One year and counting, and still almost 25% of marketers have yet to act on GDPR
It is exactly one year until the new EU-wide General Data Protection Regulations (GDPR) come into force. But, as The Drum has found, many organisations lag behind where they ought to be if they want to avoid the potential heavy penalties in place for misuse of consumer data.
According to a survey from the Direct Marketing Association (DMA) released today (25 May), a quarter of companies (24%) have yet to even start a GDPR plan, while little over half of those surveyed believed their organisations will be ready for the 2018 deadline.
Lack of understanding about what the regulations mean, plus confusion over whose responsibility it is have plagued businesses until now, but as one consultant guiding brands on GDPR compliance told The Drum, pleading ignorance is not an option, and many brands are now in danger of leaving it too late to do little else.
The European Commission approved the GDPR data privacy legislation last year in what was widely considered to be one of the most wide-ranging reforms to be passed, with the regulations set to come into effect in May 2018.
At the heart of the new guidelines – which cover everything from a consumer’s ‘right to be forgotten’ to data breach notification and accountability – is a fine, standing at €20m or 4% of an organisation’s global revenue, which will be imposed on companies found to be falling foul of them.
To put it into perspective, if Tesco – which last year suffered a data breach affecting 40,000 customers – were to have been hit with the maximum penalty, it would have been out of pocket to the tune of £14.9m.
With such risk on the table, this should be the priority for any business which handles customer data no matter what form that takes. But, as recent statistics show, that’s not the case.
According to an earlier survey from YouGov and the Chartered Institute of Marketing (conducted last year), 16% of marketers don’t think GDPR is relevant to their business, and 9% said it had been mentioned in their offices but nothing had been formally discussed.
This seems to ring true. One top marketer at a UK brand told The Drum in March that they had been sent an email about GDPR compliance but didn’t know how their organisation was approaching it. They are not alone; the CIM found that only 6% of UK marketers fully grasp what the EU-wide privacy rules will mean for their business.
“Organisations are not really sure where it fits. It definitely has a legal dimension to it, but it’s also got a technology component – so you’ll have the chief information officer saying that they can look at the security piece and then marketers, who are saying the data is important to them but that it’s not their responsibility,” explained Russell Marsh, managing director at Accenture Digital.
“No one is taking responsibility for it because it is complex. And marketers like simplicity. So, they’re trying to move away from taking responsibility for it. But, ultimately it will be the marketers that it impacts most. Everyone holds their hands up and says yes it’s important but trying to work out how those different pieces of the organisation come together and work together to solve the problem is often the issue.”
To resolve that problem, many clients still need a third party to hold their hands through it, and in that regard business is booming for management consultancies like Accenture. Marsh said that since the turn of the year it has seen a considerable uptick in clients needing help, and it is scaling its own GDPR team and investing in risk assessment technology to help baffled executives get a grip of it.
“But [now] we’ll find there will be more press coverage and brands saying ‘oh my god we need to sort it out’ and then we’ll see a really massive spike in demand [for our services],” he predicted.
Board level buy-in
While it’s arguably the marketers who need customer data the most (ergo they should ensure the business is prepared), from what Marsh has witnessed, the companies getting it right are the ones where the chief executive officer has taken control rather than syphoning it off for legal or IT to deal with.
“Put together steering groups that pull together the legal, technical and marketing side of the business,” he advised. “Each of them will be looking at it through a slightly different lens and not one of them can solve the problem. When you find organisations that are only approaching it from one side you find holes in what they’ve put together.”
But for some businesses that is easier said than done, and some are finding it inherently faster to adapt. As Keith Moor, chief marketing officer at Santander, notes, it is a financial company and as such is already kept in check by various regulatory bodies. And it already handles huge amounts of data, so over the years it has developed robust systems to ensure it has the right permissions and infrastructure to manage it.
“As a bank we have to be ready for it because we handle huge amounts of data. Not that I’m disrespecting the work that FMCG companies have done in preparation but those businesses are not based on data in the sense that they build and make things,” said Moor. “Whereas our business is entirely reliant on data so our data architecture and infrastructure have to cope with and accept the GDPR implications. Consequently, we will adapt as required in the timescale.”
Similarly, Margaret Jobling, director of brand marketing at British Gas, said it hit the ground running when the new plans for regulations were announced as it already had a data team plus a chief information officer who took control. But, it is nonetheless seeking the advice of consultants to ensure it will be up to code.
“We have governance. There’s a lot of work going on and we’re working with consultancies on what we need to do and how we make sure we have the right marketing permissions as well as looking at those we’re missing,” she said.
For the likes of Santander and British Gas, preparing for the GDPR deadline could be as simple as redrafting policies. But for others, particularly companies that don’t have direct-to-consumer relationships, it is a harder task. Procter & Gamble, Mondelez and Unilever are all among the world’s biggest advertisers and rely heavily on third-party data, as well as what they glean from retailers or their own e-commerce platforms.
“If they’ve got multiple legacy systems and are collecting data from all over the place – Twitter, Facebook, cookie data, media data and sales data and that’s in different systems all around the organisation – then that’s a big problem to solve,” continued Marsh.
“They’ll have to think how to connect that technology, what the processes are, how that data is processed – they actively have to be able to show that – and then how they manage it and the opt-in/out.”
Global beauty giant L’Oreal has managed. UK chief marketing officer Hugh Pile said it has established two steering groups in its key markets, Belgium and Paris, in an effort to prepare its global company and develop a clear plan as to what this means for the business, including marketing, come next May. “We need to take it seriously,” conceded Pile.
But even if a business is investing time and resource to meet the GDPR criteria ahead of schedule, the Information Commissioner’s Office (ICO) – the body issuing the guidance – is making constant updates that mean it could still find itself out of date.
Chris Combemale, chief executive of the DMA Group, pointed to the example of the RNLI, which last year made the high-profile move to re-contact its entire database to make sure that it only contacts people who have positively opted in.
“They did this in consultation with the ICO, but prior to the publication of the recent guidance on consent. The statement they used does not meet the overly strict interpretation the ICO proposed,” said Combemale.
“Does this mean that all the work that RNLI has done, while consulting with the ICO, will not be compliant come May 2018? The result for the RNLI and other proactive organisations could be incredibly damaging and the financial impact could be catastrophic.”
It’s not just about your business being up to scratch
But as well as getting to grips with their own internal processes and aligning them to changing ICO guidance, these organisations will also have to ensure that any supplier they work with is also compliant (a prospect that might send chills down the spine of a marketer reliant on what P&G’s Marc Pritchard described as a “murky at best” media supply chain).
Accenture's Marsh described how his outfit works with brands: “Out of that we might find they’ve got a hole in terms of how the data is passed and used with agencies, we then advise them to get the legal team to look at those contracts... But we wouldn’t make legal judgement on whether [agencies] are following GDPR legislation.”
In that sense, marketers will rely on industry bodies like the World Federation of Advertisers (WFA), the Institute of Practitioners in Advertising (IPA) and ISBA, as well as the ICO, for guidance both in the lead-up to the new legislation being enforced and long after it.
“I sit on the ISBA council and this is something that we discussed earlier in the year and we need to partner with the WFA in making sure that we represent the needs of advertisers to the EU,” said L’Oreal’s Pile.
David Wheldon, chief marketing officer at RBS and president of the WFA, said the trade body will issue guidance on GDPR in the coming months, such as how its membership should approach compliance, plus what it will mean for the wider ecosystem in Europe.
A blessing or a curse?
While there is undoubtedly lingering confusion, concern and resistance to changing the system, there is also a growing sense of the opportunity that this will present to the industry.
Yves Schwarzbart, head of policy and regulations affairs at IAB UK, said during an Ad Week Europe panel session earlier this year that, while hugely challenging, it is a chance for many businesses to really understand what data they process and where it sits, as well as who has access to that data.
“More importantly than these things is how [brands] explain to users why they collect the data in the first place and how they use it. For me there is perhaps a misunderstanding about the value exchange and oftentimes companies would rather collect as much data and then find out later whether they can actually use it,” he said.
And as the public is given more of a say in how their data, their preferences and their networks can be used, Mark Ranacus, the chairman of the DMA board, believes brands that embrace the chance to show that they can be trusted will benefit from the implementation.
“We could say no. We could say this is bad for business. We could say it will be a disaster for marketing and for the economy because it will slow growth. But that isn’t true. Giving the public more control of their affairs is a huge opportunity.”