules adequately. The fact is that many sectors have still not understood the implications of the changes and that means that the ICO needs to be stepping up its communication so that we don’t have Armageddon in early 2018.”
Industry bodies, including the DMA, the Advertising Association and Fedma, also have a role to play, while most of the major law firms have a data protection team dedicated to the issue. But Smith says those companies tempted to trawl the Internet for "self-help" should beware. "GDPR has become a bit of a gold rush for some newly-coined data protection 'experts' and it is worth checking a consultant’s provenance before appointing them. If you want a legal view, it is vital to instruct a firm which has a practice team that understands data protection, which is a real specialism.”
One thing is certain, however. No matter where you go for advice in the next few months, there is going to be a very long queue...