How should marketers prepare for GDPR?

The General Data Protection Regulation 2016/679 (GDPR) is a regulation by which the European Union (EU) intends to strengthen and unify data protection for all individuals within the EU. The regulation comes into force on 25 May 2018.

So what exactly is the GDPR and how can you make sure your organisation is ready for this crucial piece of legislation? This Blue Paper looks at what GDPR is, what it means for marketers and how they can prepare ahead of its introduction.


What is the GDPR?

According to figures from the Department for Digital, Culture, Media & Sport, more than 8 in 10 people don’t feel they have complete control of their data. [1] GDPR has been designed partly to address this concern, with tougher rules around personal data being put in place, and new processes making organisations more accountable and transparent.

Businesses will be familiar with many of the law’s main concepts and principles, as they are similar to those in the existing Data Protection Act. However, the definition of personal data under GDPR is broader than under the Data Protection Act – ‘personal data’ now includes information such as IP address, internet cookies and any other data that can directly or indirectly identify a natural person. Under GDPR, consumers will also be entitled to ask an organisation to disclose what personal data it holds on them, and request that the data they hold be erased. Failure to comply with GDPR could bring heavy fines – up to £17 million or 4% of global turnover, whichever is higher.


What GDPR means for marketers

GDPR will drive many significant changes:

Brands must make it easy for customers to access their data
GDPR gives individuals unprecedented control over how their data is collected and used, extending to the point where they can ask organisations to both access it and request its removal. This means marketers must implement a system that makes it simple for people to access any information about them that they hold, and a process for erasing it, if requested.

Focus on why you are collecting data
GDPR outlines 6 different legal basis which allow organisations to hold and process personal data. An organisation may have the consent of an individual to process their personal data, but note that consent must be freely given, specific, informed, unambiguous in a clear affirmative action. Alternatively, organisations may rely on the fact that data processing is necessary for the purposes of the ‘legitimate interests’ pursued by the organisation – except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.


How do customers feel about data security?

GDPR is not an obscure regulatory change that will pass unnoticed by members of the public. Indeed, the law has been actively designed to put power in their hands – and many are eager to use it. According to a study commissioned by SAS, 48% of adults in the UK intend to take advantage of their new rights following the law’s introduction.

The same poll found that 15% plan to activate their new rights within a month of GDPR’s implementation. However, clear differences in the type of people interested in exercising their rights were identified. Whereas 21% of 45 to 54-year-olds plan to issue a request within a month of the GDPR coming into force, just 13% of 18 to 24-year-olds plan to do the same. Of course, this isn’t a green light for businesses with a younger target audience to feel relaxed about GDPR. Instead, it’s a reminder that they need to be fully compliant by the time May 2018 comes around – as there will be plenty of people eager to take advantage of their new legal entitlements. [2]


What data rights do adults welcome the most?

The SAS survey went on to examine which particular aspects of GDPR that British adults are happiest with – and uncovered some interesting findings:

* 64% welcomed ‘the right to access’ – being allowed to get a copy of personal data held about them

* 62% welcomed ‘the right to erasure’ – the chance to erase personal data from certain systems

* 59% welcomed ‘the right to rectification’ – being able to correct inaccurate or incomplete data

* 56% welcomed ‘the right to object’, so they can opt out of having data used for marketing and profiling

* 54% welcomed ‘the right to restrict processing’, for instance if they contest the accuracy of data

* 43% welcomed ‘rights in relation to automated decision making and profiling’, such as the chance to speak to an actual person if they disagree with an automated decision

* 38% welcomed ‘the right to data portability’ – e.g. obtaining and reusing data [3]


Could GDPR offer an opportunity to ease customer concerns?

With some high-profile data breaches hitting the headlines in recent years, it is understandable that data security has become more of an issue to the public – as evidenced by countless studies. For instance, research by TRUSTe/NCSA found that 92% of online customers worry about data security and privacy. [4] Similarly, a study by the Chartered Institute of Marketing (CIM) showed that 57% of consumers aren’t confident that brands will handle their data responsibly, while 40% are concerned that their details could be passed onto others without their consent [5].

As Chris Daly, Chief Executive of CIM, commented: “Customer data is essential for marketers to reach the right audience and meet customers’ needs and interests. Yet people are nervous about sharing personal data – fears of data breaches and misuse has them on high alert.”

However, the CIM survey showed that more than two-thirds of customers would share more personal information if organisations were more transparent about how it will be used.

“The solution is clear, marketers need to brush up on the rules, demonstrate clearly the value-add personal data offers in delivering a more personalised experience and ultimately reduce the fear by being open throughout the process,” Mr Daly said.

GDPR offers organisations an opportunity to go even further in providing a reassurance to customers that their data is being handled safely, securely and responsibly. Demonstrating compliance could therefore be an effective way of gaining and maintaining customer trust, and encouraging them to volunteer the information that could help marketers engage with customers more effectively in the future.


How can marketers prepare for GDPR?

Train members of staff on GDPR
It’s crucial that employees who regularly handle sensitive data are aware of their responsibilities under GDPR. According to the Ensighten study, nearly 1 in 4 firms have opted to fill skills gaps within their organisations by training existing members of staff about the new law, well ahead of its May implementation.

Seek third party support
The Information Commissioner’s Office (ICO), which will be responsible for enforcing GDPR in the UK, has a dedicated advice line to help small businesses prepare for the new law. This will complement the existing resources on the body’s website to help businesses of all sizes adjust to the new data protection regime, which include extensive texts and easily digestible infographics. The ICO’s support could be a valuable option for small businesses with limited resources, who might find other alternatives such as hiring data protection officers or consulting with legal experts prohibitively expensive. [6]

Work with data and technology partners on GDPR compliance
Many businesses routinely work with third parties or outsource certain functions to external partners. The law clearly states that responsibility for holding and processing personal data is shared between ‘data controllers’ and ‘data processors’. It’s therefore prudent to make sure all corporate partners are ready for the upcoming changes.

As Nina Barakzai, Head of Data Protection and Privacy at Sky, noted: “It is a good sign if partners are proactively discussing the law. The ones who don’t talk about it with you – you probably want to check it with them because it means they have been asleep. Most of our preferred suppliers have been planning for GDPR since 2013. We have contract clauses in place.”[7]


Marketers confident about the impact of GDPR

For all the significant changes that GDPR looks set to bring about, it should be noted that in general, UK marketers are confident rather than scared about the impact it will have. Indeed, a study by Ensighten revealed that two-thirds of those polled view GDPR as a strategic opportunity, while three-quarters believe it will lead to their approach to customer interaction and engagement being modernised. In addition, nearly, 7 in 10 said they think the GDPR will lead to them harnessing big data more effectively.

Ian Woolley, Chief Revenue Officer at Ensighten, commented: “As GDPR forces brands to re-approach how they interact with consumers, it will create a whole new meaning to the idea of the value exchange, ushering in an era of transparency that will change our industry for the better. The combination of growing digital marketing complexity and sweeping regulatory change makes for a challenging landscape for marketers. Yet by employing tools that simplify GDPR compliance and governance, marketers can focus resources on future-proofing their strategies and providing flawless digital experiences to customers.” [8]

The findings are backed up by a number of leading marketers, who believe businesses that already have robust data protection policies have little to worry about. For instance, Sherine Yap, Global Head of Customer Relationship Management at Shell, commented: “From my perspective, because we’ve taken this fairly vigilant approach, I don’t see a direct impact, not tangibly. So we’re in a very fortuitous position where we don’t have to rework a lot of what we’ve got or lose a lot of what we’ve got. We have to validate a lot of the permissions and a lot of the consent, but I actually think that’s going to be a bonus because for me we don’t have a lot of dead weight in the databases.”

Nina Barakzai of Sky is similarly confident, saying that if businesses are already operating a transparent and customer-centric data policy, the GDPR requires them to make only “an extra few tweaks”. “My task is not to ask ‘why have I got this data?’, which I probably already know, but how I demonstrate it,” she said. [9]


And Finally,

GDPR should benefit consumers and organisations alike. Brands must make sure they have a clear legal basis for holding and processing personal data. The new regulations should encourage marketers to be more focused and disciplined about what data is collected and how it’s used. Organisations should benefit from this more focused approach due to better targeted marketing campaigns and a more detailed understanding of their target audience.



Page 1 of 2