Industry experts have significantly differing opinions on the impacts of the impending EU General Data Protection Regulation (GDPR). These span the gamut from positive:
“GDPR offers companies a unique chance to rework their customer strategy, changing a reactive stance into a proactive one.” ― Ron Tolido, Global CTO, Insights & Global Data Practice, Capgemini
GDPR in a Nutshell
The GDPR is a set of rules designed to provide clarity, transparency and protection for the personal information of all European Union (EU) citizens. It focuses on protecting this information from unauthorized access and ensuring customers understand and can control how their personal information is being collected, used and shared.
GDPR goes into effect on May 25, 2018 and will apply to any company worldwide that stores personal information of EU citizens. Any company that fails to comply faces significant penalties.
Several components of the GDPR revolve around ensuring companies have robust IT and security practices. The regulation offers specific timeframes for reporting security breaches. Systems must be designed to ensure that personal information has high quality and accuracy, is consistent across databases, has adequate security and privacy protections and provides clear data lineage. Processes must let consumers see, receive and correct (if necessary) all personal information stored in company databases. And direct accountability for oversight of all GDPR mandates must exist within the company in the form of a qualified Data Protection Officer.
The remaining components are organizational, aimed at providing customers with much more control over their personal data. Obtaining clear and unambiguous consent from customers for communications and solicitations is mandated. Customers must have the power to “be forgotten” which means they can ask for their personal information to be removed from company databases. Personal data cannot be retained past a “reasonable use” timeframe. And customers have the right to understand and agree how their personal data is being collected and used.
Back to the Personalization Drawing Board?
The IT and data security requirements of GDPR could place a significant burden on companies, particularly those with antiquated legacy applications, siloed business units and databases, and less than mature data governance practices.
However, the impacts on marketing are arguably even more significant.
Marketers face growing pressures to improve customer experience, personalize messaging and react in real-time to customer needs. The most powerful tool we have for accomplishing this is data. What’s more, the explosion of information generated from digital activity and IoT has put us on the cusp of being able to truly know our customers: to recognize those “moments of now” when our actions can have maximum impact.
And the jury is out (at least in my mind) as to the extent the GDPR might limit our ability to fully use this data in the ways we are starting to do today.
Marketers, Take Note
Three areas of the regulation apply in particular to marketers: consent, clarity and transparency, and profiling:
Consent
The GDPR mandates consent must be "freely given, specific, informed, unambiguous," and articulated by a "clear affirmative action."
This means marketing can no longer rely on soft opt-in processes, the absence of an opt-out, or a single blanket opt-in checkbox covering all communication and analysis activities. At best, communications, campaigns, web and mobile applications must ask for and store consent on a more individualized, action-oriented basis.
And these consent forms must be captured, stored and auditable, so the company can prove when consent was given and for what. At worst, companies may need to review all customer databases to understand whether the consent they have already obtained meets the GDPR requirements.
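As an added illustration (not code from the article), here is a minimal append-only consent ledger that records consent per purpose with a timestamp and the evidence of how it was captured, so a company can answer, for any point in time, whether a specific customer had consented to a specific use. The class names, purpose strings and customer id cust-001 are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # pseudonymous customer identifier (constructed)
    purpose: str         # one specific processing purpose, e.g. "email_marketing"
    granted: bool        # True = consent given, False = consent withdrawn
    at: datetime         # when the customer acted (timezone-aware, UTC)
    evidence: str        # how consent was captured, e.g. form id / page version

class ConsentLedger:
    """Append-only log: events are never edited or deleted, only added."""
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware to be auditable")
        self._events.append(event)

    def has_consent(self, subject_id: str, purpose: str, as_of: Optional[datetime] = None) -> bool:
        """True if the latest event for (subject, purpose) at or before as_of granted consent.
        Consent is looked up per purpose only; no blanket purpose is honoured."""
        as_of = as_of or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first (what a customer may ask to see)."""
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)

def demo() -> dict:
    """Constructed scenario: email consent given in June, withdrawn in September; profiling never consented."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("cust-001", "email_marketing", True, t0, "signup-form-v3"))
    ledger.record(ConsentEvent("cust-001", "email_marketing", False, t0.replace(month=9), "prefs-page-v1"))
    return {
        "email_in_july": ledger.has_consent("cust-001", "email_marketing", t0.replace(month=7)),
        "email_in_october": ledger.has_consent("cust-001", "email_marketing", t0.replace(month=10)),
        "profiling_ever": ledger.has_consent("cust-001", "profiling", t0.replace(month=10)),
        "trail_length": len(ledger.audit_trail("cust-001")),
    }
```

Because the ledger only ever appends, the audit trail also shows the withdrawal itself, which is the record a company needs when asked to prove it stopped a given use on time.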
Clarity and Transparency
Ensuring clear communication to customers on how personal data is collected and used presents challenges, particularly when the use involves big data, artificial intelligence (AI) or machine learning (ML). These challenges are significant enough that the Information Commissioner’s Office has produced a 114-page guidance document on the subject.
Of particular concern is the collection of digital and IoT data with a personal identification component. At minimum, marketers will have to answer certain questions here. Do individuals know when this data is being collected? Do they understand how it is being used, especially when artificial intelligence or machine learning algorithms (where the decision parameters are less transparent) are making decisions based on that data?
Profiling
Another concern raised by the guidance document involves using personal information to profile or analyze customers.
GDPR defines profiling as:
“Any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Marketing will have to prove that this type of analysis meets certain criteria. Is the resulting decision in the best interest of the customer? Can the customer get a clear explanation of these decisions? Is the company taking measures to prevent discrimination on the basis of ethnic origin, political opinions, religion, etc.?
A Time of Reevaluation
Regardless of the sentiment this legislation generates, one thing is clear: the GDPR will have a profound impact. It will force marketing to reevaluate both its analysis and data collection practices and its customer communications. It will forge close partnerships between the Marketing, IT, and Security or Privacy departments. And it will bring the data quality, lineage and architecture aspects of data governance to the forefront of company thinking.