GDPR is a hot-button topic which is gaining traction in every form of news, from broadsheets showing the impact assessments to tabloid ‘scare-tactic’ articles to viral media online. GDPR will affect every organisation dealing with data about EU/UK citizens, and marketing will be one of the most heavily regulated industries as a result. Where the current legislation in the UK (DPA 1998) is designed to protect organisations and their interests, GDPR in May 2018 moves to protect the end users’ anonymity and freedoms: a key difference which will shut down many marketing agencies altogether.
As things stand, marketing companies have near complete freedom of data sharing, and are able to purchase bulk information from associated businesses. Think of signing up for a loyalty card in a store; that data can currently be passed on to marketing agencies (for a fee, of course) so that they can target their advertising towards a specific niche of consumers. One important thing to note is that data collection is currently ‘opt-out’, where steps have to be taken to avoid third-party handling of data. Under GDPR, all data collection will be ‘opt-in’ only, where a consumer must agree to have their data stored and used. This will be a huge blow to marketing firms across the UK and Europe, and the impact is already being felt within the industry.
To get around this, many marketers are using built-in ‘opt-in’ data collection on their websites and through mail marketing. You will probably have noticed the recent rise in sites displaying their cookie policy, usually taking up 1/5 to 1/2 of the screen and asking you to agree to data collection. Most of us will simply agree to this in order to have full use of the site, but now at least we have the choice.
The right to erasure is also a massive aspect of GDPR which will negatively impact marketing agencies: the right for any individual to request that their personal data be ‘purged’ from a directory, with a compliance time of 1 month at most. Over a quarter of UK consumers interviewed have said that they will use this right to preserve anonymity online, and to receive fewer marketing messages or calls. Unfortunately, again, for marketers everywhere, most companies simply do not have the infrastructure required to complete these requests. A surprisingly large number of companies still keep their records as hard copies, or in an unformatted way (think of a large spreadsheet, or several mini-repositories spread across a number of machines). This affects two aspects of GDPR: personal data collection and pseudonymisation. Personal data collection may still be used under GDPR, but only for services you have voluntarily registered for, or those with legal or medical concerns. Pseudonymisation is the big one with GDPR: separating parts of a consumer’s data so that no direct link can be made to a specific person.
If a company is caught using or collecting personal data under GDPR by the Information Commissioner’s Office (ICO), then the fines can be monumental: up to 20 million euros (~£18 million) or 4% of the company’s global annual turnover. Not profit, turnover. Obviously this is a huge factor which most companies need to consider carefully, as a single fine would bankrupt many small or low-profit-margin businesses.
The concept of ‘sensitive’ or personal data is also changing monumentally, and is one of the key aspects of GDPR reaching the news every day. Put simply, anything which can be used to identify an individual will be classed as sensitive data: everything from IP addresses, to phone numbers, to retinal scans and fingerprints, and especially medical records and employment. Any breach or misuse of sensitive data can be subject to the massive fines by the ICO and European body; it’s not worth taking the risk.
The main changes which will affect marketers are opt-in data collection, and the unauthorised contacting of people based on their personal data. If an agency contacts someone who has requested not to be contacted, either through unsubscribe or opt-out, then the ICO may step in with fines. Having the infrastructure to purge records such as these is critical, and already we can see many companies going under because of the new legislation.