On 25 May, when the General Data Protection Regulation (GDPR) comes into effect, an estimated 75% of all UK marketing data could be rendered obsolete.
The study by W8 data found that this is due in the main to lack of compliance with GDPR’s more stringent consent requirements, among other things.
Linked to this are the ways websites ask for permission to use data and embed cookies. A survey of 100 UK marketers, conducted by Sapio Research and commissioned by Ensighten, found that, at the end of 2017, only 28% of those surveyed were confident their websites would be GDPR compliant in time.
But even more worrying is the confusion over responsibility. Nearly half (46%) believed that their companies wouldn't be held responsible for data collection across their digital properties. Furthermore, 25% of marketers didn't believe they were responsible for channels managed by marketing suppliers.
The truth? After GDPR, marketers will be held accountable for all digital channels – regardless of who runs them (see the section on responsibility below).
This guide aims to give you a quick overview of the main topics you need to know about plus some action points you can immediately set in motion to save your marketing data, post-GDPR.
Responsibility: Who pays the fines?
Little has spurred senior marketers' interest in good data protection more than the GDPR’s eye-watering fines, which can be up to 4% of global annual turnover. Combine this with GDPR’s concept of "joint liability" – meaning one can be liable regardless of where in the chain a breach occurs – and the issue of vendor management very quickly becomes a key element in a marketer’s GDPR "compliance journey".
The GDPR talks about "data controllers" and "data processors" to distinguish between the different roles organisations play in handling personal data. A data controller makes decisions about processing activities, either alone or jointly with another controller, such as what personal data to collect for a marketing campaign and what audiences to target. Data processors, on the other hand, are contracted by the controller for the purposes of carrying out the processing.
Primary responsibility for compliance lies with controllers. That said, in contrast to today’s data protection law, the GDPR extends statutory obligations to data processors, too. It is, therefore, important for companies to clarify their roles.
In practice, advertisers will naturally adopt the role of a controller in almost all circumstances. For vendor partners, this will heavily depend on the role they’re asked to play with respect to collecting and using personal data. The reality is that even during the process of a brand campaign, these roles can change.
Regardless of this challenge, liability to compensate an individual in full in the event of a fine falls on all controllers and processors involved in the processing, unless any one party can prove that they are not responsible for the damage in any way.
Yves Schwarzbart is head of policy and regulatory affairs for IAB UK
The IAB recommends marketers take the following steps:
- Although it was drafted for the current rules, consult the ICO’s guidance on controllers and processors to assess your role
- Review your contracts with vendors with Articles 26, 28 & 82 of the GDPR in mind
- Consult the ICO’s draft guidance on contracts and liabilities between controllers and processors during that process
- Keep an eye out for more guidance from the IAB on the issue of controllers and processors – expected in the coming weeks
- For situations where consent is required, familiarise yourself with the IAB’s open transparency & consent framework, which is currently in development. More information is available at www.advertisingconsent.eu
Consent: Why your existing marketing data could be useless
Consent is just one of the two legal grounds likely to be used for marketing activities, alongside the equally valid Legitimate Interests, which is still all too often overlooked. In fact, it’s hard to discuss one without the other.
Compared with the existing Data Protection Act, the GDPR has significantly strengthened the standard of consent. For consent to be valid, the individual must have taken a positive action to agree to specific and detailed information that was clearly presented to them at the time.
This may mean marketers will find that using consent as a legal basis is not appropriate, instead opting to use Legitimate Interests, as the legal basis for their marketing activity. This is a risk-based approach, in which the marketer must balance their interests against the risks to privacy for the individual.
Clear and positive
Under the new rules, Consent must include actively consenting to statements, whether in writing, orally or electronically. You must also use Consent if you plan to contact potential customers with whom you have had no prior interaction. Examples of this positive action are ticking a box when visiting a website or choosing technical settings for cookies on your internet browser.
Under the GDPR, consent cannot rely on silence, pre-ticked boxes or inactivity on the part of the consumer. By making a positive action, a consumer should be in no doubt as to whether or not they will be receiving marketing from your organisation, what sort of marketing and by what channel. Being clear and transparent is key.
Guiding light of transparency
Many commentators have suggested that Consent is the only legal ground that a marketer should rely on. Some organisations have opted for Consent as their preferred legal option due to its objective nature, but Legitimate Interests is an equally valid ground for marketing activity and provides marketers with more flexibility to connect with customers.
It’s also important to reiterate that the legislation says there is no hierarchy and all legal grounds are equal. This means that the decision to select Consent or Legitimate Interests for marketing activity should be made on what is best for your customers and your business, so long as your intentions remain transparent.
You might choose Consent for some activities and Legitimate Interests for others. This might even happen within the same transaction. A company might decide that Consent is appropriate for email marketing, for example, but that profiling should be carried out using Legitimate Interest. However, transparency should be your guiding light throughout.
John Mitchison is director of compliance and legal at the DMA
Here’s a quick and basic consent checklist based on a more comprehensive one from the DMA:
Have we asked for consent:
- Prominently and separate from our usual terms and conditions?
- In clear, plain and easy to understand language?
- With an explanation as to why we want their data and all the ways we plan to use it?
- For ourselves and for all the third parties the data may be shared with by name?
Personal information: It now includes data that was once considered anonymous. Yes. Really.
In updating the current, outdated legislation, the European Union has set out to give greater protection and more rights to individuals regarding their data. It has deliberately broadened the scope in order to reflect modern lifestyles, changes in technology and the way in which organisations and businesses collect and store information. And it wanted the GDPR to encompass digital forms of data so as to address the "widespread public perception that there are significant risks […] with regard to online activity".
Therefore, the new, expanded definition of personal data in the GDPR includes specific reference to identification numbers and online identifiers. So, on top of data we already understand to be personal, this means that cookies, device IDs and IP addresses are, in most circumstances, soon to be considered personal data, even when not attached to a name or address of any kind.
Anonymised and pseudonymised data
To help marketers who may be caught out by these new definitions, the GDPR introduces and encourages the concept of pseudonymisation. This is officially defined as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person".
An example of pseudonymised data is data that has been hashed or encrypted in a secure manner and where it can be decrypted only by a very restricted set of people or circumstances. Frequent references are made to pseudonymisation throughout the text of the GDPR, including descriptions of it as a safeguarding tool. This makes sense when you consider that any leaks or breaches involving data of this type should theoretically cause no harm, and the data would remain protected. However, pseudonymised data is still classified as personal data under the GDPR because of the remaining (small) possibility of decryption and therefore only a few of its provisions are relaxed.
Lastly, anonymous or anonymised data is not considered personal and therefore does not fall under the scope of the GDPR. Anonymisation is actively encouraged when processing data for purposes where deletion or minimisation are deemed too restrictive, such as analysis, benchmarking or historical reference. However, to be truly anonymous, it must essentially be impossible for any encryption to be reversed or any identifying information to be matched back onto the data at a later point. This is why true anonymisation is very difficult to achieve and scrutiny may still fall on data you believe to be anonymised.
Anna Foster is chief data and customer officer at The & Partnership
Data Handling: Are you treating your data right?
To understand how data maintenance and processing will change under GDPR, advertisers need to consider these six questions.
1. Is my data coming from Europe?
With GDPR, it doesn't matter if you have a business in Europe. GDPR applies to any entity that collects or uses data from the EU – even if the company itself does not have a European presence. It doesn't matter whether the consumer is an EU citizen or resident. The only thing that matters is if the data is coming from an EU location. If so, GDPR applies. As a result, advertisers need to evaluate how much data is being received and how critical this data is to their business to determine how much to invest in GDPR preparedness.
2. Is my data personal?
Under GDPR, personal data includes cookies, device IDs, IP addresses and other online identifiers. "Personal data" is more broadly defined, treating what has traditionally been considered as anonymous data and personally identifiable information (PII) – such as names and email addresses – similarly. Companies that collect, use or control this data fall under GDPR’s purview, even if they do not process information that has traditionally been considered PII.
3. Is my data lawfully obtained?
One of the hidden benefits of GDPR is that it will deliver higher-quality, more authentic data from the EU, and about EU consumers. This is because GDPR (and its partner legislation, e-Privacy) implement a higher threshold for processing data, which may warrant opt-in and consent. At the very least, it will require an affirmative action before cookies are set. For brands, consumers that have opted into data collection are likely to be more engaged, qualified and supportive of interest-based advertising.
4. Is my data lawfully processed?
Beyond collection, advertisers need to identify a lawful means for processing any personal data. Consumers must be told what advertisers intend to do with their data once collected, whether it be for analytics, matching with third-party data, direct marketing, or otherwise. Also, for processing data that is especially sensitive – think health data – advertisers will probably need to secure opt-in consent.
5. Is my data secure?
Under GDPR, the processing of personal data requires that certain security requirements be satisfied. Advertisers should work with vendors and third-party processors to ensure that their data is secure. They must also implement appropriate internal technical and organisational measures "to ensure a level of security appropriate to the risk". This may – depending on the type of personal data stored and the purposes for which it is processed – mean encryption, regular security testing, additional breach and vulnerability protocols, and more.
6. Is my data expungeable?
Advertisers must have a process in place for deleting consumer data upon request. This "right to be forgotten" means that companies must, upon request, delete all personal data associated with an individual. Depending on the type of data collected, it is important to work with internal technology teams to ensure that information requests can be processed efficiently, and with external vendors to ensure that they are prepared to address these requests should they arise.
Tiffany Morris is general counsel and vice-president of global privacy, at data management company, Lotame
Penalties: How bad it gets and how to avoid the worst
GDPR won't just see an escalation in sanctions for breaching data protection regulation; it is a revolution in the way that personal data is treated and how transgressions are dealt with. With fines at unprecedented levels, falling foul of the regulations will result in fallout that some organisations may find devastating. Add reputational damage and the possibility of individual or class actions, and the scale of the changes and potential for dramatic penalties make the post-May 2018 landscape look bleak for those who breach.
The recent allegation of Uber's concealed hack provides a stark example. Albeit an extreme case, had this occurred just six months later, under GDPR (assuming the regulator found Uber in breach) it would have had to pay a fine of 4% of global annual turnover, or €20m, whichever was higher. The reality could have been a fine in the tens of millions. Seen in the context of the current maximum under the Data Protection Act of £500,000, this isn't just a different ballpark, it's a whole new game.
In 2016 the ICO hit Flybe with a £70,000 fine, Honda Motor Europe with a £13,000 fine, and Morrisons with a £10,000 fine, for email campaigns sent to "unsubscribed" customers. In the case of Morrisons, it was a customer complaint to the ICO that unveiled the breach. In the run-up to May, consumer awareness of this issue will continue to grow, as will the punishments levied after the deadline.
While the 4% or €20m figure will be the maximum fine for the most serious breaches, there are other sanctions that could prove costly – not only to the bottom line, but, importantly, to reputation. Even the lowest-tier actions, such as warnings or reprimands could have a severe impact on a brand's reputation. Come May, all eyes will be on the regulator giving teeth to the new regulation, looking to act on organisations that have ignored the warnings. For brands that rely on customer-first values of trust and transparency, even a warning or reprimand could open them up to damaging accusations of lack of professionalism and cause a lack of trust in the entity’s ability to behave responsibly.
Let's not forget those who will seek to profit from the new Regulation. Hot on the heels of banks mis-selling Payment Protection Insurance (PPI), GDPR is likely to attract organisations seeking to target consumers in relation to data-based compensation claims.
Some are of the view that claims for the misuse of personal data will exceed the £30bn compensation bill that PPI has generated. Consumers will be "sold" promises of big payouts and, if the evidence supports their claims, they will get them.
Dean Armstrong QC is a specialist in cyberlaw at Setfords Solicitors