Michael Barnett: Marketers sorely need GDPR to guide them, but can it be enforced effectively?

If the Cambridge Analytica saga has shown us anything, it is that new data protection laws are long overdue – and that most UK marketers would not dare argue. Most, in fact, would agree it is now a matter of strategic importance to restore consumers’ trust in how their businesses use data.

The Cambridge Analytica story surely marks the first time a marketing segmentation model has had such wide and profound implications for society, taking in the election of a US president, the UK’s decision to leave the EU and the exposure of 87 million people’s personal data. Perhaps the most salient detail of all is that the data controller in this case – namely Facebook – may not have actually done anything legally wrong.

When the General Data Protection Regulation (GDPR) comes into force next Friday (25 May), the limits of personal data use by businesses should be clearer and stricter. We’ve been operating for a long time under a legal regime that isn’t fit for purpose in the digital age; where UK, US and EU laws have allowed the emergence of a digital ecosystem in which consumers have little understanding of or influence over what happens to their data.

Marketers talk a lot – and rightly so – about the strategy of creating a ‘value exchange’, where users submit their data in return for free online services. Without data-driven advertising, website owners would be forced to charge for access, restricting the democratised flow of information and commerce that has been the internet’s main benefit.

However, the exchange has become heavily skewed in favour of marketers – not necessarily in terms of value, but in terms of control. Yes, it makes sense that users can choose to give permission to process their data instead of paying a fee, but on the whole that’s not what has been happening.

In reality, the value exchange today consists of nudging people down carefully constructed corridors of consent towards a locked door, which only opens when you utter the magic word: ‘agree’.

READ MORE: How small businesses are tackling GDPR

The right strategy

Generally speaking, there wasn’t anything legally wrong with this until GDPR came along. But that doesn’t mean it was the right strategy.

Perhaps the most important provision of GDPR is that consumer consent for data processing must be “freely given” to be valid. According to the Information Commissioner’s Office’s guidance, this means companies can’t unnecessarily make consent a condition of accessing their service. You must give consumers a real choice.

This is a noble principle upon which all brands can base data-driven marketing strategy. But if GDPR isn’t consistently and effectively enforced, it will be a much less firm foundation.

Some of the most intriguing insights from Cambridge Analytica whistleblower Christopher Wylie’s evidence to Parliament last month were his observations about the ICO’s investigators.

The first was a well-known issue: that they are very few in number, relative to the nationwide enforcement task facing them. The second was more revealing: that not many have a sophisticated understanding of how databases work. That’s an even bigger problem.

As much faith as I have in the ICO’s integrity, independence and determination to uphold consumers’ rights, I fear for their ability to cope with the sheer scale of the task of enforcing GDPR.

Wylie complained he repeatedly had to explain the basic details of the data transfer that took place at Cambridge Analytica, and how this contributed to its ad targeting abilities. Furthermore, he said, in their hunt for evidence ICO investigators asked him the wrong questions; questions that betrayed deficiencies in their technical understanding; questions that a knowledgeable database engineer would not ask.

As much faith as I have in the ICO’s integrity, independence and determination to uphold consumers’ rights, I fear for their ability to cope with the sheer scale of the task of enforcing GDPR. With so few investigators – most of whom don’t have a technical background – how can it possibly be effective in laying down the law?

Marketers aren’t incorrigible bandits, roaming the Wild West of the internet perpetrating data stick-ups on unsuspecting consumers. Most in the industry are just trying to do the best for their brands – and the wider economy – using the tools at their disposal, within the rules as they understand them. But the ICO must draw the line quickly and clearly between what’s acceptable and what isn’t, so marketers can make the right strategic choice about the value exchange.

READ MORE: How GDPR will impact Facebook, Google and online advertising

The unknown quantity here is ‘legitimate interests’ – the legal basis that allows you to process personal data without consent under GDPR as part of your right to do business. There are supposed to be limitations to its use – the key one being that the company’s rights never outweigh the consumer’s – but the danger is we’ll see blanket use of it in place of consent, and the ICO will be too stretched to correct brands’ errant ways.

That would be a shame – and the wrong strategic approach. This is a historic opportunity to recast the value exchange with customers, giving them a real choice over how their data is used in return for real trust and loyalty.