GDPR – the EU General Data Protection Regulation – is among the biggest legislative changes to hit UK businesses in years. Organisations that fail to adhere to the new rules face fines of €20m or 4% of their global turnover. And there’s no limit on size of business; it affects everyone.
As a business owner, you need to get to grips with GDPR, how it affects your business and what you need to put in place to prepare. The ramifications impact many different departments and, as such, you’ll need a holistic plan of action which involves key members of your team.
With this in mind, we gathered three of The Marketing Centre’s partners and experts around the boardroom table to discuss the regulation’s impact from the perspective of legal, IT and marketing.
If you’re new to GDPR as a concept, we urge you to have a read of our overview here before reading on.
The Marketing Centre: Hi all, firstly, can we get a bit of background to GDPR. Why are the laws changing?
Trupti Harding-Shah: We’ve been operating under outdated legislation for some time now in that the current Data Protection Act (DPA) doesn’t address many of the challenges thrown up by our digital way of life. Under GDPR, businesses will have to be more proactive in their data management, and customers will have a much more dynamic right of consent around their data. They can give or withdraw consent at will, port their data or have it erased completely. It’s encouraging a real shift away from a compliance and box ticking mindset towards businesses being much more transparent and accountable to their customers.
Andy Hart: Exactly right. It’s a “sign of the times” thing. We’ve seen a continual and exponential explosion of data over the last ten years, and privacy has changed a lot. People used to easily give away data to things like Facebook, but the pushback has begun – giving people ownership over their data and enabling them to say, “that’s not right, I’m not happy with that. I want that changed or deleted.”
I’m not sure GDPR is the right way to handle this, but something has to be done because many service providers aren’t as secure as they should be. Nothing is totally secure. It’s a bit like buying a house in a high-crime area, sticking the Crown Jewels in it, and then working out how to secure them afterwards.
Pete Jakob: Ultimately, GDPR brings our data protection laws in line with the rest of Europe; the world, even. The laws will hand power to individuals about what data businesses hold on them and, importantly, how they can use it.
TMC: OK, let’s cover the basics. What do the laws mean for businesses in each of your departments, and what are the key challenges?
Andy: From an IT perspective, a business needs to understand what data it has, where the data is, who has access to it, and what it’s used for. Within that data there will be a subset which is personal information – defined much more broadly than under the Data Protection Act. Personal data isn’t just names and ID numbers or payroll numbers; it includes things like your computer’s IP address and demographic information.
There are therefore basic security controls that need to be put in place, whether the data is at rest or in transit. Data should be encrypted or anonymised, so it can’t be immediately tied back to an individual. Privacy notices need to be clear and easy to understand, outlining why data is collected, what it will be used for and how long it will be kept. It must be as easy for users to opt-out as it is to opt-in, and opting in must be positive. That means not pre-ticking email sign-in boxes, for example.
Trupti: Legally speaking, GDPR sets a much higher standard for consent, so we’ll be assessing the current mechanisms employed by our clients to obtain consent and revising them to make them more granular, dynamic and compliant. We’ll also be updating privacy policies and working with our counterparts in IT and marketing to establish a wholesale lie-of-the-land and roadmap the leap from current practices to the higher standards required under GDPR. As Andy says, businesses will have to look at how they collect, store and manage data internally, and audit this against GDPR requirements.
Until now, the approach has often been that it’s enough to have a privacy policy and cookie policy up on the website. GDPR raises the bar. It’s designed to put data protection at the top of the agenda in the minds of business owners and their management teams and encourage them to take a more holistic approach.
Pete: This question of compliance should be at the top of everyone’s marketing agenda. Today, if I have or buy a mailing list with 25,000 people on it and I want to email them, I can. I have to allow them to opt out, but until they do so I can go on mailing them.
As of May 2018, GDPR implies I might not even be allowed to email them unless they’ve explicitly consented to be mailed.
TMC: Implies?
Pete: Yeah. Well, there is a lot of misinformation floating around on this. GDPR doesn’t explicitly mention email marketing, and it certainly doesn’t prevent it. HOWEVER, there is a separate piece of legislation - Privacy in Electronic Communications (PECR) - which has been around since 2003 and is revised periodically.
The latest revisions are still in draft, but it is PECR and not GDPR which is creating concern about the future of B2B email marketing without positive opt-in consent. If the current draft of PECR goes through, it will put B2B email marketing on the same footing as B2C marketing and will mean you need a positive opt-in to send mailshots. Which way it goes remains to be seen but there could be a significant impact from a marketing perspective.
The combination of GDPR and PECR means marketing process needs to be tightened, and a positive opt in needs to be encouraged.
The question businesses need to ask is, why would their customers opt in? They need to work hard now to develop an inbound marketing strategy that offers more than simply bludgeoning the recipients round the head with sales messages. It becomes a human game rather than simply a numbers game.
If you’re procuring or building lists, work hard to get everyone to opt in. The same goes for your existing data. You’ll need records of how everyone opted in, and where, and when.
TMC: The question then is, how do you collect data?
Trupti: There’s a lot more to consent under GDPR than under the DPA: GDPR requires consent to be granular, clear and affirmative. If you want consent for a specific purpose, the request for consent needs to be directly relevant to the purpose for which you’re going to use it. In real terms, this means you can’t run a competition that says “tick this box and give us access to your data” if you’re going to use the data for another purpose altogether.
The whole business of implied consent and pre-ticked boxes will have to go. The withholding of information behind consent – including websites that say “we need your data for you to go further” – may have to go, too.
If we flip it and look at it from the perspective of the individual - it’s not unreasonable to want to know what the information you’re sharing is going to be used for. As businesses embrace this, it’s only going to build up trust in the minds of their customers and enhance their reputation. Yes, this may be disruptive in the short term but there’s also an opportunity here to win confidence.
TMC: Trupti, how worried should businesses be about non-compliance?
Trupti: Under GDPR the financial sanctions for non-compliance could mean fines of up to 4% of annual turnover or €20 million; authorities will also have investigative and corrective powers under which they could audit a business, issue warnings and even ban you (temporarily or permanently) from processing data. Individuals could also bring cases against a company if they’ve suffered loss as a result of their data being mishandled. There are additional sanctions under PECR which might also apply. Here the financial penalties are lower, but there’s scope for criminal prosecution.
In the UK, the ICO does already take enforcement action against companies not complying with the existing data protection legislation but GDPR raises the stakes giving supervising authorities stronger powers to uphold the higher standards it prescribes.
TMC: How many of the businesses each of you deals with have a plan in place for GDPR?
Andy: Very few. Many of the people I’m talking with aren’t cognisant of what’s going on. There are even people who say, “we’re leaving the EU so it doesn’t matter to us or apply to our business”. It does, and it will. It applies to anyone who conducts any transactions with the EU, with EU businesses and EU citizens.
Pete: It seems that most of the UK has its head in the sand on GDPR. Directors are vaguely aware of it, know they need to do something and are talking to their legal team about the details and the fines. I’m recommending that people go back to the principles – what would be the right thing to do, and how far off that are they, and how much can they close that gap in the next twelve months?
There’ll be vast swathes of the marketing industry that won’t be close to 100% compliant next May, but if you have a plan and you’re well on the way, you can show supervisory bodies that you’re trying to do the right thing.
TMC: What does ‘trying to do the right thing’ look like?
Pete: Firstly look at cookie and privacy statements – are they open and transparent about what you’re using to capture insight and what you’re doing with it? Are you collecting data through an opt-out process? How do you move to an opt-in process? Ask people to opt in now. If your clients, customers, contacts and so on haven’t opted in, contact them. Send them an email that’s clear about why you’re asking them to confirm, and how they can manage their preferences and so on. Start implementing that now.
TMC: How do businesses make sure they comply with the new rulings both in terms of process and internal structure?
Pete: Aside from the opt-in and compliance elements, one thing we haven’t talked about is the process for data breaches and internal reporting. Whoever becomes aware of a breach, or a suspected breach, needs to have a single point of contact they can report it to. Someone needs to assess the breach quickly, understand what caused it and where it is in the data handling process, and how many and which data subjects it impacts.
Then it needs reporting, within 72 hours, to the supervisory authority. If someone has failed to do what they should have done, there will be a fine; if the business has done everything correctly and there’s been a breach despite that, there’s unlikely to be a fine.
That single point to which the reports go is the data protection officer; someone as senior as possible to take overall responsibility for data. Many see this as a job for IT. But so much of GDPR isn’t about IT. It covers CCTV recordings, voicemail and hard copy data on paper as well as electronic data. If a notepad with someone’s details on it is stolen, this constitutes a data breach.
The reality is that IT, marketing and legal will all have a role to play, so the person nominated should be able to take a coordinated approach across all those departments. For the average SME I expect it’ll be the Financial Officer or Director.
Trupti: There needs to be an education process within the whole company. Business owners won’t want to educate their managers and then find that others within the organisation have inadvertently let a ball drop. It’s a question of managing risks: Being joined up and making sure everyone in the business understands the standards prescribed by GDPR and what that means to them in the context of that individual’s role.
Currently under GDPR, only public bodies and businesses that undertake large scale or systematic processing of data have to appoint a data protection officer (DPO). Smaller businesses are not required to appoint a DPO, but even if you don’t have to, I agree with Andy, it makes good business sense to designate someone as a data protection champion to monitor performance and report to the board.
Most businesses we work with appoint our lawyers as data protection champions to interpret GDPR and pull everyone together. That won’t be right for everyone, though, especially if they don’t have access to the kind of flexible inhouse solution we offer.
Education will carry a cost. Every business will have to make that investment, and the smart ones will probably do it sooner rather than later. Whether it’s a question of assigning employee time to those activities or bringing an expert in will vary, but every business will need to allocate a budget for education and training their teams, appointing a champion and performing that audit to establish how they’re treating data and then bridging any gap.
We also have thought about the partners and suppliers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards and you’ll want to work with businesses who are GDPR-compliant.
Some of those arrangements with mailing list providers will have to be revisited to ensure the partners have explicit consent to – for example – selling email addresses to third parties. It’s not just about prospects – it’s about all the people you’re doing business with.
TMC: Anything else?
Pete: One thing; storage practice will have to change too. If an organisation gets a subject access request, IT teams sometimes struggle to identify all the data relating to an individual, because it’s locked up in different systems. Large organisations will have to look at how they tie their systems together. Most will have to consider modifying their website to include explicit consent for data collection, having procedures and controls so that if there’s a breach people know what to do.
Many organisations don’t comply with their own data retention policies at the moment - they should be deleting data after so many years and they hang on to it forever. Even if they’ve deleted a file, it’s stored in systems or databases or on a server as a big block, and that blocks backed up for security or recovery purposes, and that backup is kept forever. If the business ever does need to restore, they’ll take that backup and they’ll get the data back. That won’t be possible as an approach under GDPR.
In all honesty, most data breaches are down to human error. People talk about being hacked, but the actual cause is someone leaving a laptop on a train or hitting ‘Reply To All’ on an email. It’s that easy.
The best thing businesses of all sizes can do is run an employee awareness program, so staff understand why data needs to be kept safe and what the basic vulnerabilities are. Can people just wander into the office and see what’s on their screens? Are documents being left on top of photocopiers or in the out trays of printers? Do we leave things on the reception desk that we shouldn’t?
These are basic, brass tacks security controls that have nothing to do with IT systems. They simply require a bit of a cultural change which, as we all know, can be hard to achieve.
TMC: Sounds like there’s a lot of work to do!
Pete: There absolutely is, but certainly from a marketing perspective, I think we should take a positive stance on GDPR. It’s forcing us to treat clients in the way that we would like to be treated. If we’re trying to be respectful, honest, open and authentic with our clients – all those values we’ve been talking about since before digital technology – it’s a no-brainer.
If we look at the countries like Canada or Germany, which have much tighter privacy regulations than the UK has had, we see email volumes go down but email engagement goes up by comparison. We’ll go the same way and see less spam. Why is that a bad thing?
Andy: Quite right. If we embrace it and are pragmatic about it, we’re in a good place. Nobody wants those headlines about a huge data breach. If we get the job done and have the right security controls around it – which many businesses don’t have, and which do cost time and money – then we’re avoiding those headlines. It’s introducing an overhead on all businesses, but it means we’re seen to protect our data properly, which makes us more trustworthy.
Key takeaways:
Thanks to Pete, Trupti and Andy for their thoughts. One thing’s crystal clear from all the experts we’ve consulted - businesses need to pay attention, and plan now, to be ready when GDPR comes into force next May. If you’re not sure what your business needs to do, get in touch.