In 1995, the European Union launched a landmark set of data privacy and security rules – the Data Protection Directive (DPD). The sweeping regulations not only limited the amount of data that could be collected but also required businesses to follow best practices such as obtaining consumer opt-in and erasing personal data on request.
But of course a lot has changed in the subsequent 20 years, and to respond to the new business and IT landscape the EU has been busy finalising a new set of rules to replace the DPD – the General Data Protection Regulation (GDPR). Finalised last December, the GDPR will come into effect in 2018, and such is its significance that some are already calling it a “milestone of the digital age”.
Graham Temple, chairman of The Institute of Promotional Marketing (IPM), explains why it has been necessary to implement a new set of data regulations.
“[Data] has become the foundation of a number of marketing activities from measurement and targeting, through to CRM and the ongoing maintenance of brand relationships with their audiences. The insight fuels sales and success, and yet over the past few years, attitudes to consumer data use have been shifting – most notably in light of recent hacks of customer information and the well-publicised recent cases of charity donor details being shared among third parties,” he explains. “From a largely behind-the-scenes role, consumer data has stepped into the spotlight, and it is now a key factor when it comes to understanding how to keep customers happy.
“Last December, the prevailing ‘data dynamics’ shifted from a regulatory perspective. The EU Commission and Parliament agreed a GDPR text that will become critical in shaping any marketing communications that utilise consumer data across Europe. This means that the creative industries will have to look closely at this legislation and understand how it will not only impact their business, but perhaps more importantly, how it will also impact brands’ abilities to share customers’ data with their agencies and suppliers.”
With the final draft agreed, and any lingering ambiguities resolved, we are now able to summarise what the GDPR contains, and highlight what its implications will be for businesses and agencies.
Data protection officer
Under the GDPR agreed text, businesses that employ over 250 people will have to appoint a data protection officer (DPO) to ensure the business remains ethical and compliant. It is the DPO’s responsibility to advise on and monitor GDPR compliance, and to represent the company in its dealings with the supervisory authority (the national data protection authority, or DPA).
But Andy Green, technical specialist at Varonis, also notes that even those with under 250 staff could be required to appoint a DPO. “If the core activities of your company involve ‘systematic monitoring of data subjects on a larger scale’, or large-scale processing of ‘special categories’ of data - racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation - then you’re required to have a DPO,” he notes.
Temple adds: “Smaller organisations will have to appoint a DPO if the business’ core activities include data processing - which is a definition potentially applying to any company which uses a person’s details for marketing purposes, whether to inform the creation and content behind campaigns, or to actively communicate with people.”
For further detail, examine the fine print in Article 35 of the GDPR. Note that the article numbers cited throughout this piece follow the draft text; they were renumbered in the final published Regulation, where the DPO provisions sit in Article 37, so check the current text before quoting an article number in a policy or contract.
Consent
The GDPR homes in on a key area regarded as too ambiguous under existing EU data law, namely what qualifies as valid ‘consent’ for obtaining customer data.
The regulation has been drafted with the following recommendations for obtaining consent:
- Consent requirements will be more precise, with current practices such as silence, pre-ticked boxes or inactivity no longer constituting ‘valid consent’.
- Consent to the processing of personal information must be informed, freely given and specific, and must be expressed either as a statement or as a clear affirmative action by the data subject.
- Data controllers must provide accurate and full information on all relevant issues such as the nature of the data to be processed, the purpose of the processing, the identity of the controller, and the identity of any other recipients of the data.
- Consent has to be specific to the processing operations in question; the controller cannot request open-ended or blanket consent to cover future processing.
As Gabe Maldoff from the International Association of Privacy Professionals (IAPP) points out, the EU text does come with a potential caveat, stating that consent could be “inferred from an action or inaction in circumstances where the action or inaction clearly signified consent”. This may yet leave open the possibility of “opt-out” with some data, and many businesses would argue that they already have a tight grip on their opt-out process when it comes to their own customer data use.
Temple adds: “The GDPR means that consent for use of consumer data must be a ‘freely given, specific and informed indication’ of the data subject’s wishes. The right to be forgotten, first introduced a couple of years ago, has been strengthened and now, under the agreed text, an individual’s information should be deleted at their request, which will have wide-ranging implications for the many agencies and partners typically employed by brands to communicate with their customers. This enhanced opt-out hands people tremendous power to simply stop any further targeted brand communications. One only needs to look at the complicated web of data suppliers, information gatherers, and insight analysers often employed by brands to see how complex this situation is.
“Practically, this means that any business looking to promote a product and service will need to ensure communication mechanics only ask for information that is necessary and relevant. Collecting a phone number, email address and residential address could be deemed excessive. Further information requests – such as age, income or lifestyle factors - could easily be considered too intrusive.”
Data breach notification
Article 31 of the GDPR tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) of becoming aware of it, where the breach is likely to result in a risk to the individuals concerned. Breaches that fall below that threshold still have to be documented internally, so the company needs a record of every incident, not just the ones it reports.
Green adds: “According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data - the EU’s term for PII - is considered a breach. Note my emphasis on unauthorised.
“Based on my understanding of the GDPR, this means that if an employee sees data that’s not part of their job description, it could be considered a breach. Of course, this is not a problem for your company, because your IT department has done a thorough job reviewing file access lists and has implemented role-based access controls.”
Green continues: “The bottom line is that the GDPR notification is more than just saying you have had an incident. You’ll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insider were doing.
“Data processors have a little more wiggle room: they’re supposed to notify the company they’re doing the work for (the controller) ‘without undue delay’. Under what conditions does a company have to tell the subject about the breach? You can read the details in Article 32, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.”
Penalties
The GDPR carries a significant financial penalty for non-compliance, with the upper tier reaching 4% of annual worldwide turnover. Of particular note here is that there is a tiered fine structure in place.
Green notes: “A company can be fined up to 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach (Articles 31, 32), or not conducting impact assessments (Article 33).
“More serious infringements merit a 4% fine. This includes violation of basic principles related to data security (Article 5) and conditions for consumer consent (Article 7) - these are essentially violations of the core Privacy by Design concepts of the law.”
The GDPR applies to data processors as well as data controllers. A cloud provider, agency or other supplier that handles personal data on a brand’s behalf therefore carries its own direct obligations under the regulation, rather than relying on the controller to be compliant for it.
For countries outside the EU
The GDPR applies to businesses with no establishment in the EU if they offer goods or services to, or monitor the behaviour of, individuals in the EU. This means that if you are collecting and storing the personal data of people in the EU, the GDPR is relevant to your organisation, even if you don’t have a formal presence in the EU zone.
Green warns: “The extra-territoriality requirement (Article 3) is especially relevant to ecommerce companies. Social media forums, online apartment sharing, artisanal craft sites, or beers of the world clubs: you’ve been warned!”
It is also worth noting that irrespective of whether the UK votes “in” or “out” in the forthcoming referendum on whether to remain a member of the European Union, British businesses will still have to adhere to the GDPR.
As per a blog on Amberhawk Training Ltd, if the UK votes to leave the EU, it becomes a state outside of the European Economic Area and therefore has to offer an “adequate level of protection”. However, as the blog notes, “the European Commission sees the UK Data Protection Act as a defective implementation of Directive 95/46/EC and has threatened infraction proceedings to make sure the Data Protection Act 1998 is brought into compliance with Directive standards.”
It continues: “If the Commission’s infraction proceedings are being threatened because the Commission is of the opinion that the UK Data Protection Act does not meet the requirements of the Directive, it must then follow that the UK Act cannot be viewed as meeting the requirements of the GDPR. The current DP Act is therefore at risk of offering an inadequate level of protection.”
Therefore, to reduce the risk that the UK is deemed an unsafe place to transfer personal data concerning Europeans, and to ensure that transfers of personal data into the UK from the EU continue, the UK will have to implement the essential parts of the GDPR, even if it votes to leave the European Union.
Generally speaking, Temple believes that the GDPR will have significant consequences for the organisation and actions of businesses across the creative industry landscape.
“The GDPR will make agencies and brands ask themselves serious questions about whether activity is being undertaken for the good of the customer. Put simply, creative thinking will first need to start with the question, ‘Will this activity make happier customers?’” he notes.
However, Temple also believes that the regulation will force agencies into dropping the view that the UK is an “island nation”, as in the case of marketing and promotions, this could not be further from the truth.
He explains: “Agencies are frequently being asked to design and to provide services for cross-border and intercontinental campaigns, which must adhere to these new regulations. The UK is a dominant force in international promotional marketing. At last year’s IMC European Awards 2015, which celebrates Europe’s best promotional marketing campaigns, UK agencies claimed more than a quarter (26%) of the total winners, including The IMC Grand Prix.
“As leading lights in international promotional campaign planning and activation, the UK has to also be at the forefront of knowledge and preparation for the new legislation. Many brands will not only expect their agencies and service partners to be compliant, they may also reach out to them for support and advice.”
Nonetheless, Temple wants to quell any concerns. “Agencies shouldn’t be put off by change,” he says. “Data still provides the bedrock for outstanding creative thinking, and the GDPR is not a noose from which to strangle the future of data-driven campaigns. Far from it. It is, in fact, a way for marketing departments to become more focused in their goals, more creative in their approach, and more customer-centric in activity. The trend towards a more customer-led approach has been underway for some time. The GDPR merely formalises this stance.”
The way ahead
The implications of the GDPR, and how it applies to a given business, are far too complex to be covered in a single article. Your data protection officer (if you have one) is the person best placed to advise, but it is also worth noting that the DMA will be launching a website dedicated to the GDPR in the coming year.
While marketing organisations should not be afraid of the impending regulation, it is also important that they do not under-estimate it.
Temple concludes: “At its core, the GDPR places a greater level of responsibility on marketers and agencies to use customer data to keep people actively “bought into” a brand relationship. It places greater power into the hands of people who could potentially object to communications at any stage and withdraw from that relationship. This will represent a seismic shift in marketing’s remit and responsibility.”