“Data really powers everything that we do.” Jeff Weiner, CEO of LinkedIn.
Data has become the fuel of marketing, allowing brands to deliver relevant, personalised, consumer experiences, and to make best use of their budgets by targeting the right audiences, in the right place, at the right time. But just as marketers are getting to grips with including Big Data in their digital strategy, new EU-wide privacy rules – in the form of the General Data Protection Regulation (GDPR) – look set to add an extra layer of complexity.
The GDPR may not come into force until May 2018 but marketers will need those two years to bring their data strategies up to scratch. While the basis of the GDPR is not drastically different from the 1995 EU Data Protection Directive it replaces, it will give individuals increased control over their data and require companies to be more transparent in their data practices. Breaching data regulations could result in significant fines – as much as 4% of global revenues.
So how will the GDPR impact marketers, and what should you be doing to prepare for it?
Audit the information you hold and share
The GDPR enforces the principle of accountability, so marketing departments must understand and document what data they hold, where it comes from, and who it is shared with. If they share inaccurate data with third parties they must take responsibility for correcting it. Implementing regular organisation-wide data audits now is the first step in preparing for the GDPR, and will involve discussions with advertising technology partners to understand how and where data is being processed. For example, global open ad management company Sizmek has recently opened a new data centre in Frankfurt to ensure it can comply with the new regulation.
Check you can comply with individuals’ rights
Under the GDPR consumers will have the right to know what data is held about them, to correct inaccurate records, to have information deleted, and to opt out of direct marketing. They will also have the right to prevent their data being used for profiling, where the results of data analysis lead to an action such as targeted advertising. While these rights have not changed dramatically from the previous regulations, requests may need to be processed more quickly and can’t be charged for.
In addition, consumers will have the new right of ‘data portability’ so they can have data – for example their purchase history – transferred from one business to another. While companies across all sectors must ensure their systems and procedures have the capability to comply with these rights, the fintech sector will be particularly impacted.
Review privacy policies and consent mechanisms
The GDPR requires privacy notices to use simple language that is easy to understand. They must include the identity of your business, what the data will be used for, and for how long it will be stored. Under the new regulations, notices must also explain that users can complain to the Information Commissioner’s Office (ICO) if they feel their data is being mishandled.
Privacy notices must also state the legal basis under which data is being collected and processed, for example user consent. Companies relying on consent to process data must make sure it is given via a positive indication of agreement. It can no longer be inferred from pre-ticked boxes or a failure to opt out. The GDPR will require companies to demonstrate consent was freely given and, in the case of children, it will require consent from parents or guardians.
Design or review data breach procedures
Under the GDPR all companies must detect and investigate personal data breaches, and notify the ICO if a breach is likely to result in damage to an individual. Reviewing data breach management processes now, as well as identifying the types of breach that must be reported, can help companies avoid the additional penalties that come with failing to notify the ICO when necessary.
Increase awareness and education around the GDPR
Above all, the next two years should be used to ensure marketing teams are aware of the GDPR, and understand the implications it will have on their activities. This may include appointing a Data Protection Officer to take responsibility for compliance or allocating additional resource for data protection processes. It will also mean keeping up with the latest news as the ad tech industry clarifies important questions such as whether or not user consent will be required for anonymous profiling, where personally identifiable information is replaced with random IDs.
With the UK poised to leave the EU there is increased speculation as to whether the GDPR will come into effect in Britain. But the regulation will apply to all businesses that collect EU data whether they’re in Berlin, London, or even New York, and the ICO has already indicated reform of national law is still necessary, stating: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.” To ignore the regulation on the grounds of Brexit would be a public relations disaster for any business.
Rather than an unwelcome obstruction, the introduction of the GDPR should be seen as an opportunity for marketers to make transparent customer-focussed data practices central to their business culture and digital strategy. Given data really does power everything marketers do, the next two years would be well spent increasing awareness of the GDPR and ensuring processes and procedures around this precious resource comply with its stringent terms.