Since General Data Protection Regulation (GDPR) took effect in Europe last year, creative agencies, brands and data privacy experts have been waiting to see which unfortunate businesses would be hit first with hugely increased fines.
Many speculated it would be the giant American tech companies. But last week the Information Commissioner's Office (ICO), the UK’s data protection authority, gave significant fines to British Airways and Marriott International for violating GDPR. British Airways incurred £183m for leaking the personal data of 500,000 of its customers. And Marriott International was hit with just over £99m for exposing personal data from 339 million guest records globally.
News of these fines broke just two weeks after the ICO released a report focusing on how the ad tech sector should comply with GDPR. The report highlights multiple issues marketers and agencies will have to address. Like the fact that customer data acquired through a legitimate interest can’t be used later to process bid requests. The only option for businesses is to obtain consumer consent again.
These developments are part of ICO's strategy to remind businesses and their creative collaborators that they should have ensured their GDPR compliance by now. The grace period is over and the witch hunt has begun. GDPR is real and the consequences for businesses that fail to meet it can be disastrous: not just financially, but also in terms of consumer trust. Trust is more important than ever. Waves of new technology haven’t just transformed the experiences we help our clients create for consumers. They’ve also created an information revolution. The sharing of data is now a contract between brands and consumers. How, then, can we help the brands we work with stay trustworthy?
Here are three important ways for marketers to work more effectively with GDPR:
Firstly, we can educate people on this revolution. There’s an unbalanced awareness between brands and customers when it comes to the data economy. People tend to fear what they don't understand and brands should be looking to soothe those fears, not just tick the regulatory boxes of GDPR.
BA and Marriott have been fined because they failed to protect the data of their users. Designing a secure system to protect your data is as essential as obtaining your user’s consent. By developing a clear data strategy, the collection of data will align more closely with the customer experience we as experts working in marketing and advertising aim to create. And it has to be a group effort between marketers, data leaders and IT.
Finally, we should acknowledge that honesty always pays. The 2018 Forbes Insights report “Fallout” highlights that 46% of companies were left with damage to their reputation and brand value after a breach. In 2013, Yahoo had 3 bn of its user accounts hacked. This was the most significant data breach in history. What’s more, it became a case study of what not to do when a data breach happens.
Yahoo has been blamed for doing too little, too late. It took two years for the company to tell users their data had been stolen. They were also criticised for declaring, just a few weeks before the disclosure, they were unaware of any security breaches. Not only was Yahoo’s reputation affected but they eventually offered $117.5m to settle the resulting lawsuit. Honesty isn’t only about transparency, then. It’s about timing as well.
If marketers and creative agencies keep these pointers front-of-mind, we’ll create better work for our clients and more valuable experiences for the consumers who share all this data in the first place.
Hanan Belarbi is head of data for EMEA, R/GA