The debate around data has never been more important or more current, with multiple forces coalescing to make this so.
Firstly, the frequency at which organisations are experiencing data breaches is growing rapidly (81% of large organisations and 60% of SMEs now suffer data breaches each year).
Then there’s the steady rise in misuse of third-party data by businesses (fines by regulatory bodies for data-inherited nuisance calls increased three-fold in 2015, in the UK alone), which, combined with the regularity of data breaches, is leading to a decline in consumer trust (73% of consumers are wary of how their personal data is being used by brands).
The rate at which most organisational data is degrading also provides major cause for alarm. 85% of businesses are currently operating databases with between 10-40% bad records while email data is the quickest to decay, with an average of 75% of all subscribers to email lists deemed 'inactive'.
Years of regulatory confusion means businesses might have been excused for failing to address the processes by which they obtained and used their customer data in the past. In the EU, data regulations were last drafted in 1995 – prior to the proliferation of the internet. To compound this problem, in the UK, the ICO’s current literature outlining its definitions for data use is often considered complex and unwieldy.
Yet to try and combat the plethora of issues, a new set of regulations loom large on the horizon in Europe.
Content seriesView full content series
The General Data Protection Regulation (GDPR) is said to represent the “most significant change in data protection legislation seen in the past 20 years”. While the law has not formally been enacted, its adoption is considered pro forma among EU states (including the UK, regardless of an in or out vote in the upcoming EU referendum).
And far from being viewed as an overbearing, bureaucratic move, consumer opinion of the regulation changes is positive. A recent survey by the European Commission found that more than 90% of Europeans says they want the same data protection rights across the EU, including greater control of their data, access and management of their data, knowledge of when their data has been ‘hacked’, and even exercising the ‘right to be forgotten’.
Once adopted, GDPR will go into effect in spring of 2018, and according to Zach Thornton, external affairs executive at the Direct Marketing Association (DMA), will require a seismic shift in thinking for many businesses:
“The GDPR will fundamentally alter the way marketers work with data and so it makes sense to begin getting grips with the new regulatory environment. The fines for breaking the regulations are set to be eye-watering, at €20 million or 4% of global turnover, whichever is higher. The prospect of losing 4% of global revenue in enforcement action should focus minds.”
However, Thomas Husson, a principal analyst at Forrester Research, says this ‘focusing’ process will need to happen sooner than the rollout date of 2018, and businesses should take the regulations as an opportunity for a new, more innovative approach to using customer data, as soon as they can:
“But this is not just a regulation issue. The real issue is that consumer distrust will increase, damaging the brand value. Marketers need to work closely with legal and security teams in a cross-functional team to get ahead of regulatory enforcement. In terms of skillset, they should take a consumer hat and think of privacy in terms of context and value.
“At Forrester, we strongly believe the new privacy is all about context. We define contextual privacy as ‘a business practice in which the collection and use of personal data is consensual, within a mutually agreed upon context, for a mutually agreed-upon purpose’. It is really about creating a dialogue with consumers and being clear on the data you will use, not use and what for.”
And according to the current GDPR text, this dialogue is what most businesses are currently lacking. At present the Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) outlines the following requirements from GDPR, all relating to better communication between brand and consumer, and for greater transparency in data use:
- Notice – those whose personal data is being collected should receive notice.
- Purpose – the collected data should be used only for the purpose(s) provided.
- Consent – disclosure or sharing of personal data with third parties may only be permitted if data subject consents.
- Security – personal data that’s collected should be kept secure from potential abuses.
- Disclosure – those whose personal data is collected should be notified as to who is receiving it.
- Access – data subjects may access their data and correct any inaccuracies.
- Accountability – data subjects will be able to hold data collectors accountable for abiding by these seven principles.
For marketers, this means burying heads in sand is not an option. Many may argue that the use of customer data is a wider business discussion, and in some respects, they are right. But as Thornton adds, given the increased reliance on communication, a marketer’s skillset is likely to be in high demand:
“While it is not only an issue for marketers that doesn’t mean they shouldn’t take responsibility. It is in their business interests to do so as those organisations that tell the good stories, are transparent with data and honest with their customers are the ones that are set to thrive (under GDPR).
“This goes deeper than mere compliance. How marketers use consumer data is increasingly becoming a brand differentiator. Brands that are trusted to behave ethically with their customers’ personal data are those that forge long-term and profitable relationships.”
The importance of this last point cannot be understated. A global study of consumers reveals almost half (48%) are now suspicious about how companies use their data, and counter-movements such as Personal Information Management Systems (PIMS) are creating whole new industries around consumers taking control of how brands use their data.
Ctrl-Shift forecasts that the market for PIMS, which incorporates data and life management, could be worth up to £16.5 billion in the UK alone, accounting for 1.2% of the overall economy, larger than either the pharmaceutical sector at 0.97% or the automotive industry at 0.7%.
Conversely, brands that underestimate how much this means to consumers are already experiencing the backlash when value propositions related to data don’t add up. India’s recent rejection of Facebook’s ‘Free Basics’ internet project is just one example, and shows that a line will be drawn.
“Consumers are more aware than ever before of how their personal data is used by marketers,” says Thornton. “However, while people are more aware they don’t necessarily understand data-driven marketing business models. Business have been slow to show their customers how they use personal data and why. This is unfortunate as businesses have not been transparent and therefore customers do not inherently see the benefit.”
Thomas Husson advices that the first steps for marketers looking to approach their use of consumer data should be to contribute to a cross-functional privacy task force with enforcement powers, to establish an internal data privacy standard, to audit data practices, partners, and processes and to simplify their external-facing privacy policies. And this should involve giving customers control of their data via advanced privacy settings - for example via mobile app settings.
“For marketers, the opportunity is to differentiate their brand. It is not just about being more transparent but about trusting your customers so that they can trust you.”
Marketers are wise to approach a number of aspects in the consumer data conundrum head-on:
- What regulation actually applies to their consumer data and what processes are in place to comply to impending regulation?
- Who should oversee a data project and whether a data officer is required to ensure a smoother transition through compliance of new regulation?
- What counts as data ‘transparency’ and how to use data ethically, regardless of regulation?
- What processes are in place to maintain data quality?
- What the current process is for receiving consent for data use?
With so much to cover, each of these areas will be explored further in coming articles on MyCustomer.com. However, for many, the last point is most pertinent as a starting point for approaching the subject, and perhaps the most critical.
“What lies at the heart of the General Data Protection Regulation (GDPR) is that the current level of consumer opt-in consent used in nearly all consumer contact databases will not be sufficient under the new law,” says Jeremy Whitaker, an advisor at Verso Group. “It will render data unusable.”
About Chris Ward
Chris is Editor of MyCustomer. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News. He joined MyCustomer in 2014.