Now that the 25th May has come and gone, I really felt I had to mark the event with some commentary on the General Data Protection Regulation (GDPR). I hasten to add that I am far from able to give any definitive legal advice on its application, but I felt that some consideration of the practical aspects of its implementation, with which we are all struggling as marketing professionals, does fit in with my theme of The 2020 CMO. You cannot be a CMO in 2018, let alone 2020, if you do not have some understanding of the GDPR.
1. Basic Principles
In essence, the GDPR is based on simple, even obvious, principles. I am setting out a very brief summary below to give you a framework for the rest of my discussion of the GDPR. For the full text of the GDPR, please click < HERE >
A. Who Does What
Personal Data: any information relating to an identified or identifiable natural person
Data Subject: the natural person to whom a specific set of personal data refers
Controller: the entity which determines the purposes and means of the processing of Personal Data
Processor: the entity that processes personal data on behalf of the controller
Data Protection Officer: an independent compliance officer who must be appointed by a controller or processor where the processing is carried out by a public authority, or where its core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of personal data
Supervisory Authority: an independent public authority that is established by a Member State to be responsible for monitoring the application of the GDPR. (In the UK this is the Information Commissioner.)
B. Collection, Storage and Processing of Personal Data
Personal Data should be:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
(f) processed in a manner that ensures appropriate security of the personal data.
C. Lawful Processing
The processing of Personal Data is lawful if:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject, or to protect the vital interests of the data subject or of another natural person;
(d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(e) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (this ground therefore always involves a balancing exercise, which the controller should record).
D. Giving Consent
Where consent is the basis for lawful processing, it must be freely given, specific, informed and unambiguous, and the controller must be able to demonstrate that the data subject has given it (hence the requirement for an audit trail: what was asked, in what words, when, and how the data subject responded).
The data subject has the right to withdraw his or her consent at any time.
E. Rights of the Data Subject
The data subject has the following rights in respect of his or her personal data:
(a) to access it;
(b) to correct it;
(c) to erase it (right to be forgotten);
(d) to restrict its processing in certain circumstances;
(e) to transfer it from one controller to another (data portability);
(f) to object to its processing.
One very important point that should be made here is that the controller cannot deal properly with a data subject who wishes to exercise any of these rights unless all personal data held by the controller is properly stored and searchable: a request to access, correct or erase cannot be honoured if the controller does not know where every copy of the data sits. For many small organisations this may be relatively easy, but for large concerns a serious data audit may well be needed, together with the institution of proper procedures by the controller’s processors to make sure that new personal data is added to the existing database in the correct form.
2. The Legislation
The above looks fairly straightforward but as always the devil is in the detail, and in the case of the GDPR there is a lot of detail.
A. The Regulation
The text of the GDPR occupies 88 pages of the pdf downloaded from the EUR-Lex website. The first 173 numbered paragraphs are recitals explaining the scope and purpose of the GDPR, before we get to the actual Articles themselves. About a third of the remainder of the document fleshes out the details of the summary I have given you above, and the rest covers detailed administrative and enforcement provisions, in particular cross-border coordination between member states to ensure that the GDPR is applied uniformly across the EU.
B. The Data Protection Act 2018
This is not the end of the story so far as the UK is concerned. We also have the Data Protection Act 2018. This runs to 339 pages when downloaded as a pdf from the UK government website. The GDPR is directly applicable in the UK and the Act is therefore stated to “supplement the GDPR” and to apply “a broadly equivalent regime to certain types of processing to which the GDPR does not apply”. However, the Act, in fact, repeats in greater detail many of the provisions of the GDPR itself and also takes advantage of what flexibility the GDPR has given to member states to tailor the operation of the GDPR to better fit their particular circumstances.
For instance, the GDPR leaves it to member states to provide whether personal data about dead persons is included within the data protection regime. The 2018 Act applies the regime only to personal data about living persons.
For those of you who wish to take a look at the Act, click < HERE > .
C. Guides to the GDPR
The legislation is extremely complex and difficult to understand. Even those who would regard themselves as experts on the subject are frequently not as definitive as one might wish. This has led to a great many guides to the GDPR, from many different sources, attempting to explain this detail in simple language (many of them far more competent than my attempt in this blog).
Nevertheless, no guide can be regarded as definitive. In the end, the interpretation of the legislation is a matter for the Courts. So far as the GDPR itself is concerned, so long as the UK remains in the EU, this means the Court of Justice of the European Union. For the Data Protection Act 2018, in so far as it supplements the GDPR, the Supreme Court of the UK is the final arbiter. Whether the current status of the two Courts will remain the same after Brexit is, of course, still not decided.
3. Implementation on 25th May 2018
This situation has led to a great deal of fear, uncertainty and doubt for those of us who are trying to comply with its provisions. Leaving aside public bodies, I have attempted to make a short survey of the way in which private entities are dealing with the situation.
B. Nature of the Controller’s Relationship with Data Subjects
Once this has been done, the real question is how a controller should approach the data subjects with whom he or she currently has some kind of relationship.
This clearly depends on the nature of the relationship. For marketers, the following two types of relationships are of the most interest. First, those with a data subject who is an existing customer. Second, those with a data subject who is not yet a customer and at this stage merely on the circulation list for information about the controller’s products and services without the existence of any business relationship.
C. Current Customers
Grounds for Lawful Processing
When dealing with current customers, the most likely basis for lawful processing is performance of a contract or of the preliminaries necessary to enter into a contract. The controller can also rely on the legitimate interest ground to process information about the data subject’s past dealings with the controller so as to provide him or her with information about other products and services that might be of interest. A simple example here is Amazon. Registered customers have an account with Amazon, and Amazon processes the data it obtains from those customers to fulfil the orders they place with it and also to send them information about other products that might be of interest. In addition, all customers have direct access to the information that Amazon holds about them, such as past orders.
The Role of the Marketing Professional
“We care about you and your data. We will keep it private and store it securely. We will not misuse your data. We want to make use of it to provide you with a better and more targeted service, and to help us run our business more efficiently. This is not just a routine compliance project imposed by bureaucrats.”
When Is a Customer “Current”?
Finally, the real problem is deciding whether or not a particular customer is “current”. Where the customer obtains goods or services from time to time, how long a period of inactivity will require the controller to take data subjects off the list of current customers, treat them simply as recipients of general marketing information and therefore be obliged to seek their consent to continue communication with them?
This can only be a subjective decision. In my own case, for instance, I arranged a holiday in early 2015 using two service providers. I have not used either of them since.
Company A sent me the following communication:
As it may have been a while since we last contacted you, we have removed you from our future mailing lists. Want to receive marketing communications from XYZ in the future? Please click on the link <here>.
On the other hand, Company B continues to send me information on the services it provides, treating me as a regular customer. The only difference I can see is that I had used Company B on more than one occasion prior to 2015, while the first and last contact I had with Company A was in respect of the 2015 holiday. It therefore seems logical that Company B would feel it had some justification to treat me as a continuing customer. Holidays are not always booked with the same supplier every year, and my past relationship with them would make it more likely that I would (as indeed I might) book a holiday through them again in future.
D. Recipients of General Marketing Information
The Requirement for Consent
A typical message I received was the following:
We have been sending you topical updates and event invitations and would love to continue to do so. We want to make sure that we only stay in touch with you if you want us to.
To confirm you still want to hear from us please click on the box below. If you do not click the box below, we will not be able to continue sending you such messages.
Asking Consent by Email
There are two problems with asking for consent by email. First, many such emails end up in the spam folder and are never seen. Second, it is very easy to ignore emails, particularly if they are not well worded. Short ones that are quite common – “We cannot talk to you again if you do not give us your consent by replying to this email” – often do not go down well. The marketer can help by crafting a message that tells the recipient why it is in his or her interest to keep receiving communications. Of course, many of the campaigns around seeking consent in this situation take a scattergun approach, covering as many people as possible in the hope that a reasonable proportion will reply, but in the knowledge that many such messages will either fall by the wayside or be rejected by the recipient.
Personally, I feel the greatest service the GDPR has done for me is to show me how many entities that I have never heard of have my email address. Receipt of a request for consent to continue communicating provides a splendid opportunity to ignore them so that I disappear (I hope) from their list.
E. Other Relationships
Clubs, societies and charities also have to contend with the GDPR.
Current Members and Regular Contributors
If there is any area of uncertainty here it most probably arises where the current member of a club or society pays no subscription to be a member. The argument that there is a contract between the member and the society then becomes somewhat tenuous. The only ground for lawful processing that is applicable has to be that such a society has a legitimate interest in processing the data of its members for the purpose of running the society.
I received the following from a club of which I am a subscribing member:
As a Member of [ABC CLUB] we ask that you pay special attention to the privacy notice attached as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
And the following from a charity I contribute to regularly:
Where a charity has had only sporadic contact with persons who have expressed some interest in its operation or who have at some time (but not recently or regularly) made donations to it, the position should approximate that of recipients of general marketing information rather than that of current customers.
I received the following from a charity with which I had had some sporadic contact in the past:
4. Opting In
A. Where Consent Is Required
There has been much discussion about this principle. In general, it can be found in the requirement that consent must be given positively. Its simplest application is that the tick boxes for the various items for which you are asking consent to process personal data must be left blank. It is for the data subject to tick them to signify consent. It is no longer possible to tick the boxes and ask data subjects to untick them if they do not want to give consent.
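To make concrete what the audit trail of consent described in section 1D, and the opt-in requirement just discussed, look like once they are written down as a record, here is an added illustration in Python. It is not taken from the Regulation, the Act or any of the suppliers quoted on this page; the purposes, mechanism labels and notice wording are constructed for the example. The ledger refuses a “consent” captured from a pre-ticked box, keeps every grant and withdrawal rather than overwriting, and answers the two questions a controller is actually asked: “may we process for this purpose right now?” and “show me the evidence that this person consented”.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One entry in the audit trail: a grant or a withdrawal for a single purpose."""
    subject_id: str
    purpose: str            # one specific purpose, e.g. "newsletter" (constructed label)
    granted: bool           # True = consent given, False = consent withdrawn
    recorded_at: datetime   # UTC timestamp of the data subject's own action
    mechanism: str          # how the consent was captured (constructed label)
    notice_text: str        # the exact wording the data subject was shown


class PreTickedBoxError(ValueError):
    """Raised when a 'consent' was captured from a box the controller pre-ticked."""


class ConsentLedger:
    """Append-only record of consent events, queried by subject, purpose and time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_grant(self, subject_id: str, purpose: str, mechanism: str,
                     notice_text: str, box_was_prechecked: bool,
                     when: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box is inaction by the data subject, not a positive act,
        # so it is refused here rather than stored as if it were consent.
        if box_was_prechecked:
            raise PreTickedBoxError(
                f"{subject_id}/{purpose}: pre-ticked box is not consent")
        event = ConsentEvent(subject_id, purpose, True,
                             when or datetime.now(timezone.utc), mechanism, notice_text)
        self._events.append(event)
        return event

    def record_withdrawal(self, subject_id: str, purpose: str, mechanism: str,
                          when: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is always accepted and never deletes the earlier entries:
        # the controller must still be able to show what was consented to and when.
        event = ConsentEvent(subject_id, purpose, False,
                             when or datetime.now(timezone.utc), mechanism,
                             notice_text="withdrawal request")
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """The latest event for this subject and purpose at or before `at` decides."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.recorded_at <= at]
        if not relevant:
            return False            # never consented: the default answer is "no"
        return max(relevant, key=lambda e: e.recorded_at).granted

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Everything the controller can produce to demonstrate consent for this purpose."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.recorded_at)


def demo() -> dict:
    """Walk one constructed data subject through grant, refused pre-tick, and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    notice = "Tick to receive our monthly newsletter by email."  # constructed wording

    ledger.record_grant("subj-001", "newsletter", "web_form_checkbox", notice,
                        box_was_prechecked=False, when=t0)
    # A second purpose captured from a pre-ticked box must be refused, not recorded.
    try:
        ledger.record_grant("subj-001", "share_with_partners", "web_form_checkbox",
                            "Untick if you do not want offers from partners.",
                            box_was_prechecked=True, when=t0)
        prechecked_refused = False
    except PreTickedBoxError:
        prechecked_refused = True
    ledger.record_withdrawal("subj-001", "newsletter", "unsubscribe_link", when=t1)

    return {
        "prechecked_refused": prechecked_refused,
        "newsletter_at_t0": ledger.has_consent("subj-001", "newsletter", at=t0),
        "newsletter_after_withdrawal": ledger.has_consent("subj-001", "newsletter", at=t1),
        "partners_ever": ledger.has_consent("subj-001", "share_with_partners"),
        "audit_entries": len(ledger.evidence("subj-001", "newsletter")),
    }
```

Two design points carry the compliance weight. The ledger stores the notice text the data subject actually saw, because “consent to marketing” in the abstract is not demonstrable consent to a specific purpose; and the time-bounded `has_consent` query means a processor can show that a message sent on a given date was covered by consent that existed on that date, even if it has since been withdrawn.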
B. Other Grounds for Lawful Processing
C. Cases of Uncertainty
Controllers who are uncertain of their position and hesitant to rely on the other grounds for lawful processing are still sending out requests for consent along with their privacy policies, even when they really have no need to do so. However, it is true that the other grounds tend to be narrower than the position that can be obtained by asking for consent. For instance, it is doubtful whether sending personal data to third parties who might have products or services of interest to the data subject would in all cases fall either under the contract or the legitimate interest ground, so receipt of a positive consent to share the personal data for this particular purpose would be required.
5. Data Processing and Artificial Intelligence
A. Legitimate Interest
In my second blog, when discussing how to manage data, I summarised Roger Camrass’s views on the application of Artificial Intelligence to analyse raw data in order to drive decision-making and extend customer intimacy (data-driven decision making). Where it is not possible to identify a natural person from the data collected, it will not qualify as personal data and the GDPR will not apply. The caveat is that data is only outside the regime if it is genuinely anonymised; data that has merely been pseudonymised, so that the controller (or anyone else) holds a key or other information that would allow the individual to be re-identified, remains personal data.
To access my second blog click here.
However, where the data to be analysed does (or may) qualify as personal data, seeking consent is not going to be practical. In this case, organisations are relying on the legitimate interest ground, which enables them lawfully to process customer data for the purposes of improving their business processes, supplying current products and services more efficiently and developing new ones. Relying on that ground is not automatic: the controller must be able to show that it has weighed its interest against the reasonable expectations and rights of the data subjects concerned.
One very large organisation where I am a regular customer described this legitimate interest ground in summary as follows:
It is in our legitimate interest to use your personal information to operate and improve our business.
B. Automated Decision Making
The one area of the GDPR that might impact on this activity, and which does need some consideration, is the right of the data subject not to be “subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her.” The examples given in the GDPR are automatic refusal of an online credit application or e-recruiting practices without any human intervention, but simply based on the use of an algorithm to analyse the applicant’s personal data. It would seem that in most commercial contexts this would relate to a refusal to do business with a data subject.
However, the only sort of automated decision making relating to a particular data subject that we would be concerned with in terms of marketing would be a targeted offer of products or services based on analysis of prior interaction with the data subject. For instance, online booksellers will have a process that automatically notifies a purchaser of a book about the availability of other books with the same subject matter or by the same author. Such an offer would not produce legal effects concerning data subjects or significantly affect them. The same would ordinarily be true of targeted advertising based on an analysis of a data subject’s online activity, although this is not a safe assumption in every case: profiling that exploits the vulnerability of the individuals targeted could be held to affect them significantly.
The Regulation of Automated Decision Making
Automated decision making that does have such effects is permitted only in three situations: where it is necessary for entering into or performing a contract between the data subject and the controller; where it is authorised by the law of the EU or of the relevant member state, which must also lay down suitable safeguards; or where the data subject has given explicit consent. Where such a decision is made, the data subject must be told that it has been taken. He or she then has the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge it. In the UK the safeguards for decisions authorised by law are set out in section 14 of the Data Protection Act 2018 (sections 49 and 50 contain the parallel provisions for law enforcement processing).
Automated Order Placing
One of these exceptions, explicit consent, could become really important to marketers in relation to the Internet of Things. As a current example, when purchasing an HP wireless printer, the purchaser can enter into a contract with HP whereby consent is given for the printer to transmit a warning to the supplier when the ink cartridge is near exhaustion. Based on the warning, a new cartridge is sent automatically and the purchaser’s credit card or other means of payment is charged automatically. (Since the customer has entered into a contract of which the automatic reorder is the performance, the contract exception would in any event cover the same arrangement.) As the Internet of Things becomes prevalent, this type of automatic restocking of domestic supplies will become common. Provided in each case the customer has explicitly opted in to the arrangement, the element of automated decision making will not prove a problem.
6. The Future for the GDPR
A. Stefan Fafinski
At our Spring Lunch in April, we were privileged to have Stefan Fafinski, Master of the Worshipful Company of Information Technologists, give us his views on the GDPR. In summary, his position was that, properly approached, the GDPR was a necessary measure for the protection of personal data that should be approached positively. The initial implementation period offered an excellent opportunity for further contact and interaction with consumers on a responsible and productive basis, and the GDPR would continue to provide such opportunities in the future.
You can read the text of Stefan’s speech here.
With respect, I would agree with him.
B. The GDPR in Steady State
However, once the initial period of implementation is over, things will settle down. Where new relations with data subjects come into existence, consent will be sought on the opt in basis where necessary and otherwise businesses will rely on the contract or legitimate interest grounds for lawful processing of personal data.
It is likely that commercial organisations who respect the privacy and security of their customers will in future find the GDPR just one more aspect of regulation required when dealing with their customers. I continue to believe that the biggest issue they will face is not their own misuse of personal data but the danger of security breaches from unauthorised access to personal data by third parties.
C. Security and Privacy
There will thus be a continuing and increased need for technical expertise to keep all personal data properly organized and above all secure. As Dr. Henry Pearson said in our second lecture on Cyber Security and Privacy, privacy and security are closely related. You can read a summary of his lecture (particularly Part Two on the GDPR).
I believe one quote from a supplier’s letter that I received sums up the impact of the GDPR well:
We have always taken seriously how we look after your personal data. Generally, there will be little difference in the way we collect and handle your personal data, but we will have to provide more information when we do collect it and may have to ask you for explicit consent if we process any special categories of personal data … . You will have enhanced rights to ensure that we correct any inaccurate personal data that we hold and that we only retain it for so long as necessary.
Reputable and conscientious suppliers, committed to serving their customers properly, will not find the GDPR a hindrance to carrying on business, and, indeed, may well derive benefits from the greater sense of security that their customers will feel from the increased protection afforded to their personal data by the implementation of the GDPR.