DIGITAL DISCOURSE (#2) ON... GDPR
ON THE PANEL THIS TIME:
Let's begin with a question for the digital marketers. It's now little under a year until GDPR comes into force officially (May 2018) - have you even begun to prepare? And do you even know where to start?
I've started a GDPR consultancy. Does that count as being prepared?
I can imagine that, by now, a marketing lead may have been nominated in many organisations, but I can also imagine that - in terms of how it's planned and then rolled out, other things have got in the way. 'Us marketers' know it's important though.
One of my customers was in the same boat. Someone took the lead, but with daily operations still needing to continue and the vastness of the piece they didn't get far - so they enlisted me.
GDPR is such a hot topic, there's a lot of content available on the matter now. We're no longer sure where to get accurate information from. Do you have any tips?
The ICO directly explains everything you need to know. They also release responses to questions regularly and clarify the regulation for the UK. The 'consent' piece for example is still waiting to come to define exactly what's acceptable and what's not in terms of how you word your intentions etc.
To know what advice to listen to now is to understand what approach you will take. Risk-based, ethics-based or compliance-based. Understanding this, you can sort through the information to figure out what technology is required (if it's required), and what changes need to be made.
Also, don't be scared to download and read the regulation. Skip the recitals, but the actual Articles are quite readable (ambiguous yes, but they do give clear guidance in some areas).
Would it be fair to say that most digital marketing teams are nowhere near prepared at this point?
Most haven't heard of it. I spoke to an agency selling databases who hadn't.
Not if they are still asking “What is GDPR....” :-)
I recently attended a digital marketing event, and it’s safe to say that approximately five people were really aware.
What are some of the common 'myths' associated with GDPR?
That “it's an IT issue” - it's not. Granted, technical tools help with mitigation and also continuity, and are critical - as they are typically quick wins. However, the majority of regulation focuses on people and organisational controls, and in particular third party contracts.
So be cautious if a vendor says their software makes you compliant.
At the moment, all I do is evaluate GDPR technology, and there isn't a comprehensive solution from anyone. There are some very good solutions which deal with very specific aspects - such as the obligation to ensure your supplier chain is compliant too.
There isn't a single system available that provides a complete solution. There are some good solutions out there, and some are good for consultants to use for smaller clients.
The tech side comes along when a company has gone through GDPR consultancy and made changes to its processes and procedures.
There are so many aspects of GDPR to which you could apply tech: encryption, data location, data use logging, supplier management, breach detection, breach notification, data loss prevention.
It will only be very rich companies that can afford to do it all.
Do you think there are any obvious pitfalls digital marketers should look out for - especially when it comes to things like how forms are set out on a company website, for example?
One of the important things is to know where your data is: on your own servers, hosting company, cloud provider (Dropbox, etc) or with a cloud service provider (HubSpot, etc).
“Do not tick an opt in box by default” would seem to be the most obvious one.
Yes, NO assumed or pre-ticked boxes. Get people to actually click the box so the tick appears, if they want to opt in to receiving email / text messages / postal communications. Evidence of opt-in could be required if ever a complaint is made, or a customer requests what info you have on them - and what you are doing with it.
The ICO website in general is worth bookmarking - a lot of this is what people should have been doing all along. Many don't realise the enormity of the current potential fines under PECR and DPA of up to £500k. They will get a wake-up call when the ICO recruit another 40% of officers to enforce things next year, and start making examples of people.
When its €20m (£17m) or 4% of GLOBAL turnover (whichever is more) - crikey!
I thought unticking the box was a given even now? Is it that it basically becomes mandatory after next May? I mean, that's 'best practice' right now.
A company’s website and data collection point is the first indicator of non-compliance. It will be the most evident, and I would say the first place the authorities will go.
GDPR will force companies to take information security and privacy seriously. One of the key statements within the regulation is that “businesses will be expected to implement appropriate organisation and technical controls"
The key message is to do something, document it and focus on high risks (one bite at a time), otherwise the entire compliance path becomes too onerous.
For digital marketing, the core of GDPR is the data governance. What data you hold, where is it held, who sees it, why is it gathered, is too much held, is it accurate, how long is it held for, and so on.
As mentioned above, this really needs to be the starting point and focus before any technology is considered. Some companies hold data for 30 years. What data that is 30 years-old is still accurate or relevant?
GDPR consultants: What are the most common things you've seen when you've been advising / consulting on the subject?
One of the top questions we get asked by clients is: “Do I need to worry about this, with Brexit looming?”
The answer is a clear ‘yes’. The government have been clear that GDPR will be absorbed into UK law as part of the repeal bill.
Additionally, GDPR should be viewed as a journey. Every business will benefit by adhering to the regulation where appropriate. I refer to the recent IT issues with the NHS and British Airways!
Finally, the regulation is quite clear for companies without equivalency laws - potentially the UK would be treated as a third country - which essentially makes it illegal for EU companies to share Personally Identifiable Information (PII) with UK companies.
Do you think digital marketers have a 'duty' to make senior managers aware and make them understand GDPR? (I'm talking C-suite and board here.)
At the end of the day, a data breach, non-compliance, or any issues in data governance will cost the business, and therefore should be a concern for C-suite executives.
When the board / directors realise they could be accountable / personally liable, they will soon pay attention. Every department needs to own and run with this. No slopey shoulders; assuming it's “someone else’s task”. It could be a costly buck to pass…
Interestingly, if a Data Protection Officer (DPO) makes a recommendation to a company and the directors do not apply it, then they become personally liable. So, senior managers should make themselves aware if they don't want to pay personal fines.
And I’m sure that such behaviour will also have an interesting effect on Directors Liability and Cyber insurance policies.
GDPR aside, has any company ever benefited from lost, leaked or stolen data? Of course not. The regulation is designed for more protection for citizens in a fast-changing cyber world. Without going the next step to protect more data, companies are only doing themselves a disservice. Fines or no fines.
How is it all going to be enforced? What should marketers fear?
I wonder how efficiently and effectively local government and central Government will embed this into their systems. Some might say that these organisations already have a tarnished record with handling data…
You might find that 'mystery shoppers' start to subscribe to your various marketing methods now, and will be monitoring how you operate up until (and after) May 2018.
I expect examples to be made of businesses across the board - not just the ‘big boys’ and corporations. If the ICO are increasing agents by approx 40%, I would imagine that as soon as May 25th 2018 comes, they will be looking for organisations / people to make examples of, in various industries.
The ICO is recruiting more staff, and already have been fining companies for non-compliance and data loss (e.g. one mortgage company was fined £150k for losing an external hard-drive with customer data on it).
The ICO have recently extended their senior leadership teams, with the appointment of a senior SRA compliance director.
In terms of what marketers should fear - data subjects’ increased rights around subject access requests, objections to marketing, and “the right to be forgotten” - to name a few things.
They need to ensure that their IT systems allow them to meet the new data subject rights. Also, at time of data collection, they need to ensure they meet the relevant articles around informing and consents.
Another big pitfall is around third-party-sourced data. The onus will be on you, as the data controller, to demonstrate consent was collected.
This could mean a natural end to B2B / B2C agencies that sell targeted customer data lists.
Marketers should also fear other marketers. I wouldn’t be surprised if we hear of underhand people using this new regulation to put competitors out of business - or at least reporting them to the ICO to get competitors investigated and potentially fined - which could impact business in a big way.
Get compliant, and use it to differentiate yourselves from the competition. It could win you business if you are seen to be taking this all seriously, ahead of the changes.
Chris, that is a very valid point, and an interesting perspective!
Most businesses feel their most likely risk is that the ICO will investigate them directly via a targeted campaign. However, it's far more likely to be an ex-employee or a data subject that lodges a complaint with the ICO - which they then have to investigate.
Here’s another question for you. I have to unsubscribe / mark about six or seven emails as spam on a daily basis.
Currently, I get sent to an unsubscribe page, which allows me to choose the box I think best ‘fits the crime’. If this was happening to me in June 2018, will my experience be different – and if so, how?
Or will the actions I take in marking as spam / unsubscribing have more of a negative impact on those firms in terms of future deliverability / blacklisting etc?
As well as hitting ‘unsubscribe’, you will be able to be ‘forgotten’ or ask for them to transfer you all the data they hold on you (data portability).
Companies will also need to be able to prove that they have ‘forgotten’ you, or have the correct permissions to process your data (including having your permission to email you).
And you will have very strong rights if they continue to contact you. More info can be found here.
Also, firms will need to allow you to withdraw consent as easily as it was given. No more ‘write a letter to an address’ if consent was initially collected electronically.
So are you saying that they could still spam me anyway, but they'll only get away with it the once...?
For EU based marketers – yes. Outside of the EU, legal enforcement could prove challenging.
GDPR states that companies need to be represented within the EU to liaise with their local supervisory body (ICO for the UK). However, I suspect this will be one of the many areas where litigation will set a requirement.
Fi asked a question earlier in the thread about digital marketers having a duty to inform senior managers on the depth and impact of GDPR. As a business in the creative and marketing space, I would say we have a duty to fulfil to every client we have ever acted for to bring them up to speed, or point them in the right direction for help from specialists.
If we don't, and they get fined, surely they could claim ignorance and blame the provider of their digital and marketing services?
Also, if a business chooses not to adhere to change, could we seek their signatures on a document which acknowledges they have been advised to change by us?
What about if you're an in-house marketing department?
The regulation is clearly that Information Privacy (and Security) Risk needs to be discussed at a senior level. This is made very clear in the final Working Party 29 guidelines on a DPO. Several key paragraphs are important in this context - this is verbatim from the guidance:
"DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor."
"The DPO must have the resources necessary to be able to carry out his or her tasks. Depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO: active support of the DPO’s function by senior management…"
So whether you appoint a DPO or not, GDPR really enforces a company-wide culture. This is not an "IT Problem".
Good comment Rory. It needs to be owned by everyone from the top down. Everyone needs to be aware and build it into the way they work.
Like many things, you may need a little help to get started, but the more people start doing what is needed, it just becomes the standard way of working. The problem at present is that everyone works in different ways - often in the same role, and in the same business.
I believe that process and procedures - and re-educating people to think before doing - will help a huge amount.
If a business is investigated, and seen to already be underway with a programme of compliance, the ICO are more likely to be lenient on measures taken - compared to businesses who are not even started with getting ready.
Chris, valid points - the regulation is quite clear (even when you have an appointed DPO) the buck stops with the organisation.
Unless you're either a joint data controller or data processor - that's where you need robust contracts in place to cover yourself and limit any liability - however GDPR states this is primarily under the remit of the data controller.
Contracts are critical if you share data with downstream providers! I suspect the current environment where suppliers offer contracts will lead to numerous litigation cases.
This is another aspect where reality and the regulation are at odds to some degree, and where the courts (or hopefully Working Party 29 will offer additional guidance) will hammer it out.
Good info. So the ICO website is a genuinely good source of information.
There was mention of technology enabling GDPR earlier.
From our perspective (in Cyber Security), there is no such thing as ‘100% secure’. All we ever try and do is enable businesses to be more secure than the next and more secure than the next one - but the key thing is to be continually improving and enable a culture of security.
The security threat landscape changes so quickly that this progressive change is one of the reasons you can never tick a box and say "I am secure", and in the same way, you can never tick the box for GDPR compliance - it is a continuous process.
As for benefiting from stolen data, it is for sale on the Dark Web, so someone somewhere is making money from it. However, what we have not seen before is someone contacting a pwned user, telling them where their data was taken from, and asking if they wish to pursue a claim.
I am sure we have all had PPI calls at some point in the past, so you can imagine the next growth industry in the call centres! From a technology perspective, an important message is that deploying the latest "cutting edge technology" does not have to involve spending more of your budget. Often, you can save - and get far better value.
The ICO is offering one-day advisory visits for free. BUT, would that put you on a radar to be re-investigated - and action taken - if work was not carried out to ‘right the wrongs’ in a certain timescale?
At least it shows you’re being proactive. Either way, ignorance will be no form of defence.