How big a deal will 2018’s new General Data Protection Regulation (GDPR) be for marketers? The true answer is that no one knows.
If you haven’t yet heard the dire warnings that you could forfeit €20m or 4% of global turnover for breaking the new law, you probably deserve to be fined – awareness should no longer be an issue for brands.
The questions hanging over marketers as the May deadline for compliance approaches are: how proactive have their preparations been, are their measures sufficient, and will the Information Commissioner’s Office (ICO) actually be capable of prosecuting anyone?
It is safest to assume that, despite its scant resources, the ICO will look to lay down a marker with a high-profile test case in order to deter brands from taking a lax attitude. And if you have such an attitude right now, the danger is that it could be you.
Though brands are reluctant to go public about what they are doing – partly for fear of drawing attention to themselves and partly because some marketers believe it is the job of legal counsel, presumably – Marketing Week has surfaced a number of encouraging case studies from brands with a clear plan of action.
Steve Forde, director of online product and marketing at ITV, admits it involves “a lot of contractual and legal work”, but points out marketers are the only people “representing the consumer, the marketing side of things and the opportunity”. His key insight, applicable to all brands, is: “If we can’t easily explain to [customers] what we’re doing with their data, then we shouldn’t be doing it”.
If you have got “stringent processes, governance and controls” for data already, GDPR compliance should be less revolution than evolution, adds Cancer Research UK director of individual giving Graham White.
Marketers should already be part of cross-functional teams determining policies, which the vast majority of big brands will be finalising in the first five months of 2018. If you are not in that position, you need to ask colleagues why not as a matter of urgency.
Marketers will also need to take a direct interest in the makeup of their databases and what GDPR allows to be done with them, and then train their teams. This should hopefully be aided by clearer guidance from the ICO in the coming months, though that has been promised throughout 2017 and so far little has materialised.