Ardi Kolah

Be prepared!

19th November 2015 • Opinions

by Ardi Kolah

Discussion may still be ongoing in Brussels but Ardi Kolah believes that database marketers need to prepare now for the new EU General Data Protection Regulation, which is due to come into effect at some point in the very near future – and here are some tips to get started.

There are few pieces of European Union regulation that have endured the level of intense scrutiny as the forthcoming EU General Data Protection Regulation (GDPR).

The proposed wholesale reform addresses the EU’s now decrepit data protection and privacy laws – including the UK’s Data Protection Act 1998 – which date back to the last century and predate Facebook and Twitter.

Negotiations between the European Commission, European Parliament and Council of Ministers are now entering the final phase behind closed doors in Brussels and are on track to be concluded in December 2015.

Several well-informed sources close to the ‘trilogue negotiations’ say that Christmas holiday leave for a small army of European language translators has already been cancelled and they’ve been told to stand by to receive a “very, very big document” to be ready for New Year 2016.

In fact, the GDPR contains nearly 100 Articles and Recitals, so it’s not surprising that it’s taken since 2012 to get to this point. However, the need for reform has never been more urgent and the time for waiting is now over.

In the last month there’s been a spate of personal data breaches that have made the national headlines, involving some of the most famous household brand names, including British Gas, TalkTalk, Vodafone, Carphone Warehouse, HSBC, Experian and many others. In all these and other instances, customers’ personal data has fallen into the wrong hands.

Regulators such as the ICO promise to take action in the wake of these reports but so far they are struggling to cope. Most Regulators (Supervisory Authorities) across the EU complain about lack of resources and a lack of tools to do the job properly.

GDPR promises to fix the latter by making it easier to impose administrative fines, as well as financial penalties for breaches of personal data. And in terms of resources, Regulators can expect to harvest a windfall in fines of between 2% and 5% of global turnover for a commercial organisation, or €100m.

Clearly this level of resource will help fund a more aggressive compliance regime and should create a new breed of watchdogs with much sharper teeth.

GDPR is a ‘game changer’ in a wide range of areas, including the handling and use of personal data, and it also creates the legal framework around the Single Digital Market.

In essence, every private and public organisation operating within the Eurozone holding 5,000 records or more will have to assess and change their approach to the data they handle or face sanctions for being in breach of the principles enshrined under GDPR.

Once GDPR has been agreed, there will be a two-year transition period where all organisations are expected to change their processes, policies and procedures as well as implement other changes such as staff training.

Ultimately, effective database marketing will now depend on obtaining customer permission, and this can only be achieved by building trust rather than through exploitation.

What’s also eye-catching about the GDPR is that it applies to organisations across the world, such as outsourcing providers (data processors) in India that hold millions of records on EU citizens, so for the first time processors and controllers of data are to be treated on an equal basis.

In this new world, the European Data Protection Supervisor (EDPS), an independent supervisory authority whose members are elected by the European Parliament and the European Council, will become a very powerful body.

The role of the EDPS includes, among other things, advising on privacy legislation and policies to the European Commission, the European Parliament and the European Council and working with Supervisory Authorities to promote consistency.

The expectation is that the revised data protection framework will be in place by the start of 2018. And this isn’t as far off as you may think.

Marketers should start preparing now and follow the best practice guidance given by the ICO ahead of the EU Regulation, since much of the Regulation will be a codification of this guidance.

Doing nothing now is a recipe for disaster: it creates a business continuity risk that can easily be avoided, and inaction will be viewed as an aggravating factor when an organisation faces a financial penalty because of a personal data breach.

What you should do: Create new data policies and procedures.
How you should do it: Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.

What you should do: Mitigate known risks.
How you should do it: Consider which breaches might harm customers/clients and pay particular attention to mitigating these risks. The most serious are financial fraud and identity fraud, so sales and marketing professionals should pay particular attention to passport details and other personal information stored on their servers.

What you should do: Invest in education and training now.
How you should do it: Invest in education and training for all employees involved in the collection and processing of data, with a view to reducing the risk of human error, and automate as many processes as possible to reduce that risk further.

What you should do: Review how you currently obtain customer consent.
How you should do it: Set very clear, fair and transparent rules for obtaining customer consent.

What you should do: Don’t hang on to data.
How you should do it: Don’t keep data forever. The one exception is the information needed to ensure that you don’t contact someone who has expressly said that they don’t want to be contacted in the future; without it, they could be contacted again by accident.

What you should do: Have a policy about out-of-date data.
How you should do it: Create a policy for destroying out-of-date data and ensure that it is understood and followed by every employee involved in data management.

What you should do: Be prepared for an increase in consumer activism.
How you should do it: Recognise the risk of consumer activism, where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and other social networks.

What you should do: Make data protection central to your marketing process.
How you should do it: Integrate data protection fully into all business processes rather than treating it as an add-on or side issue.

What you should do: Move your mind-set from compliance to competitive advantage.
How you should do it: Consider the GDPR as a marketing opportunity and potentially a source of competitive advantage, achieved by performing data processing tasks more efficiently and accurately.

What you should do: Treat your customers as real people.
How you should do it: Customers should be treated as a source of business rather than as a piece of data, and they need to be treated fairly, with respect for their rights to privacy and without cynicism.

