December 2015 saw the completion of the trilogue negotiations for the General Data Protection Regulation (GDPR) legislation text. May 2016 saw the GDPR become law, although it does not actually come into effect until May 2018.
Confused? Yep, we are too. As a key player in the data industry we recently attended a DMA hosted ‘Data Protection 2016’ event, which sought to offer clarification on what is a complex and multifaceted piece of legislation, with far reaching implications for the direct marketing sector, both B2C and B2B. But we came out none the wiser and we’re still struggling to get any clarification.
According to the DMA the negotiations have resulted in compromise, which has “avoided many of the worst case scenarios that the DMA feared would make it into the final text.” But should this reassure those of us for whom data is the essence of our business? The DMA went on to explain that the regulation opted for “unambiguous instead of explicit” in its definition of consent. The translation of which is “unambiguous offers more flexibility to marketers; e.g. being able to contact consumers via post or telephone on an opt-out basis relying on legitimate interest as the legal ground to process data.” That sounds positive, but is it?
So, do we know how the GDPR will affect B2B marketing? The answer is no: no-one yet knows.
“The level of risk associated with the GDPR has catapulted data protection into the boardroom.” Jane Finlayson-Brown, Allen & Overy
At present it is hugely unclear what the fine detail of the legislation will involve and even whether the Directive will have the same impact on B2B as B2C. The DMA and ICO are unable to shed any light on this. The big questions for anyone who holds or uses data as part of their marketing strategy are: what will the impact be, and how must I adapt my business?
The ICO recently told CPB, and we quote: “We are awaiting interpretation from our legal people before issuing specific B2B guidelines.” They were unable to give us any idea of timescale!
Let’s take a step back and put this legislation in context: why is it required and what is it intended to achieve?
The GDPR: a few facts
In January 2012, in a bid to prevent rogue trading and put a stop to nuisance calls, the Directorate General for Justice at the European Commission announced legislative proposals intended to improve the protection of individuals with regard to the processing and use of personal data. The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. The GDPR is intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR places onerous accountability obligations on data controllers to demonstrate compliance and places emphasis on a subject’s consent to the processing of their personal data being ‘unambiguous’. Your data controller (you do have one, right?) is required to be able to demonstrate that consent was given. Existing consents should still apply, provided they meet the new conditions. Where personal data is processed for direct marketing the data subject will have a right to object and this right will have to be explicitly brought to their attention.
What Exactly is Personal Data?
In trying to define the impact of the GDPR we need to define exactly what personal data is. According to the EU, personal data is “any information relating to an identified or identifiable person.” So, any data, whether business or personal contact data, can be considered personal if the owner is seen as identifiable.
How is Consent Determined?
The proposed text of the legislation refers to ‘unambiguous’ consent rather than ‘explicit’ consent, the stricter of the two definitions. Under unambiguous consent, consent for postal and telephone marketing can still be given on an ‘unsubscribe’ or ‘opt-out’ basis. This provides some flexibility for the direct marketing industry, particularly in the B2B arena, as legitimate interest can be used as a rationale for contacting customers who have not opted out.
But let’s not beat around the bush: the GDPR will have an extensive effect on all direct marketing, and will affect each sector differently. So what will the impact be for you?
Whatever the format and text of the final regulations, the way direct marketing agencies do business will change. In recent years marketers have been focusing efforts on data-driven personalisation, targeting individuals based on data held such as previous buying behaviours, demographics, geographical information etc. From 2018, personalisation, rather than being part of a perfect marketing strategy, will become, relatively speaking, poisonous. There is some debate over whether legacy data will be exempt from the new rules, or whether it will be rendered unusable. Again, it’s a ‘wait and see’ situation.
Below we list the key ways in which your organisation might be affected, depending on your business model, type and sector.
Take note – this is not a definitive list; the devil will be in the detail, and that is still a long way from being clarified!
How The GDPR Will Affect B2B Marketing
Direct Marketing as a Legitimate Interest
The text recognises that the processing of personal information for marketing purposes may be regarded as carried out for a legitimate interest. If an organisation relies on legitimate interest for its processing then it needs to make a careful assessment of the relationship between it and the individual.
The Onus on Online Marketing
- Analytics will become impossible as tracking of IP addresses will be banned
- Profiling and tailored online experiences will be practically prohibited without explicit consent
- Data will no longer be able to be used to target future marketing activity without express consent
The Effect on Email Marketing
- Profiling and segmentation will become difficult and patchy
- No tracking data will be allowed without explicit consent, making e-shot effectiveness extremely difficult and unreliable to measure
- Tailored content will be hard to target and harder still to measure
The Silencing of Social Media
- Marketing will no longer be able to be targeted based on profiling
- Campaigns will only be able to be analysed by the most basic measures; demographic analysis won’t be possible
The Muddle in Mobile Marketing
- Profiling information won’t be able to be used to target messaging
- No tracking data will be allowed without explicit consent
Difficulties for the Data Industry
This sector will be hardest hit of all. Most of the current activities will become heavily restricted or nonviable.
- Data will become impractical and expensive both to source and keep up to date; making it extremely difficult to form an accurate picture of your marketplace and target accounts
- Legacy data might be required to comply with new regulations, raising the spectre that prospect lists could be decimated
- List broking will be severely restricted
The Disorder in Direct Mail
- Expect a move from opt-out to opt-in; explicit consent will be needed to send any message to any recipient, with the exception of existing customers
- Existing databases may not be usable under regulation; this could decimate prospect lists
- Demographic information will have to be wiped
The Threat to Telemarketing
- Expect a move from opt-out to opt-in
- No cold calling to prospective customers will be allowed
- No profiling or segmentation will be allowed without individual consumer consent
Whatever your sector, you should bear in mind that the rules on consent will tighten up considerably. Information must be provided concisely, in a transparent and intelligible way, and be easily accessible using clear and plain language. Gone are the days when you could ‘hide’ consent in the small print or lengthy T&Cs.
As part of the new legislation, individuals will have the right to object to any processing of their personal information, including profiling, at any time. If an individual objects, their personal data can no longer be used for marketing purposes and must be deleted. Most marketers will use the legitimate interest grounds but the right to unsubscribe/opt-out must be clear and apparent.
The ICO has developed General Data Protection Regulation advice, outlining twelve steps companies can take to prepare for the reforms.
Many of the principles in the new legislation are much the same as those in the current Data Protection Act. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently. The new law will enhance the rights of data subjects and place more obligations on organisations to be accountable for their use of personal data. These twelve points are intended to be a helpful starting point, to help break down the legislation – which can appear daunting – into practical areas for action.
If you are already working within the guidelines of the DP Act and the DMA you’ll be well on the way to being compliant with the new GDPR. Here are a few tips from the ICO to help you think along the right lines:
Consent and control
- How far do you give your customers genuine control over what information you keep about them and how you use it?
- Do you rely on consent? And if so, do they know that they are consenting and the implications of this?
- Do you have effective processes in place to ensure that you are data protection compliant?
- Can you explain what these processes are and demonstrate that they work in practice?
- Can individuals easily find out not just what information you hold about them and how you might use it but also more generally about your personal data handling practices?
- Do you have the right people in place to help you understand and meet the requirements of the Regulation?
- If not, do you at least have some idea where you might get the necessary expertise from? It’s a myth that the Regulation will require every business to recruit a Data Protection Officer, but you will need resources to help you deliver the necessary change
The Rights of Data Subjects
- Be prepared for data subjects to exercise their rights under the GDPR such as the right to data portability and the right to erasure
- If you store personal data, consider the legitimate grounds for its retention – the burden of proof will be on you to demonstrate that your legitimate grounds override the interests of the data subjects
Privacy by Design
- What steps do you take to make sure that your systems and processes, particularly new ones, deliver data protection compliance as a matter of course?
- Are you reviewing the personal data you hold and why you hold it to ensure that you can meet the requirement for ‘data minimisation’?
- Do you know what a privacy impact assessment is? Have you used one yet?
- Do you have a breach management process in place? Is it ready to be activated even if you’ve been fortunate enough not to suffer a significant personal data breach so far?
- Does your process include arrangements to notify affected individuals as well as the ICO?
- Most importantly, do you have effective technical and organisational security measures to prevent breaches in the first place? Are you sure that these are kept up to date?
To Sum Up
All of this begs one huge question – is the GDPR really needed for the B2B arena? We get it for B2C: we understand the need to protect the vulnerable and those who do not, and cannot, have effective methods in place to protect them from unwanted intrusion. But B2B, really?
Has B2B simply been tagged on to the wider GDPR designed to protect the individual? Have EU legislators included B2B in the legislation because it ‘seemed a good fit’? This law could be seriously detrimental to a large sector of the economy. We hope these law makers in their ivory towers have thought this through and have sound and rational reasons for including B2B in the GDPR. But it appears not. We refer you back to paragraph 3 of this white paper, where we point out that it is still hugely unclear what the fine detail of the legislation will involve and what the precise impact on B2B will be. The DMA and ICO are unable to shed any light on this. We are in a position where we’re subject to a law so ambiguous that even the experts cannot tell us what the impact on our businesses will be.
Of course no-one wants nuisance calls in their working environment either, but in this day and age we have established technologies and processes in place which protect the employee from such intrusions. Voice mail, the CTPS, gatekeepers, email filters and other technologies protect employees from unwanted intrusions. Do they need to be further protected by a law which will create havoc for the direct marketing world? We really do see the benefit of this law for the B2C world, but imposing it on the B2B arena simply adds additional cost into an already tough market.
Whilst we sit in the dark and wait for the powers that be to tell us what the impact of the GDPR will be, all we can do is stay aware, stay compliant and adhere to the twelve steps of the ICO’s General Data Protection Regulation advice.
We don’t yet know how the GDPR will affect B2B marketing. One thing is for sure, everyone involved in direct marketing and data must prepare for the imminent and unavoidable reforms.
To read more and be prepared please visit the DMA’s webpages on the GDPR.