We wanted to put together a guide for everyone’s favourite piece of EU legislation - what it means, what it changes, and what you need to do about it.
Before we start, I’d like you to cast your mind back to 1998. A time when there was no Google (which was founded in September that year), no Facebook and no MySpace. We were in the very early days of websites and email but mostly computers were something you used at work. A time where if you hailed a taxi in the street, the only detail the driver knew was where to drop you off. The idea that a taxi company would be able to look at a digital map of all their cars in real time, and track where you are even after you’ve finished your journey as Uber can today, was pure science fiction.
1998 was when the data protection legislation we currently operate under - The UK Data Protection Act was created. The world has clearly changed at an astonishing rate since then, and 90% of the data in the world today, has been created in the last two years alone. That trend is only going to continue in the coming years, as we can look forward to things like internet connected cars, buildings, fridges, RFID tags and Smart Dust becoming commonplace - and most importantly, being able to track all of us all the time. Estimates show that in 2015 there were around 5 billion connected things in the world, and that by 2020 that number will be closer to 50 billion.
So although the marketing industry (well all industries) is worried about GDPR and what it means for them, I think we can all agree that a change is long overdue.
So what is it?
As I’m sure you are all aware, GDPR is the European Union General Data Protection Regulation. It comes into force in the UK from 25 May next year (and across the EU around the same time). The government has confirmed that the UK’s decision to leave the EU won’t change that. In fact, they have gone further and plan to introduce a new data protection bill in 2018 that is actually wider reaching than the European Legislation.
As for what it means in practical terms and what we all need to do. Everyone in the industry is very much dependent on guidance from the ICO (the Information Commissioner’s Office) who are gradually releasing information as the legal situation becomes clear - and their website is a good starting point for getting into the details. Or of course you can read the legislation itself online on the EU’s own website - Europa.
What does it change?
Broadly speaking, there are five areas that the legislation changes:
Firstly, it expands the scope of EU data protection law well beyond the borders of just the EU. So companies in other countries will have to adhere to it if they are dealing with european citizens. This could have a major impact on the US in particular - if you’re worried that it might affect your business model, then think how Google and Facebook must feel.
It also expands the definitions of personal and sensitive data. Like the DPA, the GDPR only applies to ‘personal data’ and although it’s still somewhat up for debate, the current thinking is that this means consumer data. Marketing to people in a business capacity - where you’re talking to them as part of their job - isn’t directly affected.
However, the GDPR’s definition of personal data is far more detailed and makes it clear that anything that can identify you online (such as an IP address) can be classed as personal data, as can behavioural data, location data, biometric data, financial information, and so on.
The legislation also introduces stricter rules around consent requirements, so you can no longer assume that it’s OK to use people’s details you’ve captured for other purposes. You have to explicitly request consent to do that - again, think of Google and Facebook. Things like pre-checked boxes and convoluted small print messages will be frowned upon, as the goal is to allow users to understand and give consent consciously. You are also advised to keep a record of this consent in case it is questioned in the future.
There are also stricter processing requirements. Data has to be collected for a specific purpose - not just because it might be useful to you. It has to only be processed for that purpose.
There’s also a new accountability principle that requires you to demonstrate that you comply with these requirements and state explicitly that this is your responsibility. This is where we get into discussions around data processors and controllers (the data controller sets the purpose of what data is to be collected and what needs to be done to it, so they are accountable; the processor carries out the processing that the controller has asked them to do).
Finally, it expands individuals’ rights and introduces the following:
- The right to be forgotten: an individual may request that an organisation delete all data about them.
- The right to object: an individual may prohibit certain data uses.
- The right to rectification: individuals may request that incomplete data be completed or that incorrect data be corrected.
- The right of access: individuals have the right to know what data about them is being processed and how.
- The right of portability: individuals may request that personal data held by one organisation be transferred to another.
A lot of this is reinforcing what’s already in existing legislation (in the UK at least) but there are some fairly shocking statistics from a Chartered Institute of Marketing report published in 2016, underlining why the new legislation is needed. That said:
41% of marketers do not fully understand the current laws and best practice.
Only 36% say their organisation is transparent about how it collects data - meaning that 64% don’t think their company is transparent at the moment.
Only 30% of marketers said they would put the trust of the customer above overstepping the mark with data.
And 81% of marketers said that their company shares data across departments without express permission from customers. This may well be illegal now, and it certainly will be next year.
The flip side is that the last ICO survey found that, 75% of adults in the UK don’t trust businesses with their personal data. That’s possibly unsurprising given the previous statistics, but it’s pretty shocking. Three quarters of us don’t trust businesses to do the right thing with our emails, phone numbers, preferences and bank details. Can you imagine if 75% of us didn’t trust businesses to be honest about pricing, or to keep to their own service agreements. We’d say something was fundamentally wrong.
And just one more even scarier number. These new laws certainly have teeth. Companies can be fined up to 4% of your global turnover for failing to comply with them.
So how do you comply?
According to the ICO you must:
- Implement appropriate technical and organisational measures that demonstrate you comply. So, internal data protection policies, staff training, internal audits of processing activities and so on.
- Maintain relevant documentation on processing activities.
- Appoint a data protection officer if appropriate.
- Implement measures that meet the principles of data protection by design, and data protection by default. So things like:
- Data minimisation;
- Allowing individuals to monitor processing; and
- Creating and improving security features on an ongoing basis.
What does that mean in practice?
We’re going through this journey at the moment to review our own processes and are working with some of our clients on what they need to do and the changes that need to be made. So here are some practical examples of things that organisations need to do in some of the areas where things are getting stricter. I’m sure most of you are doing something similar at the moment.
The DMA guidance (Direct Marketing Association) recommends your first step should be a data audit to look at:
- What data you hold - does it include personal data? And why do you hold it?
- How and where the data is stored - this can mean going back through your archives, checking what legacy applications you might still have in place and getting rid of anything you no longer need and making sure what’s left is up to date.
- How you achieve consent when you collect personal data? You need to check privacy policies, cookie policies, terms and conditions on websites, marketing emails and anywhere else you are capturing or using personal data. Again, this is something we’re doing at the moment. We’re reviewing all our clients’ websites - and our own - and will be making recommendations on where they need to be more specific about how personal data will be captured and used.
- What do you do with the data? This is the data minimisation we mentioned. We’ve been doing some fairly forensic process reviews of the way we work with clients and third parties (their other suppliers and our suppliers) and we are making sure that data is only processed for the specific purpose that consent has been given for. What you can’t do in the new world is correct data, add or delete records and make copies of it just because it’s easy or because that is the way you’ve always done things.
- That feeds into Accountability. Under the new rules, we all have to be absolutely clear about who owns and controls this personal data - so who the data controller is and who the processor is. And making sure all parties understand their responsibilities. In most cases, we’d expect agencies to be acting as the data processor as they are being instructed by their clients (the data controllers) on what data to capture and how to process it.
Now these are all good, positive and customer focused things to be doing, we’re gaining a better understanding of our clients and improving our processes as we go. So it’s not all doom and gloom.
In fact, there’s a really positive recent blog post from the IDM (the Institute of Direct and Digital Marketing) which describes GDPR as an “incredibly empowering thing…. that’s all about being up front about why you need to collect data from people, being clear about how you'll use it, and then only using it for those purposes. It's about being reasonable, only collecting information you need and for as long as you need it. It's about holding data securely and making sure it's kept safe. It's about empowering people and telling them about their rights when it comes to having control over their data. Most importantly, it's also about writing down what you're doing and why you’re doing it. Putting yourselves in the shoes of your customers, your supporters or your members for a moment.”
I think it’s hard to argue with any of that. So in summary, what we all need to do is:
- Know where your data is (and if it’s in 'the cloud' then know where that cloud is).
- Don’t hold any data you don’t have to.
- Don’t do any data processing you don’t have to.
- Don’t assume consent.
- Know your responsibilities.
And remember that despite all those depressing statistics I mentioned earlier, the same CIM report says that 67% of consumers would be happy to provide companies with more data, if they understood the value they will get from sharing it, and if they trusted you to use it securely and respectfully.
We've put together a one page guide for you to download. Please do get in touch if you want to discuss any of this with us.