I love The Economist, but as most readers can attest, it has gone into a very ‘eeyorish’ mood since Brexit and the Trump election win. In this mood, it has just published its annual supplement on the outlook for the year ahead, and leads off the business section with gloomy long-term projections on the impact of GDPR on European business.
The article quotes Christopher Kuner of the Free University in Brussels: “[It is] the most complex piece of legislation the EU has ever produced.” It’s an ill wind… Mr Kuner is apparently hard at work producing a 2,000-page commentary on the regulation with the help of 20 collaborators.
The Economist does usefully point to some negative unintended consequences of GDPR – especially around the Internet of Things. It will be more difficult, for example, to aggregate data from motorists or bank customers to support road safety and fraud prevention measures. But, of course, it is not GDPR alone that is highlighting the trade-off between individual privacy and public advantage. In the US, the Supreme Court is deliberating the extent to which police access to mobile records contravenes the 4th Amendment on privacy. It looks from the oral arguments and questions that both liberal and conservative justices will rule against the government’s opinion that the public can reasonably expect police access to all telecommunications data.
Back in the world of marketing, here’s how to ensure the mist around GDPR lifts:
Most organisations are to a greater or lesser extent coming to grips with the implications. I have spoken to many practitioners in the last few weeks, and here are 5 steps to bear in mind that will ease the path to full compliance.
- Don’t get in the weeds too soon. Establish your core strategy and approach, based on sound decisions before you begin to execute a plan.
It always helps to identify the key decisions you have to make and then develop a plan accordingly. For most marketers, this will revolve around the question of consent. Legitimate interest, unambiguous consent, or a mix depending on the data asset? Any confusion around these decisions will lead to a horrible mix of objectives. These are ‘or’ choices – a bit of this and a bit of that will not work. (So you can’t decide on opt-in then move to legitimate interest for records you are unable to opt-in within the same data group. It destroys the legitimacy of both.)
- Make sure the plan is realistic. The plan has to be realistic in two senses:
  - You must be able to achieve it and so it must be correctly funded, resourced and executed. Do not be over-optimistic about how many opt-ins you will receive, for example, if you are not prepared to invest in obtaining them.
  - The plan must align with the requirements of the regulation – and so at this point you must get into the small print to align process and technology.
- Budget.
For those of you with a calendar financial year, now is an especially good time to make sure your budgets are lined up. Don’t be shy of asking for more if you can justify it – impending legislation is always a good lever!
- GDPR is a supply chain effort.
One of the most common misconceptions of GDPR is that only the data controller has to be compliant – particularly when it applies to 3rd party data – and that somehow compliance is transferable or passed on. But no-one can ‘grandfather’ compliance to another organisation. If you were a chemical company manufacturing toxic materials, wouldn’t you want your transport company to be equally compliant with health and safety legislation? The same goes for GDPR. Make sure that everyone from whom you accept data, or to whom you deliver it, is aligned.
- Log and note.
It has been encouraging to see best practices develop among practitioners. Several of the companies I have spoken to are making a point of logging conversations with their data partners so there are no mis-steps in compliance and they are happy with their approach. These calls and meetings are best logged so everyone is clear on expectations. But apart from the due diligence aspect, many are welcoming the opportunity to share experiences on the GDPR journey.
The Economist concludes: ‘If Y2K was a damp squib, the GDPR promises fireworks.’ This is a comparison with the much-feared millennium bug back in 2000. But let us hope that 2018 will be fireworks-free!