The EU’s General Data Protection Regulation (GDPR) is due to come into force in the next two years. While the exact wording and therefore the legal interpretations and implications are still not fully clear, brands should still be “on the front foot”.
Speaking at the annual Direct Marketing Association (DMA) Data Protection Conference, Christopher Graham, the information commissioner, said: “Brands should get on the front foot before the Information Commissioner’s Office comes knocking on their front door. You want to keep several jumps ahead of the sheriff.”
Getting leadership on board
Key to ensuring brands are compliant with new laws is getting the C-suite on board. Graham suggested mentioning to CEOs and CFOs the ICO’s new remit to fine companies €20m or 4% of their turnover, whichever is higher.
“Two years is not a long time to get the right people appointed and the right procedures in place. This is real.
“The stakes are so high in the short term because of the reputational damage – we have seen what’s happened to big brands when things have gone wrong. But if that doesn’t work try getting them to explain a €20m fine to shareholders.”
Christopher Graham, Information Commissioner
Baroness Neville-Rolfe, the Parliamentary Under-Secretary of State for the Department for Culture, Media and Science (DCMS), agreed. However, she also pointed out that this new legislation can be an opportunity for brands.
“We must not only talk about compliance and threat but also the opportunity to have a brand that is behaving well and therefore winning customers by doing the right thing. Data is the lifeblood of the modern business. Get into the finance and audit [departments], marketing and consumer goods and think about it from that point of view,” she said.
“If you’re going to be in this world, you have a responsibility. You need to meet us halfway,” she said.
She added that brands also need to adopt a different attitude from the current tendency towards “tick-box” compliance, which she said marketers should “get away from”.
Connolly argued that for services such as Facebook it is crucial for privacy policies and requests for consent to have a painless “flow” so the user experience is “as good as the product itself”. This is especially important on mobile, where “the real estate we work on is very small”.
The GDPR means brands are going to be “operating in the next two years in the realm of known unknowns” until enforcement begins, Connolly suggested. She said Facebook relies on a “circle of trust” whereby personal data allows the platform to show users the posts that are most relevant to them, which in turn makes them more willing to have their data used in this way.
Rather than using survey responses as a barometer of whether consumers trust brands, she said that a better indicator is when people “go dark” and stop interacting with a service. “That’s when you know trust is gone.”
Barclays director of information, policy and strategy Fedelma Good summarised the advice to brands with a call to communicate with consumers about personal data use simply, clearly and honestly.
“We can’t have wordy terms and conditions. They just don’t cut it. We need to find ways to give consumers the information they need.”
The public must be able to see their data not only as a business asset that brands can use for profit, but also as a “personal asset” that they derive value from themselves, thereby having an incentive to allow access to it and help “drive industry forward”, said Good.
Adopting best practice
Brands should also make sure they are committing to best practice, not just what the law demands. The RNLI, for example, made a significant proactive change to its data handling by committing to gaining an explicit opt-in before sending any direct marketing from January 2017.
RNLI product marketing and innovation manager Helen Hopkins said: “We decided to move to consent-based marketing. We won’t be direct-marketing to anyone – and this is via any channel – unless we have their explicit consent.”
The British Red Cross has now adopted a similar approach, promising to only contact donors by phone if they have opted in to receive such calls in the last two years and to gather “fresh specific and informed consent from an individual” once that two-year consent period has expired.
The moves are in response to criticisms of charities’ marketing practices over the past year following the suicide of charity volunteer Olive Cooke, who had received hundreds of fundraising letters and calls.
The RNLI said it had considered four courses of action after regular crisis meetings about the state of charities’ marketing last summer: continuing existing fundraising practices, stopping entirely, reducing the number of requests to supporters, or getting explicit opt-ins.
In the end it decided on a combination of the last two options, but this has not come without consequences. In assessing the likely impact ahead of the changes, it forecast a £35.6m funding deficit over five years, which it must make up for through “assessing reserves, business planning and operational savings”, Hopkins said.
The cost of not being ready
Baroness Neville-Rolfe said adoption of the new data laws is not without cost but that the cost of not being ready is even higher.
“[The GDPR] are complex and demanding. At the DCMS we will support organisations to make the necessary changes and prioritise them because it is easier to get ahead of the rules than do it on deadline.
“But at its core, data protection is about simple things – trust, integrity and professionalism.”