
With the new GDPR legislation coming into force on 25th May 2018, most organisations are facing a genuine change to how they conduct their business and manage their data. GDPR is a significant evolution of the current law and a step change that brings...
A
Welcome to the Digital Marketing Podcast brought to you by targetinternet.com. Hello, and welcome back to the Digital Marketing Podcast. My name is Kieran Rogers, and today we have an expert on the line and we're going to be talking about GDPR legislation, which I know is probably one of those subjects that, you know, everybody out there is concerned about. If any of you have done any kind of database marketing or email marketing, you'll most certainly have heard about it. I know we touched on it on a previous podcast episode, but we really wanted to dig into what it is and what it means. And to help us with this, we have an expert on the line whose name is Mike Morrissey. Hello, Mike.
B
Hi, Kieran. How are you?
A
I'm good. Thank you so much for giving us your time and joining us. Now, just before we get started, can you tell me a little bit about yourself and the company that you work for?
B
Sure, no problem. So I'm a certified data protection practitioner as well as the Chief Commercial Officer in Cytorus. We're based in Dublin and in London. What we are, who we are is we're a team and organization of data protection practitioners. So we specialize in privacy. So we help companies understand how to effectively ensure they have proper privacy controls built into their systems and processes. It's not security, it's more the esoteric area that marketing people obviously would know very well, like consent, fair notice, how to make sure you have the right retention periods on data, how to get rid of it, and how to make sure fundamentally you're operating fairly with the personal data of individuals who you're processing.
A
Fantastic. And just to sort of summarise, because we're going to be focusing in on GDPR legislation today. In a nutshell, what, what is it? Because there's a lot of noise out there in the space, but I really want to kind of really focus in on what is this thing.
B
Okay, so we've had privacy laws in Europe for a number of decades now, and they have gradually evolved over time. And this particular GDPR General Data Protection Regulation is a major change in legislation. The last time we had anything of significance was in 1995 as a directive in the European Union. And obviously your listeners will be familiar with the 1998 UK Data Protection Act. What the GDPR is, is it's a step on again from that older legislation. Specifically, what it does is it enforces on all organizations who process personal data, whether that's employees or whether it's the data of consumers, living individuals, if you will. It enforces very strict controls over how they can process that data and more to the point, how they provide evidence that they're operating fairly with that information and that they're always operating in the best interest and they're keeping the data secure of those individuals who that data is about.
A
Okay, so it's fairly serious stuff. Then you think it's going to have as much impact as the Data Protection Act did?
B
Oh, I think it'll have much bigger impact. This is fundamentally basing a new approach where there's an assumption that companies and organizations are guilty until they prove innocence. With regards to the Information Commissioner's Office, fundamentally what we mean by that, because it's an evidence based model, the burden of proof rests with companies to actually demonstrate to the ICO that they have implemented all the necessary privacy and security controls around this data. So that obviously wasn't the case in the past. And very interestingly, unlike here in Ireland, where I'm talking to you from at the minute, in the UK, your regulator has not had the powers to go knock on doors and say, I'm the ICO, I'm here to do an audit. We've had that in Ireland for a number of years and we've seen directly the impact of that approach where effectively the regulator can basically show up unannounced and can effectively commit an audit there and then, and the necessary consequences come from that. So at a practical level, there are some very significant changes to the powers actually that the ICO are being given, which will allow them to have a broader reach. And may I add as well, Elizabeth Denham, the Commissioner, has significant, significant powers to increase the actual numbers of staff she has, and she's publicly stated that the ICO will be the largest privacy regulator in Europe, certainly no later than May of next year.
A
So, just so people are clear on this, who are the ICO?
B
So the ICO is the Information Commissioner's Office. They're the statutory body set up by government to effectively monitor and manage the data protection legislation and to ensure it's been effectively deployed, engaged upon and utilized. And they're, if you will, the watchdog, so the privacy watchdog. They're different to consumer rights in the sense that their specific agreement is the Data Protection Acts. And what they do is they will enforce through financial penalties, through the equivalent of court orders, as enforcement notices, as well as notification orders as well, notification notices to companies with regards to changes to their processes, systems or penalties, fines they have to pay if they're found to be operating outside the laws as dictated in the UK.
A
So the ICO, they're a body who police this within the UK. If I'm outside of the UK, but I'm marketing to people within the European Community, does this still affect me?
B
Yeah, it does. Basically, where you're processing personal data of European citizens, or where you're an entity, a legal entity based within either the European Union or the UK or the European Economic Areas, such as Norway, Switzerland and other countries, you have to comply with this legislation. So if we actually take a broader remit and we look at, for example, if you're marketing to people in the United States out of the UK, you're still going to have to extend the same privacy rights to those citizens in the US that you would have to give to UK citizens or European Union citizens.
A
Wow. So it's not just. You can't just say, oh, you know, we won't bother with Europe anymore, it's too difficult.
B
No, no. And interestingly enough, if you're outside the European Union and the UK or the EEA and you're a processing person there, let's say you're an actual marketing firm in Albuquerque, New Mexico. I don't know why I always pick Albuquerque, but never been there. But anyway, and you're processing the data of European citizens somehow, and some way you have to comply with European legislation as well, you have to offer the same privacy rights. Now, there is a legal framework in place between the United States and the European Union called Privacy Shield, which effectively is a system that American firms who are processing European citizens' data, and you find a lot of the technology companies now sign up to this. You have to sign up and effectively you're promising to process that data with all the necessary privacy and security controls to ensure that the data of those European individuals has been given the same protections as if it was in the EU. Now, there's additional elements to this as well, around the ability for consumers in Europe to seek satisfaction in the courts of the US, et cetera. The three companies, for example, who were declaring to be part of Privacy Shield in the US were prosecuted by, I believe, the Federal Trade Commission in the US there a few weeks ago for incorrectly stating that they were signed up to Privacy Shield. So it is being treated very seriously. Having said that, and we can talk about this a little bit later, there are very specific things you need to think about. If, as a business, you are processing data outside of the UK, outside of the European Union, and steps that you need to take that are required now under the GDPR, they are required currently as well. But since we're talking with the GDPR, you really, really need to make sure you have, at a practical level, implemented before May 2018.
A
Okay, so is there anybody it doesn't apply to?
B
Very few. I mean, the only scenario where it really doesn't apply to, at a theoretical level, is a sole trader who's effectively not really processing personal data in any way. But we all do. I mean, whether you're, you know, whether you're a gardener and, you know, you've got 50 clients on the books, that's still 50 people whose personal data you're processing. And it's obviously small. There are certain things you need to do. In reality, you're not, in the bigger scheme of things, a major concern, I would argue, for the ICO. But then take the other side to this. Take the NHS as the public body. Think of all of that personal and what they call traditionally, what's called sensitive personal data, what's now been known as special categories of data, such as in this case, information about individuals' medical condition, physical or mental. There are very strong controls around how you're allowed to process and share that data and uphold the privacy rights of individuals. So it gets incrementally complicated as you get bigger as an organization and as you have more and more processes. And that is the big challenge for most businesses now coming up to the May deadline is are they really in a position, bearing in mind what I said earlier, Kieran, this is an evidence based framework to demonstrate a thorough approach, thorough evidence that they've accounted for the privacy and the security aspects of how they're using this data. And that's the big, big, big challenge.
A
Okay, so at this point, for everybody listening who's just sort of been glazing over and going, ah, it doesn't really affect me, I'll be right. Sort of allow yourselves a moment just to heave a big sigh and kind of let that frustration out, because actually it does, it is going to affect you and you do need to pay attention. But fear not, listeners, we are here to try and give you some practical guidance and advice on some practical things that you can do to make sure you are a bit more covered with this. So let's kind of discuss that. Michael, what do people need to consider in terms of their existing approach to data protection and how that's going to change when this comes into effect?
B
Well, I mean, think about this first. As practitioners ourselves, as business people ourselves, we implicitly understand that data protection should be, and in truth probably really is a fundamental part of how people do business with regards to processing the data of individuals, we all know not to be loose and fast with sharing the data of consumers. For example, if you're working in a bank, we all understand implicitly the reason why you need to have good security controls. General approach is we all do want to do the right thing with regards to data. The problem is that there are temptations. And one of the big temptations, for example, in the marketing space is the problem of consent. Am I actually, I really, really want to market this person about this product, but am I sure that I actually really, really can, can I get away with it if I don't actually have the legal permissions to do it? These are the big challenges. So culturally the biggest problem, setting aside the actual evidence framework, the big challenge most businesses have is a comparison of what the requirements of the GDPR state versus how your business actually operates. And are you doing something that's flying blatantly in the face in the wind of what the GDPR is looking to enforce? And if the answer is yes, at a very practical level, that's the first thing you've got to fix. Get that right, because if you don't, the balance of probability is at some point down the line, you're going to become a cropper here. And if I take marketing as a good case in point of this, we've a lot of experience working with marketing. We've worked with marketing companies and marketing departments for a number of years now. One of the big challenges in marketing now is in the data sharing space. It's buying and selling databases. 
There's major challenges in terms of doing that because the way it works under the GDPR and a new E Privacy Directive that's coming down alongside this around digital electronic data is this notion idea of have I got consent to actually communicate with this person? So in other words, have they either given me explicit consent in order, they've ticked a box to say, yes, I do want to receive this information, or have they in other circumstances not ticked a box to opt out of further communication? And the wording of the current UK Data Protection Act, the wording that we expect to see within the upcoming UK Data Protection Act, as well as this new E Privacy Directive that I just mentioned a minute ago, are going to become critical here to how businesses operate. But the one thing you have to work off at a very practical level from a marketing perspective is am I making sure that I'm avoiding surprises for a consumer that they're not expecting me? You know, is that a problem, is that going to be a real challenge here? Setting aside the legal requirements, and if you're not sure that answer, or if the suspicion is, yeah, these guys don't know me from Adam, then there is. It only takes one person to complain to the ICO and there's an investigation and all of the problems that come with that. So you look, it's a. It's a real practical problem and there's a lot of advice going out there in the market. People are saying, oh, you got to delete all your data, you got to start again, you got to do this, that and the other. And the reality is what you need to do is you need to take a deep breath and look at this practically. And there are answers everywhere. But admittedly, the gray areas that existed in this space over the years are starting to become a little bit more black and white. But, you know, no dramatic reactions is what I would say strongly recommend businesses to do initially in the marketing space.
A
So let's just focus in on some practical things that people might be doing now, which are going to be a really bad idea if you don't want to avoid getting into trouble once this legislation is in place.
B
Yeah, I suppose from the perspective of practicalities and at a generic level, let's take into account all different types of businesses. The very first thing you need to do is you need to understand what implications does this GDPR have on my business and how my business operates. And you've got to have a very broad perspective on this, because you've got to look at this from your employees' perspective as well as consumers. I'll give you an example why, pretty much every law firm in the UK in an employee-employer dispute, every trade union in the UK in an employee-employer dispute, will urge employees or union members to put in what's called a subject access request to an employer to get a copy of what information that employer has. The reason why they do that is it's cheap. In fact, under the GDPR, you can't charge for it anymore and you've only 30 days to respond. And what the mechanism allows an individual to do is get a physical copy of all information held about them by, in this case, an employer. So this is the laws of unforeseen consequences. Right. When the subject access requests were first mooted and as instantiated since at least 1998 in the UK, and obviously reinforced further under the GDPR, there's been various ways in which this has been used now. So anybody who's an employer, anybody who's working in a senior management role, who's listening today, one of the consequences that you need to consider is what's the likelihood of us receiving these subject access requests and how do we respond to them? Because if you fail to respond, there will be a complaint to the regulator, there will be an investigation and any excuse that the ICO, if you will forgive me saying, to knock on the door, the consequences of which could be significant because they have the powers now to do investigations further and broader than probably what they've ever done before. Right. 
So at a practical level, the first thing you've got to do is ask yourself as an employer, are we doing enough to make sure that we're accountable for the data of employees we're using? What data do we have and how do we make sure we minimize the information so we don't need any more than what we need? What does HR really need to do their job? From a marketing perspective, it's nearly always around consent. So do we have the right consents for the various forms of communication that we have, whether that's postal, which is obviously becoming more popular now because there's more opportunities to do postal marketing, or whether it's email or phone based marketing, et cetera, et cetera? And you really need to get that right and put a plan in place to get it right and work through it. And then of course, the other big one then is, you know, retention periods and working with your IT department to make sure data is secure, that you've got encryption in place for your laptops, for your mobile phones, that your IT department has some form of appropriate security measures in place around the network and the infrastructure, and that IT are supporting you in any data retention, data deletion practices you need to do because you no longer need the data. As mentioned earlier, the last big thing is suppliers. So where you're working with suppliers, you need to make sure that those suppliers have appropriate contracts where it's very clear what they're doing with the personal data you've given them remit to manage and that they're putting again the appropriate controls in place, such as security controls as well. They're the fundamentals. Now, there are a number of things under the GDPR that you need to have, because that's the evidence framework that they will require under the GDPR. But we can talk about that later. 
But if I was to say to any company right now, get a sense check on what data you have, personal data you have, how you're using it, and make sure HR is very clear about what they're using and minimizing, marketing are very clear on their consents and managing that right, and IT are supporting you on data destruction, data retention periods and security.
A
Okay. And just to touch on a couple of points you picked up there. So just so I've understood this clearly, if I'm an employee, I can ask my employer for, you know, what information they have on file for me and under this legislation they'd be required to give that to me without any charge, is that correct?
B
Yeah, they can do that now as well under the UK Data Protection Act. But there is a charge, a minimum fee, a few pounds and you have approximately 40 days to respond. Under the GDPR there is no fee and there's 30 days. Bear this in mind that it's not just employees, it's anybody who you have data on. Like you can contact your bank, you can contact your mobile phone provider, you can, you know, there's no limitation.
A
So as a customer, I can put in these requests as well?
B
Yes, yeah. I mean, I'm familiar, for example, with one media company in London who the National Union of Journalists, for example, the NUJ, are in dispute with and the journalists, for example, are putting in subject access requests to the editor every day. You know, so there's mechanisms and you're entitled to do it. There's nothing wrong with it. Absolutely. Why not? You know, you know, but you can imagine the overheads in managing this, you know, so there's, I've said it before, the law of unforeseen consequences is something which can be a major pain, to be honest with you, with some of the data protection legislation. And at a practical level, you've got to manage. Certain industries are going to get hit very hard with subject access requests, particularly when there's no fee that can be charged now. And the media just. Media companies are one example of that. I mean, Google, for example, the right to be forgotten, which we probably have heard of with Google, is now being reinforced into the GDPR. Everybody's got to manage this. So you're getting into this scenario now where you're going to have people asking, what information do you have on me? This information is incorrect, I need you to change it. Or this information is completely incorrect or you have no reason to hold it anymore. I want you to get rid of it and you're going to have to uphold all that. Now, operationally, that's going to be a very difficult thing to do, particularly at scale. But these are. Bear this in mind. The GDPR fundamentally, massively reinforces the rights of consumers and individuals in terms of how their information can be used by companies or public bodies. And I think the big danger here is less the issue of am I compliant by May versus am I ready for the consequences of this legislation operationally when it hits? Because it's going to have, it's going to have implications. 
Again, I've been told on very good authority that two of the PPI law firms, because PPI is coming to a close now in the next number of months, two of those PPI law firms are moving into the GDPR space. So the threat and the possibility of the equivalent of class action lawsuits, for example, and that kind of stuff is something that I think at a practical level you've got to prepare for as well. You've got to be aware of and think, is that a possibility? How could that potentially affect me as well? So, yeah, there's a number of implications here. Some of which are, to be honest, Kieran, aren't fully understood yet. But the legislation gives people very strong powers now to uphold how their data is actually being used by organizations.
A
The prospect of the PPI industry moving into this space fills me with utter dread. Oh, a whole fresh new round of unsolicited SMS texts. It's kind of ironic because actually that industry is one of the worst for...
B
Kind of flouting privacy. Without naming specific industries, there have been some industries that lobbied very heavily to be made exempt from the GDPR to no success. And again, there are certain industries that are hugely affected by this. If we come back to the marketing thing again, the charity space is hugely impacted here. Fundraising, the modus operandi of fundraising, it's driven more by an ethical desire to do good as opposed to a consequence of should I be allowed to contact this individual based on their privacy rights. There's a fundamental mismatch here and charities have to figure out at a very practical level, what will they do here? What's the decision they're going to make? There are certain big companies, like for example, Wetherspoons, I believe it was, they announced about two months ago their CEO did a public statement where they made a decision to delete their entire newsletter database, however many records. That is because they didn't feel they had or had the ability to get the correct consent to continue to market individuals or to send those newsletters. So there are consequences here for certain industries or certain parts of industries or business units that are very significant and maybe some people might be overreacting. Others, I think, are going to make a decision, Kieran. Do you know what, to hell with it. I'm still going to do what I need to do. And you know what, good luck to you. And if you are, be very careful here, because the regulator, the ICO, is going to have very strong powers, much bigger unit, a bigger team, more proactive rather than reactive. And there are more and more touch points now where consumers can complain to the regulator where they're not happy. It's not just about, oh, I didn't get a subject access request or I didn't give consent. It's now the right to be forgotten, right to rectification, data portability. These technical terms under the GDPR are all points in which people can complain. 
And they will, it will happen.
A
So, okay, let's move on into the sort of marketing sphere of things and let's talk about consent. What's actually changing on that front?
B
There's a little bit of confusion in this space because there's actually two pieces of legislation here that have an impact on marketing. There's the GDPR and then there's an E Privacy Directive coming down from the EU, which is going to be modernizing current electronic communication type regulation that we have at the moment in the UK and in Europe. If you look at the GDPR and where an awful lot of initial concern was coming out, the GDPR was specifically stating that consent for marketing, for electronic marketing such as email, had to be explicit. And what we mean by that is it has to be an unticked box that a person has to opt in. They have to tick a box and explicitly opt in, which most people won't do. I mean, it's probably under 10% of people who will actually tick a box and go, I really want to hear from you guys again. That's a problem. From a marketing perspective, the Privacy Directive that's coming down, that I believe, and I am subject to correction on this, but from what I understand is coming into legislation or from a European perspective at the same time. But bear in mind, it's a directive, not a regulation. So it's going to take a number of years for that to effectively become law in the UK. But what's very interesting about the E Privacy Directive is it will allow organizations to assume or to have opt in with the ability immediately and ongoing basis to opt out for all forms of digital marketing. So phone calls, you know, emails, you know, you name it. Obviously, if people are on a do not call list and so forth, then you have to obviously comply with that. But at a fundamental level, the Directive is going to give a lot more power. Not power, but it's going to be, I think, probably a little bit more democratic to marketing companies in terms of how they can actually market individuals. The other thing I'll mention as well is the cookies policy that we've all probably heard of is also going to change under the Privacy Directive. 
And what they're looking at is actually allowing consumers to manage their cookies preferences through browsers. So in other words, they'll be able to manage centralized marketing consent through Firefox, through Chrome, through Edge, etc., etc., which I think would be great, as opposed to companies having to manage that themselves with their own opt in and opt out of cookies, which can be very, very painful because a lot of organizations have a lot of cookies, most of which they don't really know about. You know what I mean?
A
Sure. Actually it's an interesting parallel to make because I remember when the European Cookie Directive came out, there was a lot of fuss and the world was going to end imminently once it came into being. And actually not a lot happened when it did. A lot of sites troubled to add in those cookie consent forms. It's almost like a little obligatory dance you do with every website you visit now, isn't it, to consent cookies. Oh yeah, that's kind of fine. So that's still going to be in place. Right, but you're still saying that there could be steps by the browser technologies to simplify that?
B
Yeah, no, absolutely, from a management perspective for consumers. But the cookie thing is the thin edge of the wedge of what's a bigger problem anyway, which is called profiling under the GDPR. And marketing does play an important role in this. And I've seen marketing solutions that are used, analytics solutions using machine learning, of course, which is something we're all hearing about. It's the modern reinvention of artificial intelligence. And what's interesting about profiling, and this is something to be very, very careful about for marketing departments, is where you're creating new information about an individual, where you're using disparate data sources. So for example, I'm using a CRM database I have here, I'm using a social media over here, I'm using a database, a consumer database I bought from a marketing firm over here. And I'm basically at an individual level profiling people. Let me give you a very good example of this. In the charity industry, it's common practice, for example, to target high net worth individuals, to identify a person and then to create a profile about that person across various different data sources, some external, some internal in order to make an appropriate decision. Should we contact them? How much should we contact them for? You know, what's the best way to get in contact with them? And that type of profiling, and there's much more complicated profiling involving, as I mentioned, machine learning and automated decision making, that there is an ability for an individual to opt out of that type of activity going forward. And where profiling might be involving special categories of data like medical information we mentioned earlier, sexuality, religious belief, trade union membership, political opinion, ethnicity and or any ongoing or previous criminal prosecutions against an individual. In that case, they have to explicitly tick a box and opt in in the first instance. 
Now, to be fair, there is a lot of work going on in this space. So a very good example. I don't want to be plugging because I don't use Facebook, but I am familiar Facebook use a targeted audience model where you effectively will upload your list, your sales list of individuals to the system. They then encrypt it, they hash it basically, and then they compare those hashes against other hashed encrypt data they have where they're identifying those individuals within the Facebook database. And then you're able to, then, although you're not doing it, Facebook does it on your behalf. They would then market to them on your behalf. And that's fine because in that instance, they're already on Facebook. You don't need to know who is or who isn't on Facebook. Facebook aren't taking your information per se, because what they do is they immediately delete the data that doesn't match in the hashes. And because they're hashed the stuff they don't have in their database, it doesn't make sense. They don't know what it means. So there's some smart stuff going on there that allows for using social media and technology to really engage correctly and legally from a marketing perspective with individuals. So there's light at the end of the tunnel in that sense.
A
It's interesting because you've got other sort of halfway house systems like for instance, LinkedIn have their proprietary InMail which enables them to, well, enables marketers to send out effectively email messages. But they're not going to email. They're going to the LinkedIn profile's little inbox, which is kind of, kind of separate. Are things like that going to be affected by this?
B
No, no, I see they're safe zones, as I call them, because if I sign up to LinkedIn, and I use LinkedIn myself a lot, and I sign up to LinkedIn, I'm signed up to their privacy policy, their terms and conditions. Fair notice has been given to me by LinkedIn as to how my information is going to be used. And some of these social media sites, you know, like Google for example, to give them credit here, they've done a lot of hard work in terms of getting consent. And every now and then we go in and maybe we might take the shortcut and go, yeah, everything's fine, but we're asked to reaffirm consent. Right? There is a lot of that kind of stuff going on. So it's completely. It's a legitimate safe zone for marketing firms to go through that process where it becomes a problem. And we've done this with recruitment companies where they're looking to pull information from social media and then trying to guess the email addresses of individuals to contact them. And where you're dealing with individuals in that sense, where you don't have either a safe zone to communicate with them through like a LinkedIn or Facebook, or where you're trying to, you have no relationship with them at all, you're in a much, much, much more dangerous space. And bear this in mind just for marketing people as well, very important point, and there's a lot of confusion in the market here. And what I would like to do is try and clarify. There's B2B and B2C and B2B, generally speaking, where you're communicating with an individual on the basis of their role within a company, whether that's the head of procurement, the head of IT or whoever you're marketing. From a B2B perspective, it's fine to market to them so long as you give them the ability to opt out if they don't want further communication. Right. For B2C, that's where it's a little bit more problematic. And for recruitment industry, bear this in mind. And again, we're very clear on this. 
Our understanding is that where you're looking to recruit an individual, it's not B2B, it's B2C because you're recruiting that or you're communicating with that individual based on their personal skills, not based on the fact that you're CEO of this business. I'm recruiting you because you have these attributes, behaviors and interests that I feel match with my client and a personal history that demonstrates your capabilities. So that's slightly different. But for B2B where it's very clear there's no change in the rules of engagement from a marketing perspective.
A
So this is something that's going to impact B2C activity more in a marketing space.
B
100%. Yeah, very significantly. And just the one thing I need to add here as well, Kieran, is on top of the considerations around consent and the definitional aspects of this. Going back to the very first point that I was making, this is an evidence framework. There are a series of logs, there are a series of activities that you as a business have to do. And when and if the ICO comes knocking, they're going to have to see this documentation. And if you don't have that documentation, then you cannot prove that you're compliant. And that's going to be the big, big, big, big challenge here for businesses, is that they need to be prepared for the technical aspects of what the GDPR requires them to do to maintain evidence. And that's obviously one of the big challenges most businesses have, because there's a lot of work in doing that.
A
So people that have pre-ticked subscribe boxes on their forms, that's kind of going to be a big no-no. Is that right?
B
That's a no-no right now. That's a no-no right now. Yeah. And it's so complicated. It is.
A
Do you know, I've had that argument with people within businesses like, you just can't do that. No. Well, yeah, we're going to do it anyway.
B
Yeah, I know. Well, let's go back to my earlier point as well, because that's definitely the case. The problem with a pre-ticked box is the legal definition of it is you're assuming consent, and you can't assume anything, whether it's implied or explicit. Where a person ticks an empty box to opt in or ticks an empty box to opt out, there has to be an action involved. They have to clearly demonstrate their intention. And if they've not demonstrated their intention to opt in or opt out, then you can't say you've got consent. You just can't. They missed it, they didn't see it. So whether you're assuming that they're not opted in until they tick a box, or you've given the ability to opt out based off the wording, and obviously the wording is very important in the consent as well. The fair notice. And this is again, you know, what we were talking about earlier, is no surprises. You want to avoid surprises at all times because if you're explaining, you're losing. And that's the big, big, big issue with the regulators, is that if you admit that you've done something, and if it's very clear you've done something, then you've got a problem. And that problem could become very significant based off the scale of the size of it. One other point here, before I forget. Elizabeth Denham, to be fair to her, the commissioner, she has publicly stated that their preference is not to issue the fines. The fines are very significant. They're up to. Not that anybody who's listening really is likely going to face these in practice, but they're up to £17 million, or 4% of annual turnover. Yeah, not a huge. But nobody's going to get that level. But the average fine from the ICO goes up to £500,000 currently, but it's often somewhere in the region of £50,000 to £250,000, depending on the scale of the problem. I think it's fair to say that the size of the fines will be a little bit more than that now, because the remit is going to be there.
But Elizabeth Denham, to be fair to her, has stated their preference is not fines, it's enforcement notices. And the enforcement notice is, if the ICO is in your office and they're going, you can't do this anymore, you're going to have to change things, they will put a contract across the table that you will have to sign and you'll agree to make those changes. A very good example of this, and I don't have personal information on this, but it's my suspicion. Flybe were found guilty of marketing to 4 million people. Basically what they were trying, and in fairness, they were trying to do the right thing. What they were trying to do was contact 4 million people, people whom they didn't have consent to market to, and they were asking to get consent. And what they were saying is, if you give us consent, we'll enter you into a draw. But the problem was somebody complained. What's the chances? 1 in 4 million. Very high. Turned out to be 100% right. But what was interesting is the ICO said the fact that you contacted those people to get consent, you were marketing to them without consent, and they got fined 70,000. But I don't know if this happened or not, but I would be extremely surprised if it was not the case that the ICO compelled them to delete all 4 million email addresses. Genuinely. And that's the bigger impact here. It's not the fines, it's the commercial impact of not being able to use data anymore because you're not able to justify the legal basis for having it.
A
And you've got to have a lot more detail now on exactly what people signed up for, haven't you? You can't just say, well, I got permission. Well, permission for what?
B
Yeah, and we have that currently. We've had this situation, we've seen it here, for example, in Ireland. We've worked a lot with direct marketing companies in Ireland who do a lot of work in the UK as well. And we had one direct marketing company who have a website that does special deals. So you sign up for special deals and you'll receive emails and offers. What happened was somebody signed up to the deals website and, say, six months later they received a marketing email direct from a brand, and they didn't recognize who the brand was, in the sense that I don't have a relationship with these people, I never shop with them. How did they get my information? And they then complained to the regulator in Ireland. And when push came to shove and an investigation took place, it turned out that this was coming through from the deals company. Now, it was being sent directly by the brand themselves, but it was part of the arrangement that the deals company would share your information with other brands who would then market to you with special offers. The position the regulator took in this, which I don't know if it was practical, and I can see issues with this, and anybody who's listening who's in the direct marketing space will roll their eyes on this, and I can understand that, was the position the regulator said is you can only market to that individual at the time when they signed up and they gave you consent if you've identified the brands who will be marketing to that person at that point in time. So in other words, you need to have a list, and when the person is signing up, they need to see who the list of the brands are. So that means that if you're introducing anybody new later, you're going to have to get consent for them separately or in batches, however you do it, right. Which is practically very difficult to do when you're in that space. So that's the kind of challenges we see around consent. It's a really good case study, actually, of pragmatic challenges.
Sometimes it's very difficult to get around them. You know, the reality is you just, you're facing a problem here and the regulator will not move or not shift, you know.
A
And is a double opt in process preferable?
B
Well, like we have, we often see, and we've advised companies like, let's say you're in a group, right? Just to give you an example of a double opt-in scenario where you're in a group and there are multiple brands within the group, and there might be an opt-in or an opt-out, for example, depending on the circumstance, for brand A, okay, for them to market to you themselves. And then there will be a separate opt-in then if the other brands of the group want to market to you, okay, so that you actually have a separate section of opt-in for A and another. Right. So long as you know who they are and you're able to define who they are. Because obviously one of the big challenges is getting to data sharing, getting to the notional idea of single view of the customer, if you're a group, if you're going through any kind of digital transformation as a business from a marketing perspective. And like, you know, I'm sure there's plenty of people who listen to your podcast who work in larger organizations, and that's a constant quest. How do we, we want to understand our customer implicitly, and if they're coming at us from different angles, how do we, you know, from our perspective, get to that one point? So the way in which you manage consent there, the double opt-in in the sense of a separate opt-in for the different parts, the different brands, the different third parties whom you might share data with, is going to be essential to allow you, and also the fair notice you give and the privacy policy you have. So if you want to do analytics, if you want to do additional stuff on that data, it's all about being upfront, being very clear, not hiding stuff in terms and conditions. Don't be afraid of it, tell people what you're going to do. Most people actually will go a long way with you if you're frank with them. I'll give you an example.
There is one major retailer in the UK, a well known retail house, who I won't name, who we work with, who started the journey on GDPR two years ago because they recognized from the get go that if they approach GDPR in the right way, it would significantly increase brand recognition and loyalty amongst consumers. They will push a very strong message out into the market, which everybody's going to see, about how they're embracing privacy and how they see it as being important. Apple have made a big noise about this with their announcement recently of features they are adding into iOS 11 to restrict tracking of cookies, so to enhance privacy. So there are certain organizations who see a benefit in really pushing the privacy message, and I think that's an evolution you will see over time. Now don't get me wrong, there's gonna be a lot of people who won't care. The younger generations don't really care about privacy. Right. And I don't know how that's going to affect privacy in the long run. But for the moment, this GDPR is certainly going to put a lot of pressure on a lot of organizations to do the right thing.
A
I think that's a really good spin on it, though. You know, why wouldn't you do stuff that your customers are going to love? Do you know what we all do as businesses? We all do things that are hard work but that customers love. And we don't shy away from them because they're hard work, because that's, you know, that's part of the exchange. Right.
B
You're 100% right. Like, I'm a businessman at heart myself, and as a chief commercial officer, I fundamentally understand that you need to have happy customers. You've got to work very closely with them, they've got to know you, they've got to trust you, and you trust them. It's very difficult in a world that is becoming, I actually think, funny enough, maybe a little bit less transactional than people think it is. But at the same time, the technology is allowing for more transactional behavior. So in other words, we're living in a socially connected world where everybody's interacting and communicating with each other and there's so many more ways in which people can communicate. Yet at the same time, we're building technology, analytics and machine learning technology that's making cold, hard decisions about people within split seconds and doing that at scale. So there's a fundamental mismatch now between the technology we're developing, the capability, for example, that a marketing department can leverage, and yet that fundamental communication element that's broadened so much more now over the years, that direct one on one relationship you can have. So I think companies are going to have to make some very hard decisions over the next 10 years as to how they want to build that relationship with consumers. Right. And in addition, as well, with employees. Less so, I think; at the consumer side, definitely. And you know, I think where the GDPR will help is it helps focus the mind a little bit around technical legal aspects, admittedly. But secondly, best practice that is definitely going to evolve over time as to what is the best way to proactively engage with people to make sure that we're. Let me give you an example. And this is a question I put to every marketing person. I'm going to put this out here in the podcast. What would you prefer?
Would you prefer a database of a million people of which, you know, next to none of them are really necessarily directly interested in who you are and what you have to say? Or would you rather a database of 100,000 people who have actively demonstrated that they really are interested and prepared to spend money? And I think that there's an interesting opportunity there with the technology coming down the line, the communication capability that's available now, to focus more energies as a marketing environment on those people who really want to engage with you, and really develop that relationship more and get value out of it. And I think the GDPR enhances that. It doesn't in any way prevent that. It actually supports that model. The older model, I'm not so sure it's the way to go in the future anyway.
A
Absolutely. It's cutting out all the dead wood. And from a marketing perspective, that's always a good thing. I think all too often we're all hooked on big numbers and it's just vanity. You know, you've got to look at the actual bottom line and the relationship and the long term value of those relationships. And everything you've said kind of reinforces my thoughts that actually this isn't trying to undermine it, it's trying to support that, hey, it could make the world a better place.
B
You never know. There's enough other things going on in the work here.
A
We've got to be optimistic.
B
The one point I would make, I fundamentally understand, I do understand this is a difficult area for marketing. Right. There are hard decisions that do need to be made, and it's not the easiest thing in the world to go burn a database when you go, look, I gotta let all these people go because I don't have consent to contact them. And there's gonna be a lot of companies who aren't going to be prepared to do that. There's a lot more companies out there who don't know anything about the GDPR yet. The suspicion in the industry, amongst all of us who operate in this space and talking to customers who are actively involved in the space as well, working hard on it, is come January there's going to be a very significant realization in the private sector in particular that this is something they need to do. The public sector have been quietly going about their business because they have to, like public sector. They'll do their job, you know, and they'll do it quietly and it'll happen gradually. But most businesses in the private sector haven't woken up to the GDPR yet. And that still has to happen. And it will. And maybe in some instance, unfortunately, it might take some case studies from the regulator, and there will be a hit list. Like I'm convinced of this. This is my opinion on it. But you know, again, a lot of people agree with me on this. All of the regulators throughout Europe have a hit list. I suspect they know where they're going to go come May 25 or May 26 or whatever in May 2018, whenever they want to do it, they're going to start knocking on doors, and it'll be very interesting to see whether there's a marketing company who's going to be one of those organizations who get a knock.
A
So I mean, I think we've touched on some really interesting points in today's discussion. We're going to need to wrap it up. But I think it is quite a big and far reaching subject. Right. And every business is slightly different. I'm imagining there might be a few worried faces out there thinking, well, what do I do next? Is there anybody that can help me with this? Have you got any kind of good tips on finding people to help navigate these potentially shark infested waters that are coming up?
B
Yeah, I mean look, there's a lot of organizations out there that are getting into this space. A couple of things I'll advise. There are two aspects to this that you need to get right, and the narrative in the market is a bit confused in this. One is the privacy aspects, which we've talked a lot about today. And the other one is the security aspects, which we maybe have not talked as much about as we should have, to be fair. But they're very different. And my experience is in the market it's very hard to get anybody who's good at both. Right. Traditionally privacy has lain in the legal sphere. The reality is, under the GDPR, privacy is now a practitioner space. Some of the regulators have publicly come out and stated that this is now a practitioner space. So if you're going to look for help, and you're looking for help with the privacy space, do look to speak to people who understand the practitioner aspect of privacy and have been doing it a while, and separately, get the best you can get on information security. Information security as a market industry has been around a little bit longer and it's a bit more mature, and there's some great companies out there in the information security space who can really help you here. So, you know, my advice is look for best of breed in both areas and you'll get the best benefit out of it, ultimately. The warning I would give you is there's limited resources on both sides, and everybody's getting super busy. So don't wait too long. If you're looking for external help, it's going to become difficult. But anybody who's declaring themselves to be a GDPR expert, challenge them, because there's a lot of people out there. Genuinely, I'm not convinced our. We've been around a while and I'm not, I don't want to be advocating us. There are plenty of others out there.
But, you know, we knew all the privacy people out there up until about six months ago, and there's a lot more who have shown up now who we've not been familiar with, ourselves and others we know.
A
That's brilliant. You see them all crop up and it's like, hey, who'd have known? Where did all these people come from?
B
It's a problem. And I'm being very honest with you, it's absolutely. It's a problem. And so be very selective about who, in the privacy space in particular, you select. I think it's much easier to pick the right people in information security, but privacy is going to be a little bit more tricky. But look, they're there and they're out there, and there's some really good people in this space if you can find them. But even if you can't, look, at the end of the day, it's fundamentally based upon your own business anyway. And you know, there are, there are cheat sheets. The ICO's website. The ICO has some great stuff to advise you on what to do as well. So, I mean, if you don't want to, you know, bring in external resources, there's plenty of information online you can use, particularly from the Information Commissioner's Office, that will help you greatly anyway. So either way, you're not going to lose out.
A
Okay, fantastic. Well, we'll make sure there are links in the show notes to those resources. Now, I know you at Cytorus do a lot of stuff, but just kind of give us just an overview of what kind of help and resources you've got that might be able to help people with this.
B
Yeah. So basically what we do is we've two aspects to our business. We have a consultancy arm and then we have a technology business. Okay. So we have a life cycle, effectively. And what we do is we have the ability to do assessments where we can actually identify the risks that you're running within your business processes. So the specific challenges that exist within the privacy aspect of your business models and what you need to do to fix them, and they're very practical, they're not high level, they're not hypothetical. Because we do direct interviews with people on the ground, within your business, who deal with the data day to day. So they're the team leaders, people you trust who've been around a while, the person who's been the HR administrator for the last 25 million years. They're the people we talk to. Right, because they know how everything operates and how things are meant to operate. And we advise then, on the basis of the risk assessment, where the risks are in practice and what you need to do now. Inevitably then, people need help. Some companies are going to have to appoint a DPO, a Data Protection Officer. We didn't mention this. It's mandatory for certain industries, for example charities, for example technology, financial services, public sector, medical, utilities and telecoms and social media, or anybody who's processing large, large volumes of personal data. We help you train up an internal DPO. If not, you're definitely going to need somebody to be your go to GDPR guy or girl in the business. We will train them up as well. We give them all the support during the implementation phase when you're making the changes, and then we supplement that with our product called Privacy Engine, which is a privacy management system we built, which contains everything you need to provide evidence to the ICO that you're compliant.
And there's a lot of capability within the system to do that, including real time support through the portal with our consultants, who are available in real time through video chat, desktop screen sharing or simple text chatting, where we can review documentation, chat to you about a problem, maybe something's coming up in a meeting, etc. And lastly then we do training as well. So we get you trained up to the appropriate level as the DPO, as the go to GDPR person. And if you have a support team that you've picked around you to help you implement the changes that need to happen in the business. So look, with the full life cycle of support, it's all practical. It's based specifically on the privacy aspect. I will say 93% of the GDPR is privacy related. 7% of the GDPR is actually security related, if you do a breakdown of the 99 articles. So we can help you with the vast majority of the issues that pertain to GDPR.
A
Fantastic. Well, thank you so much for your time. It's been a really great, really great chat, and it's been really useful just to get some practical angles on this beast and what it is and what it means and how it may impact on us all over the forthcoming months. I think you're going to be very busy.
B
Yeah, we are. We are right now, to be honest with you. Yeah, no, absolutely. I know. It's. It's. Yeah, it's only going to get busier right there, Kieran. Anybody who wants to get into this space and be a practitioner, let me know.
A
Great stuff.
B
Good stuff. All right, Kieran, great.
A
Well, thank you so much, and best of luck.
B
Yeah, no problem. Thank you very much for your time as well. Thank you, everybody.
A
Thanks for listening to another episode of the Digital Marketing Podcast brought to you by Target Internet. If you'd like to get more information on the show, get hold of back issues of this podcast, or get details on any of the links we mentioned, please visit our website at www.targetinternet.com. If you've enjoyed the show, we would love to read your feedback. Please rate us in iTunes or, even better, write us a review. Or if you have any questions, please get in touch. We'd love to help.
This episode explores the European General Data Protection Regulation (GDPR) and its sweeping impact on digital marketing, data processing, privacy, and business operations. Ciaran Rogers interviews GDPR expert Mike Morrissey for clear explanations, practical advice, and candid insights on what businesses—especially marketers—need to know and do to prepare for GDPR’s introduction in May 2018.
Quote:
"Anybody who's an employer, anybody who's working in a senior management role...the mechanism allows an individual to get a physical copy of all information held about them...If you fail to respond, there will be a complaint to the regulator..." — Mike Morrissey [13:33]
Quote:
"The GDPR fundamentally massively reinforces the rights of consumers and individuals in terms of how their information can be used..." — Mike Morrissey [18:25]
Quote:
"Consent for marketing...had to be explicit...an unticked box that a person has to opt in...which most people won't do." — Mike Morrissey [22:36]
Quote:
"For B2B where it's very clear, there's no change in the rules of engagement from a marketing perspective." — Mike Morrissey [29:54]
Quote:
"The bigger impact here is not the fines, it's the commercial impact of not being able to use data anymore..." — Mike Morrissey [34:50]
Quote:
"It's all about being upfront, being very clear, not hiding stuff in terms and conditions. Don't be afraid of it, tell people what you're going to do." — Mike Morrissey [38:33]
Quote:
"What would you prefer? A database of a million people...or a database of 100,000 people who have actively demonstrated they're really interested..." — Mike Morrissey [41:19]
The podcast provides actionable insights and a realistic perspective on GDPR for marketers and business leaders alike. While the new regulation brings significant work and uncertainty, it encourages best practice, genuine relationship building, and long-term business improvement. The key message: don’t panic, get practical, and prepare now—using robust, well-documented processes—to ensure you’re ready for GDPR and the evolving digital privacy landscape.
Resource tip:
Start with the ICO's website for comprehensive, up-to-date guidance.