The marketing industry has now passed an important milestone, with exactly a year to go until the biggest change to data laws in a generation comes into force, and marketers are even less confident about their readiness now than they were three months ago.
The EU’s General Data Protection Regulation (GDPR), which has been adopted into UK law in spite of Brexit, will come into effect from 25 May 2018 and involves higher maximum fines of 4% of global turnover for breaches.
Only 54% of businesses surveyed by the Direct Marketing Association (DMA) expect to be compliant by the deadline. That number has fallen substantially from 68% since the DMA asked the same question in February. Nearly a quarter of companies have not even started preparing yet, despite the new law being first announced more than five years ago.
Confusion over consent
Confidence has been hit by controversial guidance issued by the Information Commissioner’s Office, which will police the law in the UK. It is consulting stakeholders on a number of key areas such as gaining consent to use personal data, profiling individuals and ‘legitimate interests’ for processing data, but its piecemeal approach has been held up by the general election.
Its draft guidance on how brands must request consent to use personal data for marketing purposes was due to be finalised in May, but marketers are still waiting to find out whether its initial strict interpretation will remain intact. Among its most significant proposed measures are:
- An unambiguous opt-in is required to process personal data
- Brands will need to be specific about what will be done with the data
- Individual companies must be named when requesting consent for third-party marketing
- Pre-ticked boxes and any assumption that consent is given by default will be insufficient
- Brands should not stop consumers using a service if they withhold consent for their data being processed
Bodies such as the DMA are pushing for clarity. At an event in London today (25 May) chairman Mark Runacus said: “We need clear and consistent guidance and we need that as a matter of urgency if we are to meet the 2018 deadline.”
He expressed concern that the ICO would “penalise those who are trying to be open, honest and transparent” and who have taken proactive steps on the basis of its advice prior to the draft guidance, which took a harder line than many expected.
What are ‘legitimate interests’?
Asking for consent isn’t marketers’ only hope for ensuring their communications with consumers abide by the new law. The GDPR allows other legal justifications for processing personal data, the most relevant of which for marketers will be legitimate interests – essentially the right of a company to do business.
The ICO has not yet provided guidance on when brands can use this justification, but direct marketing is explicitly stated as a legitimate interest in the text of the regulation.
However, brands will always have to balance their own rights against consumers’, and the latter will always be favoured by the law. Using personal data for direct marketing will probably only be a legitimate interest if it’s absolutely necessary to do it and consumers would expect to be contacted, having given over their details.
It is therefore not yet clear whether there are situations where brands can send marketing without having asked for consent, but Jason Cromack, executive director of MyLife Digital, believes, for example, that “legitimate interests will work very well with charities, because even though you might only talk to them once every six years it doesn’t mean you don’t support them”.
Once the ICO’s guidance becomes clear, marketers will need to think carefully about which legal basis – consent or legitimate interests – is the better one to justify the use of personal data. If you ask for consent first and consumers refuse, it’s highly unlikely you can claim a legitimate interest.
Opportunities as well as headaches
Not all brands see the GDPR as a source of worry and confusion. Sherine Yap, global head of CRM at Shell, says: “From my perspective, because we’ve taken this fairly vigilant approach, I don’t see a direct impact, not tangibly.
“So we’re in a very fortuitous position where we don’t have to rework a lot of what we’ve got or lose a lot of what we’ve got. We have to validate a lot of the permissions and a lot of the consent, but I actually think that’s going to be a bonus because for me we don’t have a lot of dead weight in the databases.”
Sky group head of data protection and privacy Nina Barakzai believes the GDPR should require “just an extra few tweaks” if businesses have been operating a transparent and customer-centric data policy until now. She sees her main task as documenting evidence of how Sky has taken steps to protect consumers’ privacy.
“My task is not to ask ‘why have I got this data?’, which I probably already know, but how I demonstrate it.”
She counsels businesses to work with data and technology partners on their compliance with the GDPR, partly because both will share responsibility for personal data and partly because it is cheaper that way. “Most of our preferred suppliers have been planning for GDPR since 2013. We have contract clauses in place,” she says.
It is a good sign if partners are proactively discussing the law, Barakzai adds. “The ones who don’t talk about it with you – you probably want to check it with them because it means they have been asleep.”
One way to avoid the worries of complying with the law is to “build an anonymisation strategy”, she says: if you do not process personal data then the law becomes irrelevant, yet marketers can still segment and utilise anonymised data in commercially valuable ways.