If the prospect of the new legal framework for data protection has you worried, just imagine what life was like for charities back in 2015. “We were shaken by the negative impact from the death of Olive Cooke,” recalled Michelle de Souza, chief data officer at Age UK. Those fears triggered an audit of business processes, including the way personal information was being collected and processed.
Ultimately, this led to the creation of a governance framework and what De Souza described as, “a step-change with a more responsible data-driven marketing culture.” Speaking in an interview specially filmed by REaD Group for last week’s GDPR Impact event, she explained how her role became the catalyst for a pragmatic approach to the Regulation and beyond.
“GDPR is principles-based which is difficult for people to understand.”
Embedding that new mindset into the organisation has not always been easy, not least because of what she called the “ebb and flow of different situations.” Then there is the nature of GDPR itself and how it is written. “It is principles-based which is difficult for people to understand. They should welcome that, but day-to-day they tend to want a prescriptive way of working,” she said.
With most of Age UK’s income being generated by offline direct marketing, it has chosen to adopt legitimate interest as the basis for its data processing and to “keep the faith” that it has the evidence to back up that choice.
That decision is one of the most critical for all organisations considering how to respond to GDPR, yet it has also given birth to one of the myths which Mark Watts, partner in law firm Bristows, addressed at the event. “Marketers make the connection with consent because there are a number of reasons why that might be needed, such as location data. But legitimate interest is available as a basis because Recital 47 recognises direct marketing as a legitimate interest,” he pointed out.
Core to the decision is carrying out a balancing exercise which considers whether individuals are likely to benefit or be harmed from having their personal data processed. If there are clear benefits to them and significant reasons why the organisation needs to process their data, which might include DM as well as fraud prevention, then legitimate interest can be used.
“There is anxiety among our clients that customers will want to delete all of their data.”
Two other myths were also busted by Watts – that everyone can delete their data and that every business needs to get a data protection officer. “There is anxiety among our clients that customers will want to delete all of their data,” he said. While untrue, there is a requirement under GDPR to establish how long data will be kept. This is where one of the biggest lags to compliance can be found. “On over 100 projects, almost no-one has got their retention policy sorted. It can’t just be forever and you have to inform people,” said Watts.
While GDPR sets out the need for a data protection officer in certain circumstances, he argued that this need not necessarily be the highly-resourced, independent person many imagine. “If you have a data protection compliance programme, you just need somebody whose job it is to manage that,” he said.
The organisation with perhaps the most to gain from GDPR’s position on direct marketing is Royal Mail. Not only does it have a specific carve-out under the new law, but it remains one of the most trusted communications channels.
“Marketing is something you do for your customers, not to them.”
This should see an upswing in its adoption because, as Jonathan Harman, managing director of Royal Mail Market Reach, put it, “marketing is something you do for your customers, not to them. The Regulation means you have to bring your A-game and that should build more trusting relationships between brands and consumers.”
Harman laid out 12 reasons why direct mail will be central to marketing after 25th May and beyond, including any eventual revision to the ePrivacy Regulations (PECR). “They don’t apply to direct mail, so you can rely on legitimate interest,” he said. Many brands have already recognised this for their customer repermissioning activities, where existing data has been collected without a clear enough privacy notice and statement of purpose. “It is recommended by the Direct Marketing Association and people trust what they receive,” said Harman. As a rejoinder, he noted that the ICO had never imposed a fine for postal marketing.
If accountability is the founding principle for organisations within GDPR, then transparency is its key mode of expression. Consumers will be looking for the evidence that brands are responding to the change in the law and enabling their new rights.
Crucially, a large proportion are coming into this new environment from a position of knowledge. In the consumer survey conducted by DataIQ in association with REaD Group, 11.5 per cent described themselves as “data savvy” with a further third saying they have a reasonable understanding, whereas only 5.7 per cent say they understand nothing at all about how their personal data is used.
Among the three in ten consumers who describe themselves as happy to share their data if they trust the brand, this level of understanding surged – one quarter describe themselves as “data savvy”. Combined with those who say they have a reasonable understanding, this means six out of ten Trusting consumers are well-informed and will be looking for actions by brands that validate that trust.
“The point of GDPR is to have personal information properly treated and respected.”
While the majority of those brands have the best of intentions, Mark Roy, chair and founder of REaD Group, noted that, “we don’t know what GDPR compliance really means – there is no clear path. But the point of GDPR is to have personal information properly treated and respected.”
Against the backdrop of revelations around Facebook and Cambridge Analytica, Roy suggested that intense lobbying by American technology firms to temper the demands of the new ePR is likely to fail. “Facebook has sealed their fate. There is not a single person in Brussels who will now say there is not a problem and they don’t want to do anything,” he noted.
What that is likely to mean is a significant impact on the ability to prospect via email, while GDPR will constrain the ability to harvest data online. Said Roy: “It shifts the onus onto companies who for years have been collecting data any way they can legally while hiding consent in the terms and conditions. GDPR puts an end to that.”
While options such as postal marketing are able to operate under a lower legal burden, the data industry itself is working out how to maintain compliant data flows. That means demonstrating transparency and building trust. As Roy said: “Our job is to gather data legally and pass it on to third-parties. If the consumer trusts us as a brand, they will willingly share their data.” On that point, the research clearly backs him up.