The General Data Protection Legislation (GDPR) came into being in Europe in May 2016 and is due to come into UK law on May 25 2018.
Many might think, ‘I’ll worry about it then’, but for most, it is already too late and even now remedial action is unlikely to prevent the significant loss of our marketing customer and prospect databases. For marketers, consent to digital marketing is probably the most significant impact, but for businesses in general, we expect the biggest technical challenge to come from the need for a public accessible and yet secure ‘digital data dashboard’ to handle free ‘subject access requests’ and the new right of an individual to data ‘portability’ or being able to download what is held on the data subject in a form that they could then re-upload elsewhere. For most that is a significant systems change not least in providing a secure portal through which to facilitate this.
GDPR is a complete overhaul of the existing Data Protection Act of 1998 which was conceived in the mid 90s before email, SMS and certainly social media. The Privacy and Electronic Communication Regulation (PECR) of 2003, was designed to legislate for a change in technology and advancing digital communications but that too is considered old, inconsistent and incomplete compared to the new rules.
At its core, as UK Information Commissioner Elizabeth Denham has said, is, ‘the challenge to move from a mind-set of compliance to a mind-set of commitment’. That commitment is to giving consumers or ‘data subjects’ (DS) as they are defined, the rights to choose what they receive and to know how their data is ‘processed’ and used.
Whilst those ‘ideals’ may be applauded, what has not featured is any commitment to businesses for whom the goal posts are moving where legacy data is no longer compliant and investment in databases and systems, unable to cope with compliance or consumer demand.
The business or ‘data controller’ (DC) has to be able to evidence that it has acquired prior consent to market before it can send emails or texts, make automated calls or use personal data to communicate to an individual. The biggest problem here is that the ICO say that they will accept prior consent – what you hold now – but then go on to say as long as it is compliant with the rules of GDPR. In other words, it has to be specific, unambiguous and voluntary. That means if the data was captured using consent in Ts and Cs, pre-ticked boxes, an opt out or ‘soft opt-in’ (the right to communicate with customers with an auto opt-in to marketing by offering an opt-out) or any other means than an unticked box, that data will be illegal to use for marketing after May 25 2018. An important point to note is that a specific opt-in for example, ‘to receive our newsletter’ will mean that you can only send newsletters!
The ICO advises you should ‘re-permission’ any data that doesn’t comply to bring it up to standard before the rules change. There are a variety of ways of re-permissioning but in our experience inertia applies and the low-cost ways of doing this deliver less than 5% response. Before you set about doing this, I and 300 others responded to the Consent Consultation paper that closed on March 31 2017 and the results are being considered with rules to be confirmed but that publication has now been delayed until the end of the year. Most are therefore waiting and hoping that somehow legacy data will be exempt, as it was in 2003 for the advent of PECR particularly for B2B marketing that doesn’t yet require consent.
Subject access requests
GDPR suggests that the consumer will have the right to request that you supply the data you know about them within 30 days (currently 40) and that you provide it in a ‘commonly used digital format’. You must provide the DS with the ability ‘at any time’ to revise the permissions to use their data and the ‘right to be forgotten’ ie removed from the database, something that in many cases is a technical impossibility. That means that every business needs a ‘single customer view’ (SCV) across all data ‘silos’ ( on and off-line) and to provide a secure ‘digital dashboard’ that you can give people access to.
Unlike the ‘cookie’ laws, when the then ICO recognised the lack of awareness of the new law and allowed businesses 12 months to comply, failure on GDPR will result in prosecution. The fines are significant at up to 20m Euros or 4% of global turnover whichever is the greater!
There are several additional elements of GDPR that will affect businesses but as an experienced marketer who has lived through the last two changes, my aim here is to highlight the changes that will have the biggest impact on marketing.
Rob Bielby is CEO at The Marketing Innovation Group