
The implications of GDPR on digital media

By Lucy Cunningham, Head of mobile



The Drum Network article

This content is produced by The Drum Network, a paid-for membership club for CEOs and their agencies who want to share their expertise and grow their business.


November 27, 2017 | 7 min read

The General Data Protection Regulation (GDPR) comes into effect in May next year and is currently the hot topic across the industry, with both sides of the supply and demand chain needing to work out exactly what it is going to mean for them.


The regulation is a new set of rules that are designed to improve how much control individuals have over their personal data.

The implications of GDPR on digital marketing

From an agency media planning perspective, it won’t directly affect those of us in advertising. However, it will affect what data we can buy for our clients, and therefore potentially hamper campaigns and strategies unless we are ahead of the curve.

Regarding the implication on digital marketing, it looks like location, IP and device ID will be included. Part of the issue with GDPR is that it contains grey areas, so no one seems sure exactly how it is going to affect them. The key one for me is what constitutes ‘personal information’. This is going to cover more than our traditional concept of personally identifiable information (PII).

Failing to comply with GDPR will result in fines of up to 4% of annual global turnover. Demand side platforms are going to have a duty to make sure that every source of data they buy and sell is audited, and there is precedent for ad partners being fined for gross negligence. In 2016, mobile ad partner InMobi were fined $950,000 for privacy breaches – for not only failing to gain consent for tracking hundreds of millions of users’ locations, but also directly ignoring consumers’ clear privacy preferences.

The consumer is theoretically the beneficiary of increased data protection. However, this is also likely to remove some of the more targeted advertising that occurs.

I would personally rather see relevant adverts for products I am likely to buy (which GDPR will hamper) but this should mean the end of incessant ‘spray and pray’ retargeting campaigns. No longer will consumers be followed around by a B&Q spade for the rest of time.

Establishing explicit consent from users

Consumers are now going to need to be re-informed about what data is being collected on them, and will need to be offered a way of opting out. One way to tap back into these data sources is to encourage or mandate user sign-ups as a reward for content. The BBC have recently done this and are setting a clear precedent for other publishers going forward.

Establishing explicit consent from users is going to be paramount if publishers are to comply with the new GDPR rules. But finding an unobtrusive way to do this will be the challenge for them going forward. Organisations are seeking help to ensure they are GDPR compliant, with 48% of those surveyed by Varonis obtaining a Data Protection Officer already, with a further 36% looking to hire someone to fulfil that role in the next 12 months.

With precedent of fines among ad partners for data privacy breaches, it is important agencies maintain their responsible attitude to data privacy. This means an extra level of vigilance when GDPR comes into effect. All data transfers will need to take place via a third party onboarding partner to ensure that ourselves, our clients and our partners are not exposed to any risk. When purchasing media on a client’s behalf, it is imperative that we ensure who we work with is following data laws to the letter.

GDPR legislation as ‘common sense’

GDPR will signal the first time Europe is governed by one definitive set of rules to follow regarding data. However, according to the 2017 Risk: Value Report commissioned by NTT Security, less than half of global executives believe GDPR compliance is relevant. Theoretically, this should be a good thing for marketers as it should ultimately eradicate the less clean players in the market; if you cannot clean up there’s an argument that you shouldn’t be sitting at the table in the first place. Bernard Marr, of Hiscox, the small business knowledge center, has largely referred to the GDPR legislation as “common sense,” so we have to hope that this is the case when it comes to implementation of the new rules. It will also be interesting to see in practice how this is enforced.

While there are large and scary penalties on the table, the practicalities of enforcing these penalties will be interesting to see.


Regarding risk, the current penalty from the Information Commissioner's Office (ICO) is £500,000. The 4% of worldwide turnover fine stretches to €20m. While £500,000 is not an unsubstantial amount of money, it pales in comparison to what the penalties can now reach, and has the capability to topple a business. It is imperative that agencies are helping to guide their clients on this topic, not only from a media standpoint but also regarding the wider picture. A company with no money cannot spend any of it on media.

The bigger players in the market are likely to come out on top; the likes of Amazon and Google already have a direct relationship with consumers and are considered to be trustworthy.

Interestingly, Google are now serving a pop up asking users to agree or disagree with the statement ‘I can easily find out how my personal data is used by Google’. Often there are partners working in the background who don’t have household names but are imperative to the media space in terms of how we target ads to the right person. It is considerably more likely that a consumer is going to opt in to a company name they know and trust rather than one of these unknown partners.

How these partners gain consent without seeing huge dropout rates is going to be interesting to see. In particular, the hope on our side is that consumers realise they are always going to be served adverts in order to be able to access free content – it is a value exchange – and, by consenting, what they see is going to be significantly more relevant. Personally, I would rather see adverts for shoes than men’s workwear, and if an opt in is required for that to happen, I’m happy. Time will tell if the average digital consumer feels the same way.

Lucy Cunningham is head of mobile at online performance agency Roast.
