Insightful, practical, really informative and enjoyable (yes an enjoyable GDPR event!) are just a few of the positive adjectives used to describe the REaD Group GDPR breakfast briefing. With only 3 days to go until ‘G-day’ the event was very timely – and very well attended – with a room packed full of experienced and informed marketers, Agency side Account Managers and data professionals.
There is more to GDPR than Consent!
To set the scene, REaD Group CEO, Jon Cano-Lopez, kicked off proceedings by referencing the latest consent guidance from the ICO (published only a few days before the event). The first statement in the guidance reinforces that consent is often not the most appropriate legal basis for processing data under GDPR:
ICO guidance: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”
So, although the GDPR presents some new hoops for marketers, data managers and compliance teams to jump through – there is more to GDPR than consent – and life will go on beyond 25th May!
The sky won’t fall in on 25th May!
Hannah Crowther, Associate at renowned law firm Bristows LLP, delivered an engaging and no-nonsense presentation packed with salient advice (she even got some laughs!). Lamenting the barrage of opt-in requests we are all experiencing, she advised caution when deciding whether to re-permission your data – in many cases it is not necessary – particularly for existing customers, members or subscribers.
Her top tips for staying on the right side of the GDPR?
- If you are embarrassed to say what you are doing with personal data you shouldn’t be doing it!
- Avoid surprising people – use the Legitimate Interest balancing tests to determine what an individual would reasonably expect to receive
- Give individuals control over their data and what happens to it, for example by including a clear means to update their preferences or opt out – and document it
Her informed legal view: If you have carried out your checks and balances – by using Legitimate Interest Assessments in a serious and thoughtful manner – and you can evidence your process, you are unlikely to be in ICO fine territory.
What about the right to erasure? This is another area of GDPR receiving a lot of coverage but also greatly misunderstood. In fact, in many instances requests can be legitimately challenged by an organisation – using the outcome of a balancing test and where there is an overriding legal basis for continuing to hold and process the requester’s personal data (she used the examples of current employees or customers who need to be invoiced).
It’s a journey not a destination!
A pre-recorded interview with Michelle de Souza, experienced CDO at Age UK, gave us insight and sound advice based on her hands-on experience of preparing for GDPR. Their two-year GDPR journey has taken them from relative disinterest internally to embracing the new principles-based regulation. Michelle likened the run-up to the enforcement of GDPR to preparing for your driving test, hoping you will pass – and that you don’t get pulled over!
“If you are doing something that doesn’t feel right then you probably shouldn’t be doing it.” Elizabeth Denham, Information Commissioner
Mark Roy – Founder and Chairman of REaD Group – spoke passionately about GDPR being a force for good. Surely it is better for businesses to be more transparent and honest about what they are doing with personal data so consumers can be more informed and more engaged? He talked about Recital 47, which states explicitly that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
By Direct Marketing the GDPR refers to Direct Mail (not email, telephone or online – which are still covered by PECR). Mark expounded the virtues of Direct Mail as an effective, more trusted, less invasive and creative channel to market. Research confirms that consumers trust direct mail more than email and that it makes them feel more valued.
In Mark’s view, once the GDPR dust has settled, the real game changer will be the ePrivacy Regulation (ePR) which is expected to replace PECR in 2020 and will shake up all digital channels.
Closing on an optimistic note, he reiterated that businesses that embrace GDPR will thrive beyond May 25th – and the future for data driven marketing is bright!
By Jon Cano-Lopez, CEO at REaD Group
We are now only days away from the big day – the General Data Protection Regulation – widely considered to be the most drastic change to the data landscape of recent decades.
GDPR is, in many people’s opinion, long overdue. The previous legislation surrounding data protection, the Data Protection Act, was implemented in 1998, before many of today’s digital marketing channels existed – the marketing practices of today are almost unrecognisable compared with those of 20 years ago.
Like it or not, GDPR will force marketers to alter their practices (very much for the better) and will impact businesses in numerous ways – across every bit of personal data processing. One of the central reasons for its implementation is to give consumers back control of their data and promote transparency and honesty between marketers and their customers.
The data value exchange
Unquestionably, gaining permissioned data will become more challenging and this will directly impact on marketing communications. The real test for brands will be to convince consumers of the value exchange in providing their data. Consumers and brands have been benefiting from data sharing for years, to the point where people often take many of the benefits for granted, such as loyalty schemes and tailored offers.
By providing relevant and tailored communications, brands can demonstrate the value of data sharing and ensure that their customers are likely to welcome correspondence from them.
While many marketers, and indeed much of the media, have been concentrating on the issues around obtaining consent, it is important not to forget that Article 5 of the GDPR requires that data be kept up-to-date and accurate. Using first-class data cleaning products, such as Data-as-a-Service (DaaS) solutions which can clean data in real time, will ensure that companies are complying with this aspect of the regulation (and take a significant amount of hassle out of the task).
Data is becoming an increasingly valuable asset, and this value should not be underappreciated. It costs five times as much to attract a new customer as it does to keep an existing one. Keeping data up-to-date in order to communicate better with your existing customers should therefore be a no-brainer.
Despite a desperate scramble by many companies to re-consent customers via email, it is important to remember that consent is NOT the only legal basis for processing data. There are six in total and they are all created equal. Marketers received some good news from the ICO earlier this year when it was announced that if you are using direct mail to market to consumers you can rely on ‘legitimate interest’:
“you won’t need consent for postal marketing… you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact and an individual is unlikely to be surprised or object.”
However, an LIA (legitimate interest assessment, also known as a balancing test) should be conducted to determine whether ‘legitimate interests’ can be used as a form of lawful basis for the data you are contacting.
In light of this announcement, brands should explore the opportunities presented by direct mail and think about how to utilise the channel to secure maximum impact. Public perceptions around direct mail have changed over recent years after many experienced an endless deluge of largely irrelevant and unwanted email. A return to a golden age of DM should be welcome news to consumers and companies alike. Mail as a medium has been found to be far less intrusive, more tangible and trustworthy, as well as providing a greater scope for companies to be creative and encourage engagement.
The months ahead
The 25th May should not be thought of as a finish line, but the beginning of a journey. Achieving compliance is only the start – maintaining best practice and incorporating it into company culture will be the real test for companies. However, it is important to remember that the legislation will ultimately benefit both consumers and brands. There is no need to panic over the prospect of fewer names on the marketing database, as those who have chosen to share their data will be more receptive and open to communications; essentially more valuable to business. Forging these long-term and mutually beneficial relationships with customers who want to be contacted will pave the way for a successful future.
Another important difference between the Data Protection Act and the GDPR is that two existing Privacy concepts will be entrenched in law in Article 25, namely ‘Privacy by Design’ and ‘Privacy by Default’.
These concepts are not new but will have enhanced prominence and importance with the enforcement of the GDPR, under Article 25.
Privacy by Design means businesses need to consider privacy at the initial design stages and throughout the development process of any new products, processes or services that involve processing personal data.
Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones.
Sounds simple, right? Well, maybe not… It is far more than a tick-box compliance exercise that can be buried within audits and contracts… it requires full commitment to build data protection into company culture and all aspects of its operations. Essentially, these Principles encapsulate an ethos that should permeate every organisation that controls or processes personal data.
So here are a few tips for applying these key principles (and soon to be legal obligations):
- Educate all staff so they understand the principles – and that the Privacy obligations and accountability sit with ALL staff, not just IT or compliance teams
- Conduct a Privacy Impact Assessment – or PIA. A PIA is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained within the organisation
  - Best practice is to create a PIA template which can then be filled in for each new system or product/service. The ICO have provided a PIA template here.
- Implement appropriate technical and organisational measures to ensure that only personal data necessary for each specific purpose are processed. This applies to the amount of personal data collected, the extent of processing, period of storage and accessibility
  - Data collection techniques – including cookies – should also be reviewed and revised to avoid excessive data collection. Ensure that automated deletion processes are in place to remove personal data after an appropriate (and set) period of time
- Remember this is a legal obligation – no longer a ‘good idea’ or a ‘nice to have’
One big benefit of applying Privacy by Design and Default is that it will also make it easier to be transparent, which is absolutely key when it comes to earning the trust to collect the data in the first place – and also a fundamental principle of the GDPR.
So, time to embrace Privacy!
Read about how REaD Group have embraced information security and implemented Privacy by Default.
By Mark Roy, Founder and Chairman of REaD Group
The current chaos that seems to have overtaken the social media world these days is going to have far-reaching consequences, not just for social media but across the entire digital spectrum.
We have all been inundated with warnings about the imminent arrival of GDPR and many of us have spent much of the past few years preparing for that change. But it is the Electronic Privacy Review (E-PR) that will have a devastating effect on businesses engaged in digital communications as the current social media furore has altered the focus of E-PR from PECR re-write to complete reinvention of digital communications regulations.
The back story to GDPR is that the European Union was extremely unhappy in the early teenies about American digital behemoths – the likes of Facebook, Microsoft, Google, and Apple wantonly using European citizen data for their own gain. They believed (rightly in my view) that European citizens should be able to exploit these services whilst having confidence that data would not end up disappearing to God knows where and used for God knows what!
To make matters worse for the Americans, in the time it has taken to get GDPR ratified in Europe both Safe Harbours and Privacy Shield have been binned, although an allegedly ‘beefed-up’ version of Privacy Shield is now in play. Somewhat unhelpfully, in a deeply Churchillian two-fingered way, Mr Trump has also managed to abolish the Obama Privacy bill which apparently did not put ‘America First’!
However, the wider story is not about the new controls and transparency that GDPR will provide for European citizens, it isn’t even about the fines that will be issued if companies fail to adhere to this new higher standard, the real story is about what is going to happen next year when the E-Privacy review (E-PR) is published.
The digital marketing arena is currently governed by the Privacy and Electronic Communications Regulations (PECR). Written in 2003, it has been subject to comparatively little reform over the last 15 years, amazing considering all that has changed in that time. The E-PR is fast approaching its closing stages and aims to resolve the significant legislative gap between the digital arena of 2003 and today’s much changed industry, as well as creating important synergies between E-PR and GDPR.
At its heart (surprise surprise!) is a pretty draconian view of how commercial organisations are able (or unable) to exploit European citizen data. One other key thing to mention is that currently, sitting within the text, it states that all digital communications should be based on consent in line with GDPR, in other words open, transparent and unambiguous and requiring affirmative action.
So, it will not surprise you in the least when you hear that MEPs, Euro legislators, rapporteurs, ministers et al have spent the last few months being savagely lobbied by who? You guessed it, the US behemoths who stand to lose billions as a result of these changes, yes – those same behemoths that sat firmly in the cross-hairs of the Euro legislature back in the early teenies!
So when a story erupts about an analytical business using “surreptitiously” acquired data to try and influence the outcome of an election you won’t need a degree in quantum physics to understand that any party involved in the creation of the E-PR will now be doing everything within their power to ensure that European citizen data is protected at all costs.
Whilst I have long said the GDPR right to erasure articles would signal an end to the wanton use of citizen data in the programmatic industry, it now seems that a relatively small analytical business abusing the trust of Facebook users (aided by a long-held, commercially convenient laissez-faire attitude from Facebook) has pretty much ensured that the E-PR will move to an opt-in model and that European digital marketing companies will have to find a new and more transparent way of acquiring customers.
By Scott Logie, MD, Insight at REaD Group
I played football on Thursday afternoon for the first time in around a year. We played 3 games…and lost them all. In addition, I stubbed my toe which was massive and bruised when I woke up. I also seem to have tweaked some muscles in my groin. All of which meant that I was feeling pretty sorry for myself when I hobbled through the rain to attend the MS Society Awards lunch on Friday. By the time I left a little over 4 hours later not only had I realised the need to stop being quite so self-centred but I had learned a huge amount about people’s ability to be positive, see past adversity and support others.
Every year at REaD Group we choose a charity to support. This year we are helping out and raising funds for MS Society after it was nominated by one of our staff who has a friend who suffers from Multiple Sclerosis. We have done some fundraising events already including a waxing evening (for some of our hairier gents) and are walking 10 peaks in the Lake District in 10 hours on the 1st of June. I was also invited to judge the employer of the year award which was one of 15 given out at the awards.
Even before the awards, at the drinks beforehand and over lunch, the stories of how people live with MS and the support of those who help them out day to day was incredible. As part of the judging we had already read a lot about the things that people in companies do to help their colleagues who have to live each day with MS, but to meet these people in the flesh and see the bond between them was amazing. It was clear that for all of them, this wasn’t about helping staff but about a lasting friendship.
This might sound odd but one of the things I noticed, from my point of view as an outsider, was how often it was hard to distinguish who had MS and who didn’t. At my table at lunch were three sets of people from companies and in each case one was an MS sufferer and the other wasn’t. And in each case, until they stood up and needed support or assistance, it would have been impossible to say who had MS. This clearly shows how unpredictable a disease it is, and how it can literally affect anyone at any time.
Scott Mills from Radio 1, whose mum has MS, presented the awards and described it as “an emotional rollercoaster” and boy was he spot on. The awards were a mixture of individuals and groups who support MS sufferers and people with MS who are an inspiration for others. The first group includes partners and employers who go above and beyond, those who are researching to help find a cure and people in the media who are raising the profile of the disease and its consequences.
However, the most lump-in-throat moments for me here were from the young people who either care for their parents with MS – including a 9-year-old girl and two 16-year-old girls who have to balance exams, being 16 and looking after their parent – or those raising funds. This latter group included a 10-year-old girl who organised a bake sale on her own and an 11-year-old boy who swam nearly 1,500 lengths of his swimming pool.
And then there are those who not only live every day with MS but also take the time to raise funds, such as Noel Wilson, who is aiming to drive his mobility scooter around every racing circuit in the UK, or who campaign or support through sharing their experiences, such as Hannah Smith, who was diagnosed with relapsing MS at 24 and has set up a blog called An Ordinary Girl with MS, where she writes openly about her experiences. The ability of people to lift themselves above a debilitating illness, and not just live every day but inspire others, is fantastic.
It feels like a drop in the ocean but I’m really proud that REaD Group are supporting the MS Society this year. I hope you all feel the same and support us in whatever way you can.