Marketers need to act on the General Data Protection Regulation now, if they are to avoid putting business continuity at risk.
What is GDPR?
On 14 April 2016, the European Commission approved tough new data laws – the General Data Protection Regulation (GDPR). They will come into force in 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect their commencement.
It’s a major shake-up. More than 200 pages of major reforms will introduce concepts such as the consumer’s ‘right to be forgotten’, raise levels of verification for opt-in consent, demand that companies store consent permissions, and make unapproved data unusable. Companies that don’t comply could be fined up to 4% of their global turnover, or €20m.
According to Henley Business School, the new statutes are “a huge threat to business continuity for the marketing sector in the UK”.
Maybe, but the laws should not be a surprise for marketers. It took four years of discussions to reach this point. But, even if businesses have remained unaware of the path towards legislation, few can have missed the fact that the uses and abuses of customer data have been a hot topic for years.
Something was always going to be done, at some point. Especially as the original EU data protection directive, which the new laws will replace, was written in 1995. It is essentially a relic of a pre-internet age, and certainly not fit for purpose in this time of social media, cloud computing and the Internet of Things.
What about Brexit?
The Information Commissioner’s Office is the public body responsible for ensuring the UK is ready for GDPR. They have acknowledged there may be questions about how the GDPR would apply in the UK once we have eventually left the EU, but have emphasised that this should not distract from the important task of ensuring compliance. The ICO points out that with so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. So it seems safe to assume that there will be no escaping the level of standards set by GDPR even after Brexit.
What will GDPR mean for businesses and marketers?
The GDPR will bring definition, clarity and accountability to data practice. Much more than bringing in a code of ethics, it will enforce transparency and create a legal framework around the ‘Single Digital Market’.
For many marketers, it is likely to signal upheaval. All private and public organisations operating within the Eurozone that hold 5,000 or more customer records will have to assess and change their approach to the data they hold. GDPR will also affect global supply chains – for example, companies in India that hold data about EU citizens must also conform to the new laws.
For some companies, it could mean a laborious and expensive appraisal of data they – or their outsourced suppliers – already hold. For others, it will necessitate a radical overhaul of the way they do business.
It’s also likely that the demand for data protection officers – whether in-house or independent – will increase dramatically. Research by the data protection recruitment agency GO DPO EU estimates that in the financial services sector alone, around 33,000 companies might require a data protection officer in order to meet some of the new regulations.
Whose data is it anyway?
Customer data is essential for marketers to reach the right audience and meet customers’ needs and interests. Yet CIM’s recent research revealed that a shocking 92% of consumers do not fully understand where and how marketers, brands and organisations use their personal information and data, and one third (31%) said they have no idea about where and how their personal data is being used. Fears of data breaches and misuse have them on high alert.
And with two thirds (68%) of marketers confessing that they limit the sharing of their own data as consumers because they know how organisations will use it, this is extremely worrying.
In addition to this, only 16% of consumers admitted to always reading the available T&Cs before providing their personal data and more than a quarter (27%) admit to not knowing their data protection rights as a consumer.
However, two-thirds (67%) of customers actually say they would share more personal information if organisations were more open about how they will use it.
Getting it right
Marketers must recognise that the new GDPR regulations reflect a growing demand for reform among consumers, and the hope of putting an end to headlines about data breaches by household-name brands. But knowledge isn’t enough.
Compliance advice from the Information Commissioner’s Office needs to be acted upon now.
Data protection is no longer a talking point; it’s the new reality.
Chris Daly, Chief Executive, The Chartered Institute of Marketing