spring / 2018

The magazine of branded content
The Facts
Juliet Stott
All you need to know about Europe’s new data protection legislation
May 3, 2018

On 25th May 2018 a new law will regulate how data is collected, handled and used in Europe, with far-reaching implications for the marketing community. Content Magazine spoke to London-based GDPR expert Julia Porter, former consumer-revenue director at The Guardian Newspaper and chair of the Direct Marketing Association, to find out exactly how this legislation will change the way we can market to consumers. Here’s what she had to say:

Content: What is GDPR, and how will it affect businesses trading in Europe?
Julia Porter: GDPR is an update of the data protection regulation – which was introduced in Europe 20 years ago. It’s designed to harmonize data regulations across the region and create consistency about how those regulations are interpreted. It also introduces a much greater focus on transparency and accountability with both data controllers and data processors.

The key thing for international brands to be aware of is if you are a company transacting with customers in any EU territory then you’ve got to adhere to the GDPR regulations.

Does the US have a similar piece of legislation?
The US has the ‘Privacy Shield’, which took over from ‘Safe Harbour’. The Privacy Shield is an agreement between the EU and the US that sets out how companies should handle data, and ensures companies behave in a customer-centric way.

What should US-based multinational businesses do to ensure they comply with the new GDPR legislation?
One of the key points of GDPR is to make sure that the data remains safe and secure and that individuals (the data subjects) understand that it’s being handled according to the standards set by GDPR. This means US companies can do one of three things:

  1. Sign up to Privacy Shield and abide by the agreed standards; or
  2. Set up data centres in Europe, which means data does not leave Europe. This is a route chosen by many Software as a Service (SaaS) companies; or
  3. Work with your legal counsel to introduce Standard Contractual Clauses, which ensure that the supplier effectively complies with the law through contractual and SLA arrangements.

How does GDPR affect other nations around the globe?
Australia, Canada, New Zealand and Switzerland already have approved data protection regimes with the EU and have extremely high standards anyway, whereas the US has a slightly different set of standards, which is why Privacy Shield is important. So, if your business is not in one of the countries I’ve already mentioned, then you can use your legal advisors to create model data clauses – components of the contract that say you will behave in a GDPR-centric way.

How will marketing practice change from 25th May?
At a high level, the key difference between now and a post-GDPR world is that the old system has been an ‘opt-out’ regime. In the future, consumers will have to ‘opt-in’ and say ‘I want to hear from you’.

The difference between opt-out and opt-in, in terms of how much marketable data you have, is huge. On average, an organisation may have 60% of its database that is marketable in an opt-out world, versus about 20% to 30% of its database in an opt-in world. Therefore, the responsibility – or the onus – on the corporates is to explain why consumers should sign up for an email, or communication of any kind.

Can marketers still send emails and direct mail to people on their existing lists?
Emails and direct mail have to be treated a bit differently. Emails are subject to another regulation called PECR, where consumers need to be asked to ‘opt-in’ to receive emails. In the case of email, data subjects can be treated differently according to whether they are ‘customers’ or ‘prospects’. If a customer has transacted with you in the recent past or might be in “negotiation for a sale” for a similar product or service, then marketers can offer them a ‘soft opt-in’ via email—this means that instead of asking people to opt-in to receive communications, they can offer them an opt-out option.

But if money has never changed hands with a person on the list, or is not likely to in the near future, marketers have to ask for permission to communicate with them by email, i.e. ask them to opt-in.

For direct mail there are some differences. In certain instances, marketers are able to communicate by direct mail if they have a “legitimate interest” – i.e. if a customer could “reasonably expect” to hear from a supplier.

In addition, the new law states that you can’t keep data you hold on people forever. Many companies have ancient databases, and a lot of that data just has to go. The ICO guidance says businesses can keep data for two years.

What will marketers NOT be able to do anymore?
The handling of third party data will significantly reduce. Tracing the provenance of third party data can be challenging. So, when people phone up and do generic customer surveys and say, “I’m just doing a survey on behalf of an unspecified group of companies, could you just tell me everything about your washing machine or how you use your telephone?”, that’s unlikely to be compliant. If they don’t say who they’re collecting data for, on behalf of which company, use of that kind of data will go.

How will the GDPR legislation affect customer profiling?
Individual profiling, anything that profiles an individual’s habits or personal data that might result in a decision which will impact their life, is going to become a lot harder to do. Businesses may not use personal data to make a judgement that will have a negative impact on a person’s life, for example, not offering them a mortgage based on their personal data. However, if an organisation wishes to understand patterns of sales based on anonymized data or aggregated data against, say, zip codes, this is permissible and will often be described as a “legitimate interest”.

What should marketers do going forward?
Marketers need to be transparent with the consumer and be explicit about when they are collecting data, why they are collecting it, what they’re going to use it for, and say where it is going to be kept. Marketers will need to explain what they are going to do with the data in more detailed privacy policies.

How can brands, businesses and companies prepare for a post-GDPR world?
Ideally, organisations should keep all of their data in a single database so they can keep an audit trail of all of the interactions they have with their customers – including dates, what’s been sent to customers, how they responded, what they bought, all of those sorts of things. So, if someone comes along and says, ‘Could you please give me all of the information you’ve got about me?’ (this is a Subject Access Request (SAR)) the company should be able to, relatively easily, extract all of that data and say, ‘Here you are, here is a list of all the stuff we know about you. Here are all the emails you’ve signed up for, these are the dates that you signed up on. This is the last thing you received.’
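The single audit-trail store described above, as an added illustration that is not from the interview or from any named organisation: a constructed consent ledger with a Subject Access Request export, an opt-in check where a later opt-out revokes an earlier opt-in, and a retention purge using the two-year figure quoted earlier (the retention window and all sample rows are assumptions).

```python
from datetime import date, timedelta

RETENTION_DAYS = 2 * 365  # assumption: the two-year ICO figure quoted in the interview

# Constructed sample rows: one ledger holding consent events, sends and purchases
LEDGER = [
    {"email": "alice@example.com", "event": "opt_in", "channel": "email", "detail": "newsletter", "date": date(2017, 1, 10)},
    {"email": "alice@example.com", "event": "send", "channel": "email", "detail": "summer offer", "date": date(2017, 6, 1)},
    {"email": "bob@example.com", "event": "opt_in", "channel": "email", "detail": "newsletter", "date": date(2015, 3, 5)},
    {"email": "bob@example.com", "event": "send", "channel": "email", "detail": "spring offer", "date": date(2015, 4, 1)},
    {"email": "carol@example.com", "event": "opt_in", "channel": "email", "detail": "newsletter", "date": date(2018, 2, 1)},
    {"email": "carol@example.com", "event": "opt_out", "channel": "email", "detail": "newsletter", "date": date(2018, 4, 20)},
    {"email": "alice@example.com", "event": "purchase", "channel": "web", "detail": "order 1001", "date": date(2018, 3, 15)},
]


def subject_access_request(ledger, email):
    """Everything held about one data subject, oldest first (the SAR export)."""
    rows = [r for r in ledger if r["email"].lower() == email.lower()]
    return sorted(rows, key=lambda r: r["date"])


def marketable_by_email(ledger):
    """Subjects whose most recent email consent event is an opt-in.

    Events are replayed in date order so a later opt-out revokes an earlier opt-in.
    """
    state = {}
    for r in sorted(ledger, key=lambda r: r["date"]):
        if r["channel"] == "email" and r["event"] in ("opt_in", "opt_out"):
            state[r["email"]] = r["event"] == "opt_in"
    return sorted(e for e, ok in state.items() if ok)


def purge_stale(ledger, today, retention_days=RETENTION_DAYS):
    """Drop every row for subjects whose last interaction is older than the window."""
    last_seen = {}
    for r in ledger:
        last_seen[r["email"]] = max(last_seen.get(r["email"], r["date"]), r["date"])
    cutoff = today - timedelta(days=retention_days)
    keep = {e for e, seen in last_seen.items() if seen >= cutoff}
    return [r for r in ledger if r["email"] in keep]


if __name__ == "__main__":
    for row in subject_access_request(LEDGER, "alice@example.com"):
        print(row["date"], row["event"], row["channel"], row["detail"])
    print("marketable:", marketable_by_email(purge_stale(LEDGER, date(2018, 5, 25))))
```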

Should businesses create preference centres where customers can opt-in and opt-out of communications easily?
Preference centres are not legally required, yet they are a good device to help consumers manage their own preferences. A preference centre enables the consumer to see a list of all the communications they’ve signed up for. They can change these at any time, and this is something they can control and update. When I was at the DMA, we did a really useful piece of research called ‘Customer Attitudes to Data.’ We found that what people really want, more than anything else, is control. They want to be able to change how they interact with businesses. They also want to understand the value exchange, i.e. ‘What’s in it for me?’.

Apart from preference centres are there any other options?
A few software companies are producing plug-ins for businesses’ databases. The plug-ins enable businesses to manage all of those preferences and the updates for their clients.

Which person or department should be responsible for the data?
Many organisations that handle sensitive data will need to have a board-level data protection officer who is responsible for information security, data protection and data governance.

Secondly, the IT department needs to ensure the business has robust cyber security arrangements in place. They need to ensure laptops are encrypted, that email logins have a two-step authentication, that servers are secure, and they need to conduct penetration testing to prevent data breaches. A data breach will attract huge fines and cause massive embarrassment to companies.

The legal department has to make sure that contracts with suppliers reflect the GDPR requirements in how to handle data. Suppliers now have more responsibility to learn how they handle data, as they can also get fined.

The marketing team should be responsible for the CRM data team. Marketers have a super-important job. They’re the ones having to make the case for using and sharing the data as well as creating the value exchange for customers.

A marketer’s role is really central to making GDPR work for the organisation. They are also the team who will be making the selections, analysing the data, carrying out profiling etc. so they need to have a good understanding of how GDPR applies to their decision making.

Finally, what are the benefits of becoming GDPR compliant?
Although re-consenting an entire database can seem like a radical option, and can lead to a significant reduction of contacts on the list, it can often increase response rates and ROI. In the UK, a charity called The Royal National Lifeboat Institute re-consented its entire database. It was quite a radical move as it reduced its database from around 900,000, to 300,000, which everyone thought was a nightmare. Yet, when it did its next campaign, it discovered that its response rate tripled and the average donation value it received also tripled. So, for a third of the size of the database, it actually ended up with three times the donations that it had had in the past.

Ultimately GDPR isn’t just a stick to beat people with—it’s not designed to kill a business or to stop companies trading. It’s rooted in a desire to protect people’s human rights and provide some control to customers. In light of the heightened awareness of data security, it’s a piece of legislation that helps protect people from corporates mishandling their data, whilst also ensuring that people can still receive relevant and compelling offers.