The implementation of GDPR in 2018 has wide-ranging implications for the marketing industry and how it manages data across all their different channels, writes Ger Hayden.
The dust has settled on the initial coverage surrounding the General Data Protection Regulation (GDPR), which comes into effect on May 25th 2018. Its foundations are built from the core rules introduced as part of the current Data Protection Directive, with increased guidelines around the collection and processing of personal data.
There’s no doubt that as digital grows and intertwines itself into other channels, with EPOS, customers service and channel touch point data, data is coming to marketers at a pace that’s often hard to control.
Let’s not underestimate the importance of this change – organisations within the 28 member states are liable of fines of up to €10 million, or 2% of annual turnover if found in breach of any of the regulations.
In short, there are increased obligations for companies retaining data, and added restrictions on how it can be shared, creating stronger rights for European citizens. The regulation was created to unify the data held by companies on European citizens, also allowing for non-EU companies to comply under one set of rules.
Data, or how it’s used in its majority in the media industry, is used on an opt-out basis. Under the new regulations, marketers must look at an “explicit” opt-in status.
Opt-in data must not be collected sneakily, having it in on page 52 of your t&c’s is no longer good enough. The regulation states the opt-in process must be by “a statement or a clear affirmative action”. “Silence, pre-ticked boxes, or inactivity” are no longer acceptable ways to collect data.
Other than the tactical implications and their effect on the regulation, the way we process, collect and maintain data is set to change. The industry and level of data continues to grow massively in the last few years, and the level of expertise in the movement of data hasn’t.
Data Processing Implications
Chapter 2, Article 5 of the regulation outlines the 6 principles of data processing of personal data. On the whole, there’s nothing ground breaking here over the Data Protection Directive, but one change is accountably, the data controller must be able to prove they comply.
- Lawfulness, Fairness and Transparency: Data must be processed lawfully, fairly and in a transparent manner in relation to the subject.
- Purpose Limitation: The reason for collection must be “specified”, “explicit” and have a “legitimate” purpose
- Data Minimisation: The data must to “relevant” to the “legitimate” purpose – it’s too be kept “adequate” and at a need to have basis.
- Accuracy: Inaccuracies in the data are to be kept up to date, and rectified when spotted.
- Storage Limitation: Old data need not be stored for longer than needed.
- Integrity and Confidentially: Data must be stored securely.
From an advertiser perspective, one big change is the fact that cookie information is now considered personally identifiable information (PII). That means that without “explicit” consent, advertisers can’t re-target users who have haven’t explicitly opted in. It’s sure to negatively impact the volume of “cookied” users, and we know lack of volume hinders performance in most cases.
Prospecting activities like audience profiling and third party audience segments are set to become a whole lot more complicated. Suppliers of third party data must forge direct relationships with users, who otherwise may not have known their data was being used by third parties. Documentation of explicit opt-in may be required by brands and agencies.
The regulation is going to clean the sometimes inadequate and often lazy way brands communicate with their users. It specifically outlined that the subject of the data can opt-out at any time, “it shall be as easy to withdraw consent as it is to give it”.
It’ll force transparency to the market, which can’t be a bad thing.
But, if you have any plans to collect, store, or re-use data in 2017, it would be beneficial to update all cookie and privacy policies to GDPR standard to ensure a smooth transition in 2018.
First Party Data collection should be the key priority this year based on the 6 principles in the article. We are going to have to lean on using clean, transparent data to drive marketing performance. The collection of relevant numerical and categorical data to really understand who are customers are, and provide them with relevant messaging, can’t be done overnight.
Ger Hayden is performance manager with Vizeum.
First published in Irish Marketing Journal (IMJ May 2017)© to order back issues please call 016611660