A Marketer's Look at the EU’s New GDPR

For the last four years the European Union has been hammering out new legislation to modernize and reform the laws that govern the handling of personal data. The General Data Protection Regulation (GDPR) is a sweeping piece of legislation that will have profound effects on global business, the digital economy, and direct marketing.

The 200+ page text of the GDPR is now settled in substance and is expected to be formally adopted in 2016. It then enters a two-year transition period and applies in full from 2018. This new legal framework covers all aspects of personal data processing and applies to any business that handles the personal data of individuals in the EU, regardless of their citizenship and regardless of where the business is based.

The GDPR establishes one unified set of rules for the whole of Europe, replacing the 1995 Data Protection Directive (95/46/EC) and the separate national laws that implemented it in each country. It is intended to remove the complexity of doing business under a different regime in every country, and the way it takes effect is starkly different from the previous legislation.

The previous legislation was a Directive. A Directive sets a goal that all EU countries must achieve, but how they do so is up to them. Countries wrote their own laws, set their own penalties, created their own enforcement bodies and, most importantly, arrived at their own interpretations of what the Directive meant. The result was a patchwork of regimes with varying implementations, requirements, penalties and specifics, all moving in a generally similar direction.

The new legislation is a Regulation, which is directly applicable in every EU member state without any national transposition. It IS the law, and every country in the EU bloc is required to adhere to every provision of it, or face the consequences. The same goes for any business in any country that collects, processes, stores, sells or buys data on EU data subjects.

Perhaps even more concerning is the enforcement machinery. Each member state's supervisory authority (its data protection authority) is given a uniform set of powers under the Regulation: it may demand access to premises, equipment and records, conduct its own investigations and audits, order processing to stop, and impose administrative fines. Those authorities are coordinated at EU level by the European Data Protection Board, the successor to today's Article 29 Working Party, whose decisions bind the national authorities in cross-border cases. Their decisions can be challenged in court, but a supervisory authority investigates, decides and penalizes in one process.

When a supervisory authority finds a violation, there are two tiers of administrative fines already approved and available:

  • For relatively minor operational infractions, a fine of up to 10 million Euros, or up to 2% of the violator's WORLDWIDE annual turnover – whichever is higher
  • For more serious violations, a fine of up to 20 million Euros, or up to 4% of worldwide annual turnover – whichever is higher

And given the depth and specificity of the requirements, it’s going to be pretty easy to violate the GDPR’s provisions.

Getting In Front of It

The GDPR is considered the most impactful piece of data privacy legislation since the original Directive twenty years ago. Its scope is vast, its enforcement powers are wide ranging, and the penalties it can impose are severe. And yet, a large share of businesses have not heard of it.

A recent report commissioned by TRUSTe, a leading data privacy management company, assessed "the state of readiness and awareness of the GDPR, its obligations and its likely impact on businesses in the EU and the US." Participants were 202 professionals with knowledge of data privacy, from companies with over 250 employees. 99 were from Europe (UK - 35, Germany - 34, France - 30) and 103 from the US.

The findings were remarkable for two main reasons. First, only half of the companies surveyed were aware of the GDPR, despite four years of high profile negotiations. And second, the results were the same in all four countries: half of US companies were aware of the GDPR, as were half of the companies in each of the three EU countries – the UK, Germany and France.

The Effect on Direct Marketing

The intelligent use of Personal Data is at the core of Direct Marketing and data driven marketing all over the world. In the GDPR, Personal Data means any information relating to an identified or identifiable natural person, and the Regulation spells out that this includes location data and online identifiers such as IP addresses and cookie identifiers.

Additionally, there is no distinction between roles of an individual and changing requirements depending upon that role. The person is the person and all their data, consumer or business related, falls under this new law.

Consent has been newly restricted: it must be freely given, specific, informed, and unambiguous, and it must be signalled by a statement or a clear affirmative action. In other words, the data subject must do something, such as ticking a box, giving a signature, or choosing a setting, for the consent to count. Silence, inactivity, or leaving a pre-ticked box ticked does not count.

In other words, not opting out does not constitute consent. For consent-based marketing the EU has become an Opt In market, not an Opt Out market. One caveat a practitioner should know: consent is only one of the lawful bases the Regulation allows, and it also recognizes a controller's legitimate interests as a basis, explicitly naming direct marketing as a possible example. Even on that basis, however, the data subject has an unconditional right to object to direct marketing, and once they object the processing must stop. Either way, the pool of truly compliant records available for use will shrink drastically.

Data obtained under consent that does not meet the new, stricter standard cannot simply keep being used on the basis of that consent. The only grandfathering the Regulation offers is for consent that already satisfies the new conditions; everything else must be refreshed by obtaining entirely new consent that meets the new rules. Organizations must be able to demonstrate how and when consent was lawfully obtained. That means designing and implementing record keeping that captures the precise method and details of each consent, along with the source's process for data erasure.

At the time data is collected, the data subject must be informed about how and for what purpose the data will be used. Consent must be obtained for each specific purpose, which will undoubtedly affect the availability of third party marketing data. For example, the data collection form must specify not just that the data being collected may be used for soliciting financial services products, it must further specify that those products might include credit card offers, mortgage loans, vehicle financing etc. A viable Opt In would require the user to check an unchecked box next to a clear description of what the user is opting in to.

One of the more confounding aspects is the use of data for profiling. If a data collector has lawfully collected data from, say, a group of 20,000 women, and wants to do some profiling on the data to build a propensity model, the data collector would have to have included that intention in their consent language. Failing that, they would have to go back to those 20,000 data subjects and request the right to profile their data. 

Under the GDPR, data subjects must be able to withdraw their consent at any time, and withdrawing must be as easy as giving it. Separately, they have a right to erasure, often called "the right to be forgotten": where consent is withdrawn and there is no other legal ground for the processing, the data subject can require the data collector to erase their personal data and stop processing it. Companies in possession of the data have a downstream responsibility: a controller that has passed the data on must notify each recipient of the erasure, and one that has made the data public must take reasonable steps to inform other controllers that the data subject has requested erasure. Those erasures must be documented so that they can be shown to the supervisory authority.

Data erasure may prove very difficult. Removal from a company's own systems alone can be complicated: there are usually multiple databases, backups and syncs to contend with, as well as copies stored by cloud providers, who often retain data indefinitely.

The new requirements for disclosure are especially daunting.

Let's say an American brand asks its agency to conduct a campaign in Europe. The agency comes to a broker in the US to help them find the right audience data. The US broker contacts fellow brokers overseas, in France and Germany. These EU brokers identify the right data in their local markets by going to the List Manager of the data sources they recommend. The list manager interacts with their client, the list owner/data collector. A deal is struck.

The GDPR adds requirements that bite specifically on data brokers: when data is not collected directly from the subject, the subject must be told the source from which the data originated, together with the identity and contact details of the controller and the recipients or categories of recipients of the data, no later than the first communication sent to them.

In this scenario, six parties were involved. To remain compliant, the advertiser's first communication with each data subject must identify the advertiser by name, address and a means of contact, name the source the data came from, and disclose the recipients (or at least the categories of recipients) who handled it along the way. In a chain like this one, that pulls every link in the chain into the disclosure.

This commonplace example highlights a huge concern in the list business: the idea of source confidentiality is gone. Brokers and agencies will have to disclose some of their most valuable partner and client relationships in writing for every deal they do.

The costs of the GDPR will be high, in both time and money. Deloitte's comprehensive report looks at its economic impact on the EU as a whole, while industry giants seek solutions to the challenges posed for their specific industries. Larger companies, and any company whose core business involves large-scale monitoring of individuals, will need to appoint a Data Protection Officer and implement drastic, expensive systems overhauls. Companies will need to renegotiate vendor and services contracts to define liability, because under the new law every controller and processor involved in the same processing can be held liable to the data subject for the entire damage caused by any one of them.

A widespread complaint about the GDPR is that it is written without regard to the calamitous effects it will have on business, and no sector will be more adversely affected than list marketing. Many think the list industry in the EU may not survive the new legislation, and there is no question that it will be profoundly affected even in a best case scenario.

Some industry experts in the UK predict a 50% loss of revenue for brokers and related services such as data cleansing, and everyone agrees that the amount of available, compliant data will drop and remain at a very low level for many years to come.

This is a hugely impactful form of unintentional disintermediation brought about by a law that ignores the practicalities of doing business. And the reality is, that the law is clear, it cannot and will not be changed, and its implementation is a foregone conclusion.