On 28th September 2017, the techUK Marketing & Sales Group heard from three speakers about how GDPR will impact various aspects of marketing. Marketing Consultant, Ben Wheeler, was in the audience and summarises what he learnt below.
Readers of Insights will know that techUK regularly cover GDPR issues. Earlier in September, we looked at what employers need to know as well as what GDPR means for big data, analytics, the cloud and AI. This event ended a busy month by shining the spotlight on marketing.
The Lawyer’s Perspective - Gabriel Voisin, Bird and Bird
Gabriel started his session by addressing the financial and reputational costs behind a data breach, citing the example of Sony, and the fines that can be placed on organisations that break the data rules when sending marketing emails. The clear message was that GDPR compliance will make sound financial sense.
Gabriel then explored what constitutes personal data. GDPR will require organisations to be aware of the additional categories of data that apply: personal data will now include location data and online identifiers such as device IDs, cookie IDs and IP addresses. Sensitive personal data will now include genetic and biometric data.
One of the main aspects of GDPR is that the rules surrounding consent to data being held will be stricter - and that organisations need to be aware of this. What’s more, organisations will bear the burden of proof - so they must keep good records that demonstrate who consented, when and what they were told at the time. Gabriel suggested that, where organisations could not be satisfied that existing consent was given in line with GDPR requirements and properly documented, then consent should be renewed. He suggested incentivising people to renew their consent.
Much consent-gathering currently takes place through email sign-up boxes. Gabriel used a visual to demonstrate that many of the typical broad-brush ‘consent to everything’ approaches won’t work with GDPR.
The Compliance Perspective - Dave James, Ascentor
Making the point that cyber security and data protection go hand in hand, Dave started his session by quoting Elizabeth Denham, the UK Information Commissioner at the ICO. Speaking at the CBI Cyber Security Conference on 13th September 2017, she said: “Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties...”
Ascentor specialises in cyber security, so the key points made about GDPR compliance were based on good information risk management (IRM). Even before the advent of GDPR compliance, good information security should never have been an afterthought, but embedded at the outset of a project. Describing a Cyber Security 101, Dave explained how organisations should identify their information, locate it and protect it: “GDPR is for life not just for Christmas - you need good governance.”
Dave went on to describe Ascentor’s practical steps to achieve GDPR compliance, starting with identifying and locating data through a pragmatic data audit, with good practice examples from the ICO and the Direct Marketing Association (DMA). He also suggested a risk-based approach with a privacy impact assessment.
The next step is to protect data and mitigate risk - with the Cyber Essentials Scheme a good starting place. Organisations should write meaningful and understandable policies (on topics such as Bring Your Own Device (BYOD)) and get buy-in. Finally, he suggested using information security frameworks such as IASME/ISO27001 and following them explicitly.
The Marketer’s Perspective - Dan Holt, BOSS Digital
Dan’s talk moved away from the legal and compliance areas and speculated on the potential shape of GDPR from a marketing perspective, and the opportunities it may create. Building trust between the public and organisations holding data was a major part of Dan’s talk.
He cited recent research from The Harris Poll showing that, after dishonesty or intentional wrongdoing, the next most damaging factors on consumer trust are data breaches or misuse of personal information - something that GDPR is designed to prevent. Dan said that GDPR matters because lost trust has profound implications for a company’s customer referral, conversion and retention rates - it affects the bottom line.
He drew the distinction between B2B and B2C marketing, explaining that the marketing implications of GDPR will be most profound for consumer marketing, that is, marketing to the individual. That’s because all users must have opted in for email and SMS before receiving any direct marketing. With B2B marketing, with some exceptions, cold email/SMS will generally be permitted without consent. Dan reinforced the point that sole traders must be regarded as consumers – an interesting curve ball for anyone thinking otherwise.
Dan felt GDPR would be a good opportunity for businesses to get their data in order - citing the examples of old databases and email lists stored on Mailchimp. He made the point that a cleaner database means higher levels of engagement and less wastage on ineffective advertising.
GDPR also offers an opportunity for differentiation. By taking the initiative with these strategies - or at the very least making it clear that you are embracing GDPR and operating legally and transparently - you are making an important statement to your customer, whether consumer or business.
Slides could be downloaded from the links below.