What do Creative Agencies need to know for GDPR?
From the 25th May 2018 the General Data Protection Regulation will come into force across all the EU member states, currently 28 as follows: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. Clearly the UK will still be a member and therefore affected in the same way by this EU law, which replaces the Data Protection Act that has been around for 20 years. The regulation now comes with the full power of the EU courts, making it a legal requirement for all companies to adhere to it or face heavy fines of up to €20 million or 4% of a company’s global annual income (whichever is the larger amount). Even after the UK officially exits the EU, the same legislation will largely apply, on the basis that many companies are still trading or performing some function in Europe and are therefore still liable under this regulation. This has been confirmed as extending globally to any company in any country processing European citizen data.
So, what does this mean for creative marketing agencies?
Data is everything in marketing and advertising. It gives an insight into the consumer: who they are, what they like, and what they want from a company. But in a world where ‘data is the new oil’, there is a new control function to ensure that this is safeguarded, rather like all the issues we have had with Diesel recently! Here are a few points for marketers to bear in mind:
The Basics
Under European Parliament legislation, GDPR will protect personal data for all individuals within the European Union (EU). This includes the export of personal data outside of the EU. Personal data can be anything relating to an individual within their private, personal, or public life. This includes names, photos, posts on social media sites, or a computer’s IP address. In fact, at the last count there were over 100 areas pertaining to personal data:
browser fingerprint; business contact; children; canvas fingerprint; call data record; cell location; contact information; convictions; cookies; credentials; credit card; credit information; criminal record; description; device fingerprint; device id; diary; DNA; drivers licence; duration; eavesdropping; email address; email content; employment; ethnicity; faceprint; family fax; film; CCTV video; finance; fingerprint; gender; health; household Id; Local identifier; shared identifier; images; ip address; location; mapping; marital status; medical membership; message monitoring; nationality; name; network id; personal activity; personal affairs; personal space; photograph plugin; politics; postcode; preferences; private correspondence; private information; profiling; pseudonym; publication; publicity; purchase history; quantified self-race; reliability; religion; RFID; salary; sanctions; security; sexual orientation; sexual practices; SMS; social media; social security number; student; substance abuse; surveillance; taxation; tax residence; telephone; time tracking; trades union; works council; traffic; typing pattern; text message; voice message; voiceprint; wages welfare; WIFI network; zip code
A Quick Summary
- The data subject (individual consumer) must explicitly opt-in to allow personal data to be processed - pre-ticked boxes, or an assumption that consent is given by default, will not be sufficient.
- Organisations will need to be specific about what will happen with the data.
- A data subject has the right to withhold consent for their data to be processed, and the organisation should not stop them from using a service if they choose to do so.
- The tracking of consent is mandatory. The data controller (organisation that collects the data) must know when consent was given.
- Data subjects have the right to access information collected about them and a "right to explanation", in which they can ask why an algorithmic decision was made about them.
- Organisations may appoint a data protection officer, who has the responsibility of ensuring the organisation is compliant with GDPR. This is only necessary if you are carrying out large-scale systematic monitoring of individuals, carrying out large-scale processing of special categories of data or are carrying data relating to criminal convictions and offences.
The Possibility of ‘Slowing Down’
A couple of decades ago, data in marketing and advertising referred to simple things like demographics and response rates. Fast-forward to today, and we live in an interconnected world where information is everywhere. Directing and capturing this data enables businesses to build brands and drive development and sales. A recent study by DataMeer found that customer analytics made up 48% of big data use in sales and marketing. This plays an important role in the prediction of customer behaviour. Marketers can target ads to an individual knowing information such as their annual salary, their internet browsing habits, and loyalty data. This allows marketers to get beyond campaign execution and focus on customer relationship management (CRM). However, with GDPR in place, there is a possibility that there will be a decrease in access to customer data, which may slow down marketers and restrict their ability to target individual consumers based on personal data collected.
Adapt to Survive
There’s no doubt that GDPR is going to shake up the digital marketing landscape, so it is important for businesses to ensure they are ready to implement the changes necessary to comply by May 2018. With the possibility of a slow-down in the progression of marketing, ensure your business is ready to adapt and shift to tackle this. Don’t just accept it: do what you can to drive business development and sales, and plan ahead. Determine if and how you will be affected. Analyse your data processes, how data is:
- Collected - get the specifics of your opt-in statement right
- Recorded - this must be provable
- Stored - privacy and safety is paramount
- Retrieved - the data subject has the right to request access to data stored about them
- Disclosed - you must be transparent about who you share details with and share responsibility with any third parties.
- Erased - the data subject has the right to be forgotten.
The Ready Reckoner for Consent
- Separated from other terms – Requests for consent must not be bundled in with other terms and conditions. This also means that consent cannot be a condition of signing up to a service unless it is a necessary aspect of having the said service.
- Tracked and documented – You should keep thorough documentation that demonstrates what consent has been agreed upon, how individuals were told of said consent, as well as when and how this took place.
- Third Party Names – If data will be passed along to a third party, the third party must be named; simply providing a category that a third party falls under will not suffice.
- Individuals must actively opt-in – Tactics such as having a pre-ticked opt-in box will not be accepted under the new regulations. Individuals need to actively and explicitly tick the opt-in box, and the instructions for them to do this must be given in a concise, clear and unambiguous manner.
- Withdrawing consent – Individuals must be provided with adequate guidance and information as to how to withdraw their consent. This should be a simple process and be made clear to them from the outset.
- Duration their data will be held – It might be worth considering stating how long the information will be held for, as well as preferred durations.