The impact of GDPR for Creative Agencies

What do Creative Agencies need to know for GDPR?

From the 25th May 2018 the General Data Protection Regulation will come into force across all the EU member states, currently 28 as follows: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. Clearly the UK will still be a member and therefore affected in the same way by this EU law, which replaces the Data Protection Act that has been around for 20 years. The regulation now comes with the full power of the EU courts, making it a legal requirement for all companies to adhere to the regulations or face heavy fines of up to €20 million or 4% of a company’s global annual income (whichever is the larger amount). Even after the UK officially exits the EU, the same legislation will largely apply, on the basis that many companies are still trading or performing some function in Europe and are therefore still liable under this regulation; this has been confirmed as extending globally to any company in any country processing European citizen data.

So, what does this mean for creative marketing agencies?

Data is everything in marketing and advertising. It gives an insight into the consumer: who they are, what they like, and what they want from a company. But in a world where ’data is the new oil’, there is a new control function to ensure that this is safeguarded, rather like all the issues we have had with Diesel recently! Here are a few points for marketers to bear in mind:

The Basics

Under European Parliament, GDPR will protect personal data for all individuals within the European Union (EU). This includes the export of personal data outside of the EU. Personal data can be anything relating to an individual within their private, personal, or public life. This includes names, photos, posts on social media sites, or a computer’s IP address. In fact, at the last count there were over 100 areas pertaining to personal data:

browser fingerprint; business contact; children; canvas fingerprint; call data record; cell location; contact information; convictions; cookies; credentials; credit card; credit information; criminal record; description; device fingerprint; device id; diary; DNA; drivers licence; duration; eavesdropping; email address; email content; employment; ethnicity; faceprint; family; fax; film; CCTV video; finance; fingerprint; gender; health; household Id; Local identifier; shared identifier; images; ip address; location; mapping; marital status; medical; membership; message monitoring; nationality; name; network id; personal activity; personal affairs; personal space; photograph; plugin; politics; postcode; preferences; private correspondence; private information; profiling; pseudonym; publication; publicity; purchase history; quantified self; race; reliability; religion; RFID; salary; sanctions; security; sexual orientation; sexual practices; SMS; social media; social security number; student; substance abuse; surveillance; taxation; tax residence; telephone; time tracking; trades union; works council; traffic; typing pattern; text message; voice message; voiceprint; wages; welfare; WIFI network; zip code

A Quick Summary

  • The data subject (individual consumer) must explicitly opt-in to allow personal data to be processed - pre-ticked boxes, or an assumption that consent is given by default, will not be sufficient.
  • Organisations will need to be specific about what will happen with the data.
  • A data subject has the right to withhold consent for their data to be processed, and the organisation should not stop them from using a service if they choose to do so.
  • The tracking of consent is mandatory. The data controller (organisation that collects the data) must know when consent was given.
  • Data subjects have the right to access information collected about them and a "right to explanation", in which they can ask why an algorithmic decision was made about them.
  • Organisations may appoint a data protection officer, who has the responsibility of ensuring the organisation is compliant with GDPR. This is only necessary if you are carrying out large-scale systematic monitoring of individuals, carrying out large-scale processing of special categories of data or are carrying data relating to criminal convictions and offences.

The Possibility of ’Slowing Down’

A couple of decades ago, data in marketing and advertising referred to simple things like demographics and response rates. Fast-forward to today, and we live in an interconnected world where information is everywhere. Directing and capturing this data enables businesses to build brands, and drive development and sales. A recent study by DataMeer found that customer analytics made up 48% of big data use in sales and marketing. This plays an important role in the prediction of customer behaviour. Marketers can target ads to an individual knowing information such as their annual salary, their internet browsing habits, and loyalty data. This allows marketers to get beyond campaign execution and focus on customer relationship management (CRM). However, with GDPR in place, there is a possibility that there will be a decrease in access to customer data, which may slow down marketers and restrict their ability to target individual consumers based on personal data collected.

Adapt to Survive

There’s no doubt that GDPR is going to shake up the digital marketing landscape. So, it is important for businesses to ensure they are ready to implement the changes necessary to comply by May 2018. With the possibility of a slow-down in the progression of marketing, ensure your business is ready to adapt and shift to tackle this. Don’t just accept it: do what you can to drive business development and sales, and plan ahead. Determine if and how you will be affected. Analyse your data processes, how data is:
  • Collected - get the specifics of your opt-in statement right
  • Recorded - this must be provable
  • Stored - privacy and safety are paramount
  • Retrieved - the data subject has the right to request access to data stored about them
  • Disclosed - you must be transparent about who you share details with and share responsibility with any third parties.
  • Erased - the data subject has the right to be forgotten.
The penalties for non-compliance are significant, so it is important to understand and be prepared to meet the requirements, whilst also striving to excel in business regardless of any new restrictions.

The Ready Reckoner for Consent

  • Separated from other terms – Request for consent must not be bundled in with other terms and conditions. This also means that consent cannot be a condition of signing up to a service unless this is a necessary aspect of having the said service.
  • Tracked and documented – You should keep thorough documentation that will demonstrate what consent has been agreed upon, how individuals were told of said consent, as well as when and how this took place
  • Third Party Names – If data will be passed along to a third party, the third party must be named. Simply providing a category that a third party falls under will not suffice
  • Individuals must actively opt-in – Tactics such as having the pre-ticked opt-in box will not be accepted. Under the new regulations, individuals need to actively and explicitly tick the opt-in box, and the instructions for them to do this must be given in a concise, clear and unambiguous manner
  • Withdrawing consent – Individuals must be provided adequate guidance and information as to how to withdraw their consent. This should be a simple process and be made clear to them from the outset
  • Duration their data will be held – Might be worth considering stating how long the information will be held for, as well as preferred durations

GDPR: The Opportunity?

GDPR can be a fantastic opportunity for creatives: your clients will be looking for new and exciting ways to increase inbound activity, and that's where you come in. Rather than sending 1000s of emails nobody engages with, look at the opportunities of creative inbound campaigns. It's not all doom and gloom!

Conclusion – Don’t Panic.

There’s been some scaremongering around the topic of GDPR. The usual offenders, The Sun, posted a catchy headline earlier this year that reads "Builders, cleaners, and gardeners could face huge fines just for sending an EMAIL to drum up business thanks to draconian EU laws on data protection". This reads in line with their usual over-exaggerations, and although GDPR is presenting business with the biggest adjustment in data protection laws since The Data Protection Act 1998, it is evident that an update was well overdue. The individual is at the heart of GDPR. It is, after all, designed to protect them. That includes me and you, and everyone you know within the EU. With all the excellent things that consumer data can offer the marketing and advertising industry, hackers also have nefarious motives to get their hands on this information. So, it’s important to remember that it isn’t about making life difficult for businesses but in the best interest of us all. It may be a relief to know that the first sanction is a written warning in the case of non-intentional non-compliance, and if you check out the ICO’s website you will see that cases and fines are levied in line with the breach.

What Next?

If you are unsure of what to do next or would like to know more, we can guide your journey towards GDPR compliance with our easy, affordable and jargon-free approach. Simply click here to book a call with one of our consultants. Alternatively contact us here: