GDPR: An opportunity to get fit, not fined

The General Data Protection Regulation (GDPR) is more than a compliance challenge; it’s a rare opportunity to build customer relationships around trust and clarity – a once-in-a-generation change in how businesses and their partners handle consumer data, argues Doug McPherson of OpenX.

With such a gift-wrapped opportunity for businesses to show consumers they care about their data and want to move forward with deeper commitment to openness, it can seem surprising that more companies have not already seized the initiative. But government statistics reveal less than half of British businesses and charities have heard of GDPR and the Federation for Small Business has just announced it believes up to nine in ten SMEs are not ready.

Even among marketers there appears to be a near even split between those who see GDPR as a compliance challenge and those who welcome the move, according to this year’s Email Tracker study from the DMA.

Restoring trust

Consumers are dissatisfied with the control they currently have over their personal data. Figures from the ICO’s Annual Track show just 16% of the public believe companies are transparent in how they use customer data, and only 14% feel they are in control of their data, while one in five feel assured it is stored securely.

The CMO Council recently revealed that data transparency was among the reasons why a third of CMOs are not yet ready to use programmatic digital advertising platforms. Given this level of suspicion, GDPR presents a unique opportunity to encourage more confidence in the latest advertising technology, and reassure customers their new data protection rights are being embraced by organisations committed to forging a more trusting relationship.

Bringing increased clarity to user data

The legislative thrust behind GDPR is informed consent, meaning it will be an end to some poor digital marketing habits, such as consent being hidden away in terms and conditions or assumed through a pre-ticked box. It simply requires companies collecting data to be specific about their data practices, including among other things the purposes for which data is processed, what data is processed, other partners that will have access (unless the user declines), and for how long the data will be kept. This consent needs to be specific for each use, and needs to be freely given and affirmed by an unambiguous sign of consent, such as ticking a box.

Organisations need to provide a mechanism for this consent to be withdrawn at any time. They must also have the capability to answer consumers enquiring what information is held on them and be ready to delete or correct it, if required.

Setting out a more trusting relationship can be communicated through a new Privacy Notice, which every organisation is likely going to have to update to become GDPR compliant. It means a minimum amount of personal data is collected and the purposes for data collection are clearly disclosed to users, and documented internally.

GDPR is organisation-wide

To prepare for GDPR, brands have to understand that it involves the entire organisation, not just the IT team, marketing division or legal.

The ICO in its 12 Steps To Take Now guidance advises that a ‘data map’, which requires companies to create a record of processing activities, should be the starting point, so a Data Protection Officer can ensure all data is GDPR compliant.

If a business does not already have a Data Protection Officer, and they process a considerable amount of personal information, they will need to have one in place by the time GDPR comes into force – May 25^th. This executive is not only the conductor orchestrating compliance internally, they are usually the contact a member of the public can exercise their data deletion and correction rights through. They are also the official conduit between a company and the ICO.

It is obviously essential for organisations to seek legal advice. In fact, as part of our own preparations we relied heavily on outside legal counsel in the EU and U.S. to ensure we had every angle covered. It is also helpful to connect with your outside trade and industry groups which can provide guidance.

Security is central to GDPR compliance

New responsibilities do not stop with processing data compliantly. All organisations need to realise that the GDPR is about protecting data as well as setting out new consumer data rights. As such, it places far more emphasis than previous laws on keeping customer data safe from accidental loss and cyber-attack. The law is not too prescriptive on how this is done; each company must evaluate what security measures are appropriate given the types of data they process. The ICO provides some guidance on the value of encryption for data protection.

The GDPR requires any serious data breach affecting personal information to be brought to the attention of the ICO within 72 hours of detection. The data watchdog then has the right to force an organisation to warn its customers their personal information has been breached.

A serious failure in compliance can result in a massive fine of up to €20m or 4% of global annual revenue.

Get fit, not fined

Despite these potential penalties, the ICO has been at great pains to point out it really does not want GDPR to be seen as just about increasing its powers to fine. In a series of ‘myth-busting’ blogs it lays out how it does not want to fine organisations and has yet to use its existing powers to the full. Instead, it would far rather have companies see GDPR for what it is – an opportunity to be more transparent with customers over how their data is processed and to protect their privacy by storing it securely.