GDPR is coming, whether marketers are ready or not. A recent DMA Survey found that 70 per cent of marketers were most concerned about how the GDPR would affect marketing consent. Let’s focus on that issue and try to get our heads around exactly what will need to change, and why.
The Good Old Days
First, let’s go back a few years to the ‘Wild West’ days of data protection. In those days gone by, some companies didn’t think twice about buying briefcases full of email addresses from service station car parks up and down the country.
I remember on one occasion, at a previous company, I was offered five million email addresses for the princely sum of £100. When I enquired where the email addresses came from the reply was “you don’t want to know”. I passed on the opportunity, but I knew a few people who would have jumped at the chance.
Data protection and privacy in those days was lax, to say the least. There were still regulations, but the average consumer was not as aware of their rights as they are today. Regulations have tightened up, and marketers these days have a robust set of guidelines in place to ensure they only contact people who want to hear from them. Customers also have far more recourse today if marketers do overstep these boundaries.
In fact, individuals are becoming even savvier about who they share their data with and why. Consumers, in the main, are still happy to offer up their data, but they want a real value exchange for doing so, and more control over how that data is shared.
The evolution of data protection is set to continue and become more stringent with the introduction of GDPR. Even though the government has already triggered Article 50, there will still be two years of negotiations before the separation of UK and EU takes place. In addition, the UK Government have confirmed that we will still need to adhere to the GDPR guidelines to continue to do business with EU countries. Given that the GDPR comes into force in May 2018, it is inevitable that companies will need to prepare for this regardless.
What some may not realise is that the new GDPR was adopted by the EU in April 2016 and was given a two-year transition period, hence the fast-approaching public introduction date of 25 May 2018. When the GDPR comes into force, all organisations that process the personally identifiable data of EU citizens will be required to abide by its provisions, which, in the UK, will supersede the provisions of the Data Protection Act.
Sign Me Up!
Whilst there are many implications in the GDPR, let’s drill down into consent. We know that’s what is most concerning to marketers, and in the same DMA Survey, email was deemed to be the channel most likely to be affected (89 per cent).
Article 4 of the GDPR defines consent as:
“…any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
Let’s Break This Down:
Freely given – There must be a ‘genuine and free choice’. You cannot make a service or contract conditional on providing consent if the processing of data is not necessary for the performance of that contract or service.
In addition, as well as being freely given, it must be just as easy to withdraw that same consent. No light grey 8pt unsubscribe links on a white background!
Specific and informed – To be specific, data processing consent should be separate from other forms of consent or actions, such as consent to the terms of service or consent to share data with third parties.
In addition, being informed requires the data subject (the customer) to be aware of the purpose in collecting the data and who will be processing that data. They also need to be informed about their rights, such as the ability to withdraw consent or object to certain types of data processing.
Clear affirmative action – As a further explanation to this, Recital 25 states that: “This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.”
Implied consent will no longer be enough.
A user simply leaving a pre-ticked consent box ticked would not count as a clear affirmative action.
Another change related to consent is the shift towards more organisational accountability. Data controllers will need to be able to demonstrate a clear audit trail of the consent-gathering process. This includes not only storing the fact that a user has given consent, but also what the terms of that consent were.
The letter of the law here states that the data controller would need to store the wording of the policy that explains the consent, as well as the fact that consent has been given. If the policy wording changes, the data controller will need to retain all legacy versions of the policy and record the policy version to which each consent relates.
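As an added illustration (not code from the original post) of what such an audit trail could look like in practice, here is a small append-only consent ledger in Python. The purpose and method labels, and the rule that the most recent grant or withdrawal decides, are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked"}  # labels assumed for this example

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # consent is recorded per purpose, e.g. "email_marketing"
    granted: bool         # False records a withdrawal
    policy_version: int   # which wording the subject saw
    policy_digest: str    # sha256 of that wording, so later edits are detectable
    method: str           # how the consent (or withdrawal) was signalled
    recorded_at: str      # ISO-8601 UTC timestamp
class ConsentLedger:
    def __init__(self):
        self.policies = {}   # version -> full wording; old versions are never overwritten
        self.events = []     # append-only audit trail

    def publish_policy(self, text):
        version = len(self.policies) + 1
        self.policies[version] = text
        return version

    def _append(self, subject_id, purpose, granted, version, method):
        if version not in self.policies:
            raise ValueError(f"unknown policy version {version}")
        digest = sha256(self.policies[version].encode()).hexdigest()
        self.events.append(ConsentEvent(subject_id, purpose, granted, version, digest,
                                        method, datetime.now(timezone.utc).isoformat()))

    def record_consent(self, subject_id, purpose, version, method):
        # Silence, inactivity or a pre-ticked box is not consent: refuse to record it.
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"'{method}' is not a clear affirmative action")
        self._append(subject_id, purpose, True, version, method)

    def withdraw_consent(self, subject_id, purpose, version):
        self._append(subject_id, purpose, False, version, "withdrawal")

    def has_consent(self, subject_id, purpose):
        # The most recent grant or withdrawal for this subject and purpose decides.
        for ev in reversed(self.events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev.granted
        return False

    def audit_trail(self, subject_id):
        # Every event paired with the exact wording in force when it was recorded.
        return [(ev, self.policies[ev.policy_version]) for ev in self.events if ev.subject_id == subject_id]
```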
The GDPR gives the country’s regulators the ability to impose huge fines for non-compliance. Article 79 states that infringements of the basic principles of processing, ‘including conditions for consent’ can be subject to the highest level of fines, which may be the higher of €20M or 4 per cent of “total worldwide turnover of the preceding financial year”. That’s turnover, not profit!
As you can see, non-compliance is simply not an option and the clock is ticking. Some of the nuances of the GDPR may not be fully known until they are enforced by the ICO or even tested in Court. For most marketers however, getting legal and valid consent as well as the storing and documenting of that consent is something that you should be preparing for now. If you need any help in preparing for GDPR, please get in touch with us at RedEye.