On 25 May 2018 the General Data Protection Regulation (GDPR) will come into force. Assuming the UK votes to remain in Europe, it will replace the UK Data Protection Act and mean that for the first time Europe will have a harmonised data protection regime that impacts not only companies based in the EU but also those that want to do business here.
The central tenet of the regulation tightens the requirements around when brands can use data. For example, brands will no longer be able to bundle data consent in with their terms of service or provide an opt-out box. Instead they will have to get specific and unambiguous consent.
The consequences of being on the wrong side of the law are also getting stricter. Previously the most serious breaches of the UK Data Protection Act would get a maximum fine of £500,000. Now that has increased to €20m or 4% of global turnover.
Jonathon Little, partner at law firm Jones Day, explains: “Data protection has not always been at the centre of brand’s thinking on legal issues. But this new regulation will apply automatically throughout Europe.
“Plus, before there was a remote chance of direct action. Now, at least on paper, there is a very big stick.
“This will pull data protection out of the shadows and up the corporate agenda.”
Jonathon Little, partner, Jones Day
The five key changes
- Personal data – A broader definition of what personal data covers could see IP addresses and cookies included, although the ICO is yet to issue full guidance
- The definition of consent – A new definition of consent says it must be freely given, informed, specific and unambiguous
- Notification about security breaches – Companies must notify the ICO within 72 hours or without undue delay, and report the data subjects affected, the types of data involved and how they plan to mitigate the situation
- Sanction for breaches – Increases to €10m or 2% of global turnover for sanctions, rising to €20m or 4% of global turnover for serious breaches
- Increased information requirements – The new requirements have to be included in a privacy statement including name and contact details, the fact data will be used for marketing purposes and how it will be stored. This also includes six new data subject rights including the right to opt out, the right to access or move their data to a different company and the right to have their details deleted.
How brands should prepare
With brands now having two years to make sure they are compliant, the first thing they should do is raise awareness, according to John Mitchison, head of preference services, compliance and legal, at the Direct Marketing Association.
“Brands need to make sure everyone knows what is going on and the rules coming in and how they currently process their data. That can be an eye opener for lots of people,” he says.
Also high on the agenda should be an audit. Little says: “If I were a marketer I would spend the next couple of months working out where you are. And then put in place soft procedures to make sure, for example, that when creating marketing campaigns you are thinking about data protection issues and documenting how you do that.
“When the regulations come into effect brands will not get their doors kicked down straight away. But if you can show you spent two years doing what you could to comply, that will be very helpful.”
The RNLI took a proactive approach, announcing last year that it would switch to an opt-in model. While not done directly with GDPR in mind, Jayne Clarke, the charity’s head of marketing, says the move has shown her how important being ahead is and how long getting everyone in place can take.
The risks of not being ready
The most obvious risk is in the much larger fines. Little believes that while €20m fines will not become the norm, at some point the regulator will use its fining power “to show it means business”.
Yet of greater concern for brands should be the reputational damage. Marc Allsop, senior vice president at Aimia, says fines do not always act as a deterrent because they are rarely large enough to cause harm. But the impact on the brand and its relationship with consumers is a risk.
“Fines play a part in encouraging people to comply but it’s the process of being publicly named, shamed and fined that is the bit that will make brands comply. No company wants its name in lights in that way,” he explains.
For brands that really get it wrong, they risk losing customers in their droves. Research by Aimia as part of its annual Loyalty Lens report found that more than 20% of customers would delete their account if they were concerned about data protection, leading to a rise in what Aimia terms the “deletist consumer”.
“The very simple fact is if you get the data component wrong, and wrong can be as big as a data failure or as simple as not providing consumers with enough control, customers will vote with their feet. Consumers now have so many relationships with companies that if you let them down they will simply delete that relationship.”
Jayne Clarke, head of marketing, RNLI
How have you found the shift to opt-in communications?
It has been more complex than we thought. We have been doing background work on our systems and getting the messaging right and really understanding what opt-in means.
Our first mailing went out in May so the first wave of people who have opted in are coming back now. We were quite conservative with our expectations but we have been inundated with people opting in. But we are at the start of that journey and we now think it will take us to the end of the year to communicate it to everyone.
How have you communicated the changes across the business?
We have had lots of smaller rollouts and open forum sessions to explain what we are and are not doing and what people’s roles are in it. We have had to keep repeating the message. A lot of people might think it does not affect them but then it dawns on them three months later that it does and we then have to work through it with them. It is a huge internal communications piece but we have to get our staff and volunteers involved as they are the ones that will whip up excitement among donors and get them to opt in.
Have donors been engaged?
We have had the whole spectrum. Some have said it is a no brainer and they will continue to support us, others have asked what it means to opt-in and others have raised concerns they might be opening floodgates.
What are the advantages to being ahead of the EU regulations?
We are able to create our own path. Our compliance officer is very much looking at the EU regulations but being ahead of the game means we give ourselves the time to do it the right way and that we can communicate we are doing the right thing because we want to, not because we have to.
What advice would you offer other brands?
Get everybody in the company involved. This has to come from the top of the organisation so the trustees or board need to talk the mantra to everyone. This is not just a marketing initiative; we have to take our staff, volunteers and donors on the journey with us.