So, what do I really need to know about GDPR?

It’s been something of a red-eye start for the Unicorn Marketing Department today, as we fought our way through the early commuters to join the GDPR Europe ‘Roadmap for Marketers’ Conference at 155 Bishopsgate.

It’s impossible not to have noticed the growing panic around the impending General Data Protection Regulation over the past few months; even as a business offering GDPR training, we’re being inundated with invites to conferences and offers to attend courses almost daily.

The first speaker of the day, Ardi Kolah of Henley Business School and Editor-in-Chief of the Journal of Data Protection and Privacy, went so far as to call GDPR, “the most hotly anticipated piece of legislation ever”, highlighting the fact that as it stands we’re now only around 180 days from May 25th when GDPR comes into force. Amusingly, this point was rapidly called out as hyperbole by one impassioned Twitter user (actually, he called it ‘peak bullsh*t’) – but judging by the fact we’re in a room packed with experienced Marketing, Tech and Legal professionals all eager to get their facts straight ahead of GDPR D-Day in 2018, perhaps the statement isn’t unfounded.

Having worked in an industry that went through a similar period of transformation (when Building Information Modelling (BIM) hit UK construction), I’ve seen the ‘two camps’ that spring up in these scenarios before: for some, new legislation quickly becomes about the ‘how’, and for others, the ‘why’ is really where the crux of the matter lies. It isn’t to suggest that the two are mutually exclusive – they aren’t – but the difference between them, and where people’s attention lands, is what really underpins the distinction between a reactive response and a sustainable future strategy.

Seeing this exact model play out in today’s conference is, therefore, no surprise.

Session one from Ardi Kolah set the scene for the day – asserting that the latest legislative change is a response to people having “played fast and loose” with consumer data for far too long, and perhaps even a more general symptom of “society’s increased sensitivity to data matters”. We are told that only 8% of businesses deem themselves to be ‘ready’ for GDPR; 1 in 4 businesses aren’t sure whether the measures they are putting in place will be sufficient, and 26% of businesses that are aware of GDPR have yet to do anything about it. Are those figures surprising? You be the judge. But it’s certainly a bit of a minefield, and the prevalence of potentially ambiguous terms like ‘transparency’, ‘accountability’ and ‘consent’ (we’ll get to that one!) certainly doesn’t seem to be helping.

Some top takeaways – finding the useful in all the noise:

1. Building on existing legislation – evolution not revolution.

If you already comply with the Data Protection Act, you’re well on the way. At least that’s what Mark Runacus, Chair of The DMA, thinks. “The reality is that there will be the ambulance chasers and snake-oil salesmen who will try to sell you a new, one-stop, ‘cost-effective’ solution”, he says, “but tech alone won’t solve it.

“In reality, GDPR presents an opportunity to upgrade your tech, and upgrade your relationship with your customers”. He makes a good point, and we’ve heard this before – GDPR is being treated almost universally as something new and scary, but it’s a natural evolution of what we should all be doing anyway. As marketers, and indeed as businesses, we should always be considering what value we’re bringing to customers: is the information we’re providing relevant? Is it helpful? Timely? Are we making people’s lives easier? If not, should we really be interacting with them at all? At the heart of it, a piece of legislation that encourages us to be better at delivering value surely cannot be a bad thing.

2. Fixating on fines and sanctions means you are missing the point (and a bit about AI)…

Following the point about value, Nic Oliver – founder of the tech start-up People.io – seemed to blow the room away when he suggested we may be heading for a paradigm shift in the way we view the value chain between data subjects, processors and controllers. “I might be getting ahead of GDPR here”, he said (although he’s also right when he says GDPR as law has really been a long time coming), “but isn’t it interesting to consider the kind of data that’s “ok” (‘anonymous’ data) versus the kind we’re not ok with under DP or GDPR… Really, when you think about it, it’s the psychographic profiling that happens as a result of big data that’s the thing we should be worried about. Just think about the sheer volume of information we willingly give to the Googles and the Facebooks of the world; these are businesses with billions of first-party contact points globally, who arguably start to know more about us and our buying patterns and likes and dislikes than we do ourselves.”

He talks about the value of data lying not in the information itself, but in what we are able to do with that data; and when.

For context, the People.io business model is unique insofar as it places personal data under lock and key, offering consumers the chance to answer a series of questions (at will, and as a paid service) in return for a ‘match’ with relevant, hand-picked consumer brands, who then have a chance to interact with this specific target audience via a secure app interface. He tells us that this model of interaction – where personal data is never directly passed to businesses for explicit (and often random) marketing purposes – demonstrates significantly higher efficiency than programmatic advertising. Again, we’re talking about finding value in what we offer to consumers.

“Consent is dead”, Nic tells us. “As we look to a future of AI where machines and algorithms learn about buying behaviours, we’ll eventually find ourselves in a world where the issue of consent is far more complex than a simple ‘opt-in’. If our apps and everyday appliances gather data on our lifestyles and behaviours, it’s not such a leap to imagine that in the future a machine could feasibly know before you do that you’re about to have a heart attack; should you be notified? Did you ‘consent’ to the use of your health data for this purpose? Who regulates that consent?”

It’s pretty deep stuff, but his point really digs to the core of a much wider debate about how we view, gather, share and use data. “On the subject of GDPR”, he says, “please see it as an opportunity to reimagine what marketing is.” For now, that means refocusing our efforts on providing useful, timely information to our customers, not on box-ticking to avoid the associated fines. Of course, no one wants to be caught short, but viewing GDPR through the lens of ‘what happens if I don’t do it’ is all wrong.

3. Consent is king (but it’s not straightforward)

Back in the room from the far-flung corners of the AI and machine learning world, and we come back time and time again to the idea of ‘consent’. “Where GDPR is concerned, consent is king, and you should document everything”, says Adam Graham, CEO of The Marketing Group. He’s half joking about the second part.

Whilst the dialogue of consent will look a little different for each business, essentially we must be able to demonstrate when (and under what conditions) consent for marketing or communications was given; what the person was subscribing to; and that we then informed the data subject about this consent and provided a clear way to withdraw it. “Consent is no longer silent; no longer passive”, Adam says. “We’ve talked a lot about GDPR in the context of something wider than a box-ticking exercise – as more of a cultural shift – and that’s exactly right, it’s less about compliance and more about social responsibility.”

Broadly, consent must be:

  • Active – freely given, not enabled by default
  • Granular – not simply in OR out
  • Unbundled – i.e. single services, not all or nothing
  • Without an imbalance in the relationship between business and consumer – e.g. his example that forcing employees to use an app in their personal lives that is designed only for work would be unfair
  • Verifiable and documented – what did they agree to, when was it, how was consent given, etc.
  • Not a zero-sum game where privacy is concerned – i.e. people can change their mind, and privacy information should be attractively presented and seen as a priority
  • Grounded in a legal basis – what’s the data being gathered for? i.e. is it relevant, and for a viable reason?

Adam reminds us that under GDPR, users retain legal rights over their data after consent is given – and that means requests for information by a customer, or indeed the right to be forgotten (to request that a company deletes all personal data held about you) are here to stay.

The grey area for marketers, it seems, is the issue of ‘legitimate interest’. Legitimate interest means determining when, outside of explicit consent, a user’s behaviour is indicative of a legitimate need for a product or service that could warrant some kind of communication – something that is decidedly subjective. The example given in the context of a panel discussion was about whether a return visit to a website several years after an initial purchase is deemed ‘acceptable’ under GDPR. The answer here is much more about what the product is; let’s say it’s a vehicle – where the normal buying cycle might be five years – in that case, a return to a company website might be deemed as legitimate interest, consistent with the typical buying cycle, and therefore not something that a customer might perceive as irrelevant, or an auditor as invasive. On the other hand, if it was a pair of shoes – where a typical buying cycle might only be three months – the contact is far from appropriate.

In a nutshell, we’re looking for the hallmarks of a ‘sensible’ attempt to apply the principles laid out by the law to the specific scenarios of individual businesses. Working heavily in the Financial Services sector, where businesses are subjected to audits and regular scrutiny by the FCA, we’re used to the idea that legislation is there to guide businesses, but that the regulators expect some degree of pragmatism in each individual case. “It’s about using your brain”, says Adam, “it’s about stopping and thinking, is this appropriate contact? If I was the consumer, is this likely to be a useful intervention or not?”

4. Trust / ‘Your culture is your brand’ – Data subjects vs. real people

Another phrase thrown into much of today’s discussion is the notion of ‘privacy by design’. Privacy by design addresses the need for systems and customer touch points to support the effort to protect customer data, and seamlessly integrate points of explicit consent into everyday processes.

In this vein, Helen Beveridge, Head of Strategic Insight at Circdata, talked about the opportunities presented by GDPR for businesses to build (or, perhaps, ‘rebuild’) trust with consumers. She likened ‘good’ trust in its essence to the way her young Scout group treated interpersonal relationships: uninhibited, useful, supportive – cheering one another on, working together, and not stealing from one another. “Trust becomes endemic when everyone else agrees to do ‘the right thing’”, she says, “but whilst this is all very well in principle, how do we enable this in an internet-based society?”

When we extrapolate the ‘Scouts’ guide to trust’ into the arena of global businesses, we’re into the discussion around how people perceive brands. “Do we trust Apple or WhatsApp more because of the heavy press coverage around their ongoing battles with the intelligence services when they refuse to surrender personal data?” Helen asks. Possibly. One thing is for sure, we start to feel safer in the hands of those brands when they can demonstrate on a global stage that their commitment to customer privacy is core to the ethical code of their business.

In fact, the point about trust goes beyond brand perception; Helen goes so far as to suggest that this nosedive in trust (there were some statistics here that escaped us, but the gist was that as a nation we no longer trust anyone – be it our politicians or our neighbours) might actually be the thing driving regulatory change. “What happens if we start to see regulators as enforcers of public opinion, not of the law?” she asks us. Even the semantics of how we refer to ‘data subjects’, not people, in the context of the data protection debate is indicative of the depersonalisation of the issue at hand. “When did we forget to be human?” she asks. “If we could stick an ROI figure on privacy, people would take it a lot more seriously. But in many ways what GDPR is trying to do is re-focus our attitude to ethics in the context of building IT infrastructure and indeed wider relationships with our customers.”

We’re human, and we’re not always going to get it right, but adopting the principles of privacy by design, and undertaking privacy impact assessments (how much do I need to communicate this vs. what’s the outcome if this is an unwelcome or ill-received piece of communication?), can help us be more sensitive to the issues that underpin GDPR.

Ok, so what should I be doing about GDPR?

I realise there’s a lot to take in here; we’re not just talking about a shakeup in legislation, we’re facing the challenge of a fully-fledged cultural shift in the way we treat personal data.

A few things it is clear businesses need to be doing:

  1. Delivering GDPR training as part of a standard induction plan
  2. Delivering GDPR training to all existing staff with immediate effect
  3. Ensuring all data gathering activities and customer touch points are adequately documented
  4. Making sure everyone across the business understands: what personal data is, what they can do with it, and how to recognise and report a data breach
  5. Taking reasonable steps to consider ‘privacy by design’ (can you make your opt-in processes more transparent? Do you need to make policies more readily available to users? What about the architecture of your CRM and automated comms?)

In many ways, much of what was presented today seems less revolutionary than blindingly obvious – we’re being asked to question our relationship with our databases; we’re being asked not to be hoarders. Why do we get so attached to the droves of potentially irrelevant customer data we hold?

The obligation to deliver relevant, timely, useful comms should be inherent to crafting a sustainable, positive user experience for marketers and businesses alike – not something we do because the threat of fines and sanctions forces our hand. If we want to remain engaged, we need to make sure we’re giving the best UX and customer experiences possible; that’s not something revolutionary, that’s common sense.

For more information on the GDPR Conference Europe: Roadmap for Marketers, visit their site here. And don't forget, you can always follow our conference and event coverage live on Twitter @unicorntraining.