The Facebook-Cambridge Analytica scandal has further rocked consumer confidence in the way their data is being collected and used. Against this backdrop, could GDPR be the final nail in the coffin for third party data?
Questions about how businesses use and (in some cases) abuse their customers' personal information have never been so prevalent, especially when it comes to the sharing of data with third-parties.
Yet, if you believe the hyperbole, the third-party data market is already on the edge of a precipice, about to be shoved into the abyss by a spectral-like figure named the GDPR.
So how likely is the General Data Protection Regulation to kill the third-party data market stone dead?
And if it is to survive, what questions should marketers be asking about their own third-party data use, in order to ensure it continues to be a valid asset come May 2018, when GDPR is applied to European law, and to ensure they're able to retain consumer trust?
We talked to two data experts, Jim Roberts, director and founder of BlacklerRoberts, and Jim Conning, managing director of data services at Royal Mail, to establish some answers to a crucial area of the GDPR debate.
In May 2018, GDPR will come into force for European nations and will apply to anyone using EU citizen data.
Its objective – to put customers in control of their personal data – has led to a number of stipulations; notably around data permissioning and what constitutes explicit consent.
According to Gigya’s Jason Rose, because third-party data (any data received through outside sources) is a practice reliant on consent that isn’t explicit (i.e. consumers opting into individual company names), GDPR will render all third-party activity obsolete.
“Consumers will now be asked to check a box that says, in effect, ‘We intend to sell your information to data brokers, allowing other companies to send you unsolicited offers and track your online movements’. How many will accept, given they have no obligation to do so? My prediction is zero.
“What’s more, GDPR has no ‘grandfather’ provision allowing the use of third-party data collected without GDPR-level consent before May 2018. The result: Existing third-party data in the EU is gone, and no new data will flow to data brokers as a replacement.”
Whilst this is a provocative story, there are a number of caveats to this apocalyptic assessment, especially in the UK.
Nothing’s been set in stone
Critically, GDPR’s guidelines have yet to be reinterpreted for national data laws. So much so that in countries such as the UK, the national regulator (the ICO) are yet to announce how they will approach third-party data under GDPR.
“The ICO is focused on the data broker market,” says Jim Conning. “They want to investigate and understand data brokerages that don’t really have correct permissions – even under the current data protection laws. Crucially, GDPR tightens all of that up and ensures everyone has correct permissions so consumers know what their data is being used for and to provide the ability to say what they don’t want their data used for.
“My view and the view of many other leaders is that credible organisations in the third-party data space have responded to this draft stipulation and whilst we all acknowledge the need to remove some of the more salacious practices that go on out there, we need more clarity on the explicit consent side because there’s some negative connotations that can result from removing the third party data market in its entirety. That will come when the ICO announces its plans in November and early next year, I have no doubt.”
Whilst most European nations plan to follow the letter of the law regarding their own reinterpretation of GDPR, the guidelines around what constitutes explicit consent and legitimate interest remain somewhat ambiguous.
“Third-party data comes in many guises from simple List Rental databases, providing access to part of a client’s customer base, to companies house data on businesses, to demographic datasets and even suppression data,” says Jim Roberts. “Most of these external data sources are used within businesses and concerns raised on how third party data will be impacted by GDPR.
“So, the first point to highlight is what data is covered by GDPR? Looking at the regulations we have the following definition for personal data:
‘Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
“This helps us understand if the third party data is personal data, as anything outside of this falls outside of the GDPR and can be used.
“The second point is ‘consent’, with this being seen as opening Pandora’s Box when it comes to telling your customers of each third-party their data is being shared with now and in the future. The point to highlight here is that there are alternatives to lawful data processing under GDPR, namely:
- Processing is necessary for the performance of a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”.
“These alternatives can be used to enable the use of some third party data, for example suppression data to ensure compliance of legal obligation (statutory duty).
“Finally, ‘legitimate interest’ is often touted as a way of using third party data, but I do not believe this is the spirit of the goal of the GDPR so is prone to risk. The full guidance on ‘legitimate interest’ from the ICO expected early next year will help clarify this point. This then leaves us with ‘consent’ and the need to get a ‘freely given, unambiguous, affirmative and informed’ permission. This will reduce the available data, but improve the quality of the data that is left from a consent view point.”
Third-party data has value – to the customer
Third-party data gets a bad rep, and in some cases this is fair. A 2014 study by Experian, for instance, found that more than 90% of organisations report at least one type of common error in their contact data, from missing information and inaccuracies, to outdated and duplicate data.
And according to PwC’s Global State of Information Security Survey, the number of data breaches attributed to third-party vendors increased by 22% since 2015. Consumer trust around data has been slowly eroding as a result.
However, for all of the negative press, there’s a view among many experts that losing the third-party data market will actually have an adverse effect on data quality.
“This data is integral to deploying targeted marketing campaigns, because they provide hundreds of data elements that no consumer would fill out in a single form,” says Larisa Bedgood, director of marketing at V12 Data, in a Business2Community post.
“With only a few first-party data elements, third-party data sets can be appended to correct and fill in missing elements such as email addresses, phone numbers, lifestyles, demographics, purchase indicators and more to strengthen your customer insights."
Data validation is a key component of the third-party data market, and is an area that could, if lost, lead to an increase – rather than decrease – in invalid and bad data being used by brands in their attempts to engage customers.
“Third party data is important in two ways – you have the potential to acquire new customers going through life events – homemovers, birth, marriage, graduation etc,” says Conning.
“But it also enriches the information you have about your own customers – understanding them in a more granular way. If we lose all of that, we lose the appropriateness of marketing to existing customers as well as appropriate marketing to new customers.”
Data will get more expensive
As Roberts states, the likely outcome of GDPR is that third-party will become more scarce as some of the more salubrious, charlatan provides are forced out of business by the increased transparency GDPR brings.
“This is good for everyone,” adds Conning. “It’s good for those third-party data providers that have properly opted-in transparency by channel. It’s also good for brands, although the cost of acquisition will definitely go up.
There will be less data, but it will be much higher quality, much better permissioned and much more likely to yield engaged customers.
“There will be less data, but it will be much higher quality, much better permissioned and much more likely to yield engaged customers, but just don’t expect to pay what you previously paid. It will cost more per record. In any market – if it’s more scarce and of higher quality, it tends to cost more.”
As Informatica’s Monica McDonnell explained in a recent post on MyCustomer, marketers should be using this expectation as a vehicle for commanding renewed budgets in the wake of GDPR.
“The timing allows marketing teams to request investment to strengthen their customer data toolset and skills at the time when consumers are increasingly willing to contribute to a well-managed set of data that returns value to them. Marketers should embrace this opportunity with open arms – with the ability to deliver business value beyond simply avoiding the fines and bad publicity associated with non-compliance to GDPR.”
With the continual ambiguity around third-party data, beyond budgetary planning, marketers could be excused for thinking there are few actions to be taken beyond waiting instruction from the ICO or their relevant European regulator.
However, Conning says there are several steps marketers can take to ensure their third-party providers are making plans for the GDPR.
“I’d say there’s two stages – sit down and ask: do you trust the third party providers you’re working with, and have you got evidence that they are compliant today? Have you seen their data protection statements that, when collecting data, shows relevant processes for removing people’s data records when they want to be remove from their services. Have they had any complaints against them? These are all things you should be looking for from a quality data provider, but you need to operate in a current market.
“We are still under the umbrella of current regulation so everything your provider does has to be complaint to today’s laws. What you should be doing is putting in process to ensure that your data providers have a plan for GDPR, but the data providers are following law and procedure as it is now – they can only prepare for what they know and they don’t yet know everything. They can’t be GDPR compliant today.”
And Roberts states that, whilst not discounting third-party data entirely, marketers should also be using the run-up to GDPR asking wider questions about their data use in general.
“I recently read an article comparing GDPR to dating, so with that analogy, ask yourself the question ‘After a first date, would you share your date’s details with all your friends and expect to still get a second date?’ Similarly after many dates and marriage would you share your partner’s details with all your friends? Probably not, so treat your data as you would your relationships and you will not go far wrong with GDPR.”