How the EU data law will really apply to IT departments

For more than a year now there has been speculation about what the forthcoming EU data law will entail. Briefings from Brussels are given to the Information Commissioner's Office (ICO) and others, who pass what they learn down the chain. But much of this has been based on informed speculation.

However, an inside look at the unreleased document upon which the regulation will be based provides unique insight into what the new law will mean to those working in IT departments. For some it is going to involve large-scale challenges.

Firstly, it is helpful to outline the broader points before what specifically will apply to IT. When the General Data Protection Regulation (GDPR) comes into force, all companies will need to ensure contact data used to communicate with consumers meets a more stringent compliance standard. The date for the introduction of GDPR is yet to be decided, and it could be as far away as late 2017, but given the amount of preparation needed by those with even a modest database, time is not an abundant commodity.

At the top of the ‘to do’ list will be auditing existing data to establish whether or not it meets the new opt-in standard. It is very unlikely it will be compliant, which means contacting every consumer on a database to upgrade opt-in permission. In addition, the new law will require every completed consent form, whether electronic, paper or verbal, to be stored for presentation to the ICO upon request. Finally, every company will have to introduce a data removal system for members of the public to exercise their right ‘to be forgotten’.

The new consent level required for existing and future data collection will be significantly more demanding than the current opt-in rules. Initially the European Parliament put forward draconian measures that would have made the use of marketing data very difficult, but these have subsequently been watered down by the EU Council and Commission. Opt-in will be based on consent being ‘unambiguous’.

Perhaps the best way to describe how opt-in permission will work in future is that it will be like a traffic light system. Consent will have to be sought and provided if you want to convey information about a given subject to a customer or prospect through a given communication channel - for example, information about promotional discounts on bedroom furniture to be sent via email. If at a later stage there is a desire to communicate about another subject, or in another way, it is like stopping at another set of traffic lights at which new permission must be asked for in order to move forward once more.

What this means is that the majority of existing data will have to be refreshed for consent. For some companies that will mean a huge amount of time and effort just to maintain consumer information.

Storing individual consent forms is something that most data owners have never done as it has not been necessary. Until now simply presenting the ICO with the terms seen by consumers during the opt in process has been enough. In future, there will have to be proof of consent in every case, and that means capturing and storing forms no matter what the format. For IT departments this presents a challenge because there are currently very few, if any, CRM software systems that contain the required facility.

The burden of establishing a data removal request service will also lie heavily with IT. The new law will require that the contact point for requesting that information be erased should be easily identifiable, and that the mechanism that lies behind it must be quick and efficient. Current software again presents a problem in that many CRM systems have no data removal option.
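The three requirements above (one permission per subject and channel, a stored proof for every consent, and an erasure mechanism) as a minimal consent register, added here as an illustration rather than code from the article or from Verso Group; the class and field names are assumptions, and the SHA-256 digest stands in for whatever stored form scan, transcript or web submission a real system would keep.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class ConsentProof:
    """Record of one completed consent form, kept for presentation to the regulator."""
    form_format: str        # "electronic", "paper" or "verbal", the formats the article names
    artifact_sha256: str    # digest of the stored form scan / transcript / web submission
    captured_at: datetime

@dataclass
class ContactRecord:
    email: str
    # One "traffic light" per (subject, channel) pair: consent for one pair says
    # nothing about any other subject or channel.
    consents: Dict[Tuple[str, str], ConsentProof] = field(default_factory=dict)

class ConsentRegister:
    """Hypothetical in-memory register; a real CRM would persist this."""
    def __init__(self) -> None:
        self._contacts: Dict[str, ContactRecord] = {}

    def record_consent(self, email: str, subject: str, channel: str,
                       form_format: str, form_bytes: bytes,
                       captured_at: Optional[datetime] = None) -> ConsentProof:
        # Hash the captured form so the stored artifact can be tied to this consent.
        digest = hashlib.sha256(form_bytes).hexdigest()
        proof = ConsentProof(form_format, digest, captured_at or datetime.now(timezone.utc))
        rec = self._contacts.setdefault(email, ContactRecord(email))
        rec.consents[(subject, channel)] = proof
        return proof

    def may_contact(self, email: str, subject: str, channel: str) -> bool:
        """Green light only if consent exists for exactly this subject and channel."""
        rec = self._contacts.get(email)
        return rec is not None and (subject, channel) in rec.consents

    def proof_for(self, email: str, subject: str, channel: str) -> Optional[ConsentProof]:
        rec = self._contacts.get(email)
        return None if rec is None else rec.consents.get((subject, channel))

    def erase(self, email: str) -> int:
        """Right to be forgotten: drop the contact and every consent held for it.
        Returns how many consents were removed (0 if the contact was unknown)."""
        rec = self._contacts.pop(email, None)
        return 0 if rec is None else len(rec.consents)
```

Sending a campaign would then gate every message on `may_contact`, and an ICO request for evidence would be answered from `proof_for`.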

Despite the temptation to cut corners, or simply ignore some elements of compliance, the risks will be too high for most companies. The EU Parliament initially proposed fines running to hundreds of millions of euros, or 5 per cent of global turnover, and this has subsequently been diluted a great deal, but nevertheless, the ICO will be able to impose very heavy penalties.

Also, there may yet be a right for consumers to seek individual compensation for misuse of data, which could trigger a PPI-type scenario. Plus there will be potential damage to brand reputation. The gamble involved in not becoming compliant will be too high for most. A recent briefing from the ICO declared that if companies make what appears to be a genuine attempt to become GDPR compliant, but do not meet the new standard, they would be given leeway to put things right, but token actions will definitely not count.

There will be some who point out that the UK may not be an EU member in two years' time, but this does not mean GDPR will not apply. Countries outside the Union that benefit from trade agreements have to abide by many of the rules members do. GDPR may well be among them.

What this means is that IT and marketing departments in consumer-facing companies are going to have to work together closely in the two years ahead, as neither will be equipped to manage compliance tasks on their own. It is therefore important to take as much advice as possible, but only from established, reliable sources. Inevitably an industry of compliance consultants of various types will emerge, but only those with an existing background in handling compliance involving high-volume data and market planning should be considered.

What is likely to be helpful in preparing for compliance is the nomination of individuals in relevant departments who become responsible for leading change. One of the key jobs should be to produce guidelines on GDPR, which are distributed to all relevant personnel. Having an across-the-board clear understanding of the regulation among relevant staff will be important.

Once the new compliance standard has been met it will be sensible to adopt a data regime that includes regular reviews. It is easier to put problems right through scheduled checks than risking sanctions, or having to undertake potentially destabilising major overhauls.

For most there will be considerable cost and work involved in becoming GDPR compliant. It is not something to be welcomed, but it does present a positive opportunity. If you have to refresh opt-in permission by creating dialogue with customers and prospects, you can use it to find out much more about them, their true buying potential, what their trigger points are, and even make direct offers. GDPR has to be tackled, so it is worth considering using it as a catalyst that enables information gathering that drives income beyond the time and costs imposed by the new regulations.

The new EU law presents companies of all sizes with an unwanted challenge in understanding and working to the new regulations, and it means IT and marketing have to work in tandem to meet the challenge.

By Jeremy Whitaker, chairman, Verso Group
