By Mark Roy, Chairman and Founder of REaD Group
So, at last a bit of welcome news from the ICO. In black and white in new guidance for the charity sector. Consent is NOT required if you are using direct mail and relying on Legitimate Interest. Considering the amount of utter nonsense being spouted by SO many ‘overnight experts’ this is an extraordinarily timely piece of clear-cut advice from the ICO to marketers.
That said, it was rather curiously tucked away in the FAQ’s of the advice specifically designed for the charity sector. That very same sector that has spent the last 24 months, since the Etherington review, paralysed with fear of potential repercussions of using data incorrectly. Ironic really, when the mainstay of British fundraising had always been direct mail, that it is now that very same channel that will no doubt bring about the resurgence in charitable marketing.
ICO: You won’t need consent for postal marketing …If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
Of course this doesn’t just apply to charities, it applies to any organisation that has a legitimate interest to process data, no matter what sector. It is very important to realise that when, late in the day, the EU added those 18 words to clause 47 of GDPR – namely “The processing of personal data for Direct marketing purposes may be regarded as carried out for legitimate purposes” – they meant Direct Mail!
Today, direct mail is regarded very differently from a decade ago.
70% of respondents said that mail makes them feel more valued (up from 57% in 2013). Source: Royal Mail Market Reach: The Value of mail in uncertain times, August 2017
It turns out that compared to email, SMS or voice calls it is perceptibly a comparative saint. It is remarkably unobtrusive and has the tactility to create real connections with the recipient and relay real brand value.
The ICO should be applauded for this much needed definitive advice, much more of the same is required… please! Hopefully then, and I suspect only then, will we see an end to the ridiculous scaremongering and be able to get on with running our businesses whilst continuing to protect the consumer interest.
There has never been a better time to plan your next Direct Mail campaign. We might know a thing or two about that…get in touch to explore the huge opportunity this clarity presents.
By Andy Bridges, Data Quality and Governance Manager at REaD Group
The Gemalto Breach Level Index (BLI) recently published some rather concerning findings – more data records were leaked or stolen in the first half of 2017 than in the whole of 2016. An even greater cause for concern, and perhaps somewhat surprising, the report also revealed that the most common cause for data breaches was accidental loss and data being inadvertently left exposed.
While attacks by cyber criminals make for more compelling reading, more attention needs to be brought to internal threats such as accidental loss and other acts of negligence. If nothing else, the BSI report highlights that UK data security culture is in serious need of an overhaul. So how exactly can businesses better protect themselves?
However much we like to believe that information breaches are largely the result of strategically orchestrated attacks by criminal masterminds, the truth is generally far less dramatic. They are frequently the result of human error, such as misplacing hard drives, bad password management, careless file sharing or lack of vigilance to the increasingly prevalent phishing emails. All can be easily prevented.
More than anything, businesses must incorporate information security into office culture – protecting information is no longer the sole responsibility of IT and compliance departments; data security is a companywide responsibility.
As a first step, staff should be trained on a regular basis to ensure that everyone understands best practice in the workplace. The HR policy should also be altered to reflect the fact that responsibility doesn’t lie solely with IT to instigate better behaviour.
Additionally, employees should be on the lookout for potential threats to information security, such as leaving computer screens unlocked and leaving confidential paperwork unattended, and should be encouraged to self-police. Implementing a clean desk policy is a good first step towards safeguarding confidential information.
In order to better protect an information estate, companies need to understand what information they have. As well as ensuring that data is clean, viable and that all relevant permissions and consent are held for the data, companies must also ensure that the appropriate data protection and information security practices are in place. It states in Recital (100) of the GDPR that:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
It is not currently compulsory to report a data breach, but once GDPR comes into force next year, all companies must report a data breach to the Information Commissioner’s office within 72 hours. In addition to risking a hefty fine, companies will also stand to incur the longer-standing loss to their reputation.
With this in mind, it seems highly probable that we will see an increase in breach reports – most likely not due to an increase in breaches, but because companies will have much more incentive to be transparent and open about such occurrences.
Overall, GDPR presents a great opportunity for UK businesses to step up their data protection strategies and better protect themselves against data breaches. The new regulation stipulates that companies will have to be much more rigorous in their approach to collecting, storing and using customer data – which should correspondingly see a vast reduction in accidental loss. Inevitably, this increased transparency will result in a more trusting and loyal consumer.
It is now less than 6 months until GDPR is introduced, and the more earnest businesses are to prepare and implement the necessary data protection strategies, the sooner we will see a significant reduction in the number of data breaches.
By Scott Logie, MD, Insight at REaD Group
In the ongoing race to maximise compliance and pip GDPR to that ever-encroaching finish line, the whispers and concerns over its implications continue to reach fever-pitch.
Earlier this year, the Information Commissioner’s Office (ICO) made an example of the Exeter-based airline Flybe by enforcing a sizeable £70,000 fine. The airline incurred this by sending millions of marketing emails to customers who did not wish to receive them; the ICO have made it very clear that when it comes to consent infringements – they’re taking no prisoners. ICO head of enforcement, Steve Eckersley stated that Flybe “deliberately contacted people who have already opted out of emails from them” by asking if they wanted to update their preferences, which he stressed is still a form of marketing.
It is therefore hardly surprising that many travel companies have begun to feel apprehensive about their ability to communicate with their customers come the day of GDPR reckoning (May 2018). With fines such as the one sustained by Flybe becoming more prevalent, this only emphasizes the necessity for companies to obtain consent from consumers. Consent essentially entails an individual providing approval for the processing of their personal information. The bottom line is that travel companies, and indeed all businesses alike, will have to be far more transparent if they hope to avoid harsh sanctions from an unforgiving ICO.
Initial guidance provided by the ICO suggests that a pre-ticked opt-in box will no longer constitute legally attaining permission. In lieu of this, unequivocal and unambiguous consent must be attained through active opt-in protocols; the box must be empty to begin with. Moreover, comprehensive details of how this data will be used must be provided. Contrary to the current system, consent requests must under no circumstances be hidden in the Narnia of terms and conditions or be a precondition of subscribing.
Admittedly, marketing strategies may require a bit of adjustment, but in the long run these new regulations should be seen as a positive change for both customers and operators alike. While it may ultimately result in a shrinkage in the size of marketing databases, the overall quality and saturation of amenable and valued customers within them shall undoubtedly increase. Those who have willingly shared their personal information will prove more beneficial to marketers than those who have been duped into giving permission. Consumers are more than happy to part with their details as long as they perceive that they are receiving a tailored and personal service in exchange. With regard to Travel companies, details on a customer’s budget, lifestyle and favourite destination can be used to provide the kind of customer service that consumers have come to expect.
On the other hand, it seems likely that smaller companies and those that have already fallen under the ICO cosh may struggle somewhat more than household names to convince consumers to part with their personal data. Nonetheless, there are certain measures that all travel operators, irrespective of size or reputation, can implement to limit any negative effects of GDPR.
The most effective course of action might be to devise highly targeted marketing campaigns that demonstrate to consumers the benefit of consenting. Personal offers and relevant streams of contact can be instigated once Travel companies have segmented their customer database into smaller groups based on factors such as interests, favourite destination and budget. How soon should you do this? The sooner the better; GDPR waits for no man.
Once the swirling dust and initial shock of GDPR has settled, companies should find that they are left with a more succinct database consisting of receptive customers. Which, truth be told, is an infinitely better prospect than a larger spread of individuals who weren’t aware that they had consented in the first place. By conducting these highly targeted campaigns, travel operators can seize the opportunity to demonstrate the value exchange in sharing information and strengthen relationships with their existing customers before GDPR’s implementation. This may seem like an extreme alteration in approach, but travel companies should find that if they navigate these unchartered waters effectively – treasures and bounty await.
12th May 2017
By Scott Logie, MD, Insight at REaD Group
That most contentious of acronyms – GDPR – draws ever closer, and as each second ticks by the clamouring voice of the media continues to cause a frenzy around the repercussions of this new regulation for the marketing industry. As the finer details of GDPR’s implementation are not yet fully known it has left a lot of people wondering how it will affect brand’s ability to communicate and ultimately understand their customers.
The crucial aspect that has many marketers running for the hills are the changes being instigated concerning ‘consent’; essentially the permission given by an individual to allow the processing and use of their personal data. For starters, you can kiss goodbye to the pre-ticked box. Instead, businesses will be required to obtain unambiguous consent from consumers with active opt-in protocols, and must bare each tiny detail of how exactly they intend to use said data. Consent requests can no longer be sneakily hidden away in terms and conditions like a needle in a haystack or indeed be a precondition of signing up to a service. Separate consent must be obtained for EACH separate channel through which a brand wishes to communicate, as opposed to having a blanket opt-in.
All things considered, surely putting consumers at the heart of marketing and promoting more transparency and trust in the industry is a good thing? Nevertheless, these new stringent rules could ultimately mean that marketers find it difficult to target new customers and struggle to profile customer data. The key question is: as consumers become more and more sceptical about parting with their personal data, how can marketers win them over and ensure they are maintaining relationships with them once GDPR comes into full force in 2018?
The big, well-trusted brands such as Amazon, John Lewis and Marks and Spencer will be sleeping soundly in their beds in the knowledge that they should continue to have little difficulty with this conundrum. It is the less established, less trusted or less appealing companies that shall be biting furiously at their fingernails.
Companies that offer insurance or utilities will inevitably find themselves at more of an impasse when it comes to securing consent, as consumers perceive these services as a purchase made from necessity and not for enjoyment or pleasure. The reality is that while consumers are happy to provide their personal data to their favourite retailer with the promise of receiving personalised and rewarding customer service, industries such as insurance just don’t provide the same sex appeal.
Fear not! Marketers from all industries and sectors should refrain from DEFCON 1 just yet. Consider this to be a fantastic opportunity to get a head start and organise highly targeted marketing campaigns to source consent from consumers in the run up to GDPR. In order to achieve this, customer databases would need to be profiled and different consumer segments identified. Each of these target audiences will already have different relationships with your brand, underpinned by their individual lifestyle factors, attitudes, purchasing behaviour and communication preferences. By segmenting audiences and analysing these different relationships, marketers can build a detailed picture of their customers and best understand how to persuade them of the benefits of providing their data in the most relevant fashion.
Truth be told, won’t this ultimately provide brands with a more valuable customer base and allow brands to hone their marketing approach? Evidently, some consumers will still refuse permission to their personal data, but on the bright side those that do would probably be averse to ongoing communications anyway. Why invest in consumers that are not willing to engage with your brand? Time and effort are far better spent on those that have actively requested contact. Furthermore, these consumers will appreciate the open, transparent foundation on which you have initiated this relationship and shall anticipate the same standard in future.
Of course, it goes without saying that it is vital for brands to continue to secure consumer data from May 2018, and undoubtedly (and unavoidably) there will be consumers that choose to opt-out of providing consent. However, this new focus on a transparent approach to data collection will, in due course, result in more reliable customer data and more profitable customer relationships. This new chapter of consumer consent should not be cause for concern; if tackled head on and in an effective manner, the results for marketers could be extremely lucrative and rewarding.
Talk to us today about how to effectively segment your customer data!
14th May 2016
1 – Tell us about yourself – what’s the story so far?
I’ve been involved with data for around 20 years, staring at a business publishers in SOHO rising to Data Governance lead at one of the leading loyalty companies in the UK .…When I started in data I used floppy disks that had a mass storage of 240mb!! Not sure if the younger generation know what those are….
2 – Tell us about your role at REaD Group – what does compliance really mean?
Compliance to me is making sure the information we collect , manage and distribute is something we can trust and is fully transparent, in turn that gives our clients confidence, I suppose I’m the ‘ rules and regulation’ man… but let’s be clear I’m not an Auditor!
3 – What changes in the industry can we expect to see in 2016?
We will be hearing more about cybersecurity with cyber-attacks becoming ever more frequent and increasingly damaging. In addition we will also see mobile commerce grow as the desktop loses its primary place. I also believe the retention, interaction and long-term engagement of consumers will be an even smaller target to hit as we see the rise of the savvy consumer….and what’s going to gain real momentum in 2016 is the impending GDPR.
4 – What inspires you?
People with drive, determination, positive attitudes and to be honest my Dad – he never sits down and just keeps going.
5 – Who has been your business mentor?
There’s a few to mention, so I won’t pick just one… One of those mentors said ‘knowledge is power’ (yes it sounds corny….) but boy has it been true over the years.
6 – What attracted you to the REaD Group?
I’ve had a business relationship with the REaD group for many years and have always been impressed with their skill to keep moving forward and create valuable data driven marketing services for it clients.
7 – What do you like to do in your spare time?
As most people have noticed in the Office – Road Cycling. I love the open road and if I had a time machine I’d go back and be part of the pro peloton!