Privacy by default: GDPR will change the rules of marketing forever

13 Mar 2018

Target marketing is in the sights of the law. Image: Vintage Tone/Shutterstock

The biggest change that GDPR will bring will be in the balance of power between consumers and brands, writes John Kennedy.

For some of us, the General Data Protection Regulation (GDPR) that becomes law on 25 May this year is already a bit like the old Y2K scare, with every second press release or bit of marketing that comes from a doom merchant warning firms to get ready, or else.

Many are merely selling existing security services or rehashed CRM platforms. Ironically, the biggest threat to GDPR being taken seriously is, in fact, over-marketing by opportunists.

‘The elephant in the room is this: most advertising is crap. We all know this to be true. GDPR forces brands to get more creative in how they deliver brand experiences’

Cynicism aside, GDPR is happening and will be law on 25 May. The changes it will bring will be significant, and demands for compliance could be onerous on organisations.

The reality is that GDPR came into existence not only because of data breaches and the way firms manage personal data, but also because of bad or intrusive marketing and the implications of stewardship of vast tracts of personal data.

If you analyse many of the fines handed down by the Data Protection Commissioner (DPC) in Ireland, they have been due to intrusive marketing and poor data management.

But GDPR codifies the penalties in a pan-European manner, and some companies could be hit with fines of up to €20m or 4pc of global turnover, whichever is higher.

While some firms are goggle-eyed by the fines, what they fail to see is the reality that consumers themselves will have greater powers of litigation. So, expect to see a tsunami of court cases emerge when GDPR becomes law.

Power to the consumer

UK firm Crown Records Management predicts that 71pc of the UK public will ask for their personal data to be edited, creating a logistical nightmare for many businesses.

Yvonne Kiely, director and digital lead in advisory at EY. Image: EY

‘GDPR will change marketing fundamentally’

“GDPR is going to force marketers, and other parts of many businesses like sales and finance, to take far more accountability of how they handle customer interactions in the framework of European data protection laws,” said Aaron McKenna, managing director of the Digital Marketing Institute.

“To date, there have been pretty specific – if narrow – sanctions for activities such as sending unsolicited emails, but no explicit rules around what to do if there is, for example, a data breach. There have been lots of schools of thought about whether people should opt in or out of certain interactions or privacy settings. Now, the rule is explicit. It’s privacy by default.”

According to Alan Coleman, CEO of Wolfgang Digital, while GDPR will bring with it onerous demands in the management of users’ data, it might actually improve marketing.

Alan Coleman, CEO and co-founder, Wolfgang Digital. Image: Wolfgang Digital

“GDPR is great for marketing,” he said. “The elephant in the room is this: most advertising is crap. We all know this to be true. GDPR forces brands to get more creative in how they deliver brand experiences that have their audience requesting more. Greater rewards for great marketing.

“Another impact will be the increased focus on existing customers. Who’s more likely to give you permission to market to you, somebody who is unfamiliar with your brand or somebody who has already spent with your brand? With existing customers being the low-hanging fruit, I expect marketing activity to people post-purchase to expand. Right now, marketing budgets are over-indexing on advertising to the pre-purchase part of the funnel. GDPR will shift budgets down to the post-purchasers where loyalty and advocacy live.”

Yvonne Kiely, director and digital lead in advisory at EY, said the onset of GDPR will change everything that marketers had mostly taken for granted up until now.

“GDPR will change marketing fundamentally, I believe. The three tenets of right of access, right to be forgotten and right of portability specifically focus the data journey from acquisition to usage and storage to deletion, and the obligations of entities to be transparent with the customers about this journey.

“From a marketer’s perspective, the collection and usage of data helps inform a multitude, including segmentation, proposition design, channel dynamics and campaign management, to name a few.

“Now, under GDPR, marketers will have to plan, order and justify the data they want to collect, how they are going to ‘process’ or use it at the time of capture, and be sure they know where it sits in order to access it/delete it/share it when requested. For some marketers, this will be a fundamental shift in data ownership and consent, and will require a deep change in how we think about data as an asset of both the individual and the entity collecting it.”

Warning: Must require explicit consent

From left: Pat Moran, PwC Ireland cyber leader, with Grant Waterfall, PwC global cyber leader. Image: Maxwells

Pat Moran, cyber leader at PwC in Ireland, said: “The biggest change will require marketers to look for ‘explicit consent’ before they can use personal data to sell or promote their goods or services.

“The follow-on from this of course means if they do use data without consent, then they are likely to have to explain their actions to the DPC. Transparency is a key focus area for the DPC and we are likely to see significant fines arising as a result.”

Nicola Flannery, senior manager in risk advisory and data privacy services at Deloitte Ireland, explained that the onset of GDPR will require marketers to adjust the language and settings on their websites that require users to tick boxes to grant consent. No longer will marketers even be able to tick boxes on the user’s behalf.

Nicola Flannery, senior manager in risk advisory and data privacy services at Deloitte Ireland. Image: Deloitte

“The regulation is very clear on the lawful bases for processing personal data,” Flannery explained.

“Consent is one such lawful basis and it must be unambiguous and involve a clear, affirmative action. The affirmative action should be a positive action indicating in an obvious way that the individual consents to direct marketing.

“This does leave room for ‘implied consent’ in certain cases but the fact still remains that the organisation must have a clear and positive indication of this consent, and must be able to demonstrate this consent at any given time.

“Based on this, any kind of pre-ticked box, default setting or consent as a condition in order to receive the product or service would all be viewed as going against the affirmative, positive action required by the GDPR,” said Flannery.

John Boyle, director, business development and marketing, William Fry. Image: William Fry

John Boyle, director of business development and marketing at William Fry, elaborated: “GDPR requires that the consent given for marketing purposes be ‘freely given, specific, informed and unambiguous’.

“This means many brands will have to be more detailed in their explanations of what they plan to do with personal data, and that consent must be signalled by a clear, affirmative action. Ongoing marketing contact as usual will not be a realistic option unless this is adequately addressed. Many businesses are currently going through a refresh process to bring their customer data up to the right standard.”

GDPR will actually be an opportunity for most businesses to sharpen up their data management practices.

“Arguably, the challenges are less onerous for B2B than they are for B2C marketers, and many no doubt regard getting their house in order as a sizeable distraction from business as usual,” said Boyle.

“There isn’t really a credible excuse for being caught unawares, though, with the volumes of media coverage and industry briefings covering the topic in recent months. For most businesses, it’s an opportunity to improve governance and practices around data management while also helping to build greater transparency and trust with customers.”

Target marketing is in the sights of the law

The real turning point will be direct marketing and profiling activities, with greater powers for consumers to know what information an organisation has on them.

“GDPR calls out direct marketing, including profiling,” said Flannery. “Organisations that currently target individuals with direct marketing based on profiling analytics – which may consist of, amongst others, individual preferences or interests, behaviour, economic situation etc – need to double-check that this is carried out in a transparent manner, with adequate demonstrable consent.

“The right to object also extends to this type of targeted marketing, and organisations need to provide individuals with explicit and clear information about the right to object as well as provide easy and free-of-charge ways for individuals to assert their right.”

The size of an organisation and the resources it has available will play a part in how GDPR is embraced.

Moran said: “Most of the larger corporates will get this part of the equation right.

“We can already see this emerging from the number of consent notices that are appearing when we sign up for things on the internet.

“However, I do have concerns about the SME and start-up companies that do not have the resources or knowledge to address this regulation. This could have very damaging impacts on their reputation and, ultimately, their lifespan.”

Crucially, according to McKenna, GDPR will change how marketers value and protect the data they have on target consumers.

“If you look past the rules around data controllers and best practice for data security and get to the bottom line; if there is a data breach after GDPR, a company is obliged to disclose it.

“This will have an immediate reputation impact on a business, which will be followed by an investigation that could lead to some serious fines.

“All of a sudden, data protection has a built-in ROI case that it probably didn’t have previously. You wouldn’t leave a warehouse full of stock without fire and theft insurance, because the threat is real. Now, there’s a more tangible threat in the instance of data breaches.”

Updated, 3.21pm, 13 March 2018: This article was updated to amend incorrect figures in relation to the potential fines imposed by GDPR.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years