In one year precisely the General Data Protection Act comes into force. From 25 May 2018 companies will not be able to use personal data to target marketing messages at consumers without their explicit consent.
This may hit print but it will be a huge kick in the goolies for unsolicited email marketing. The penalties for non compliance are potentially life changing: 4% of global turnover or €20 million.
The GDPR is an EU initiative, designed to create harmony across the single market in the way that personal data is used and protected. However, despite hurtling towards Brexit, the UK government has indicated that it will abide by the terms of the GDPR. There will be no escape.
The problem is that, a year away from its implementation, there is no strict definition of those terms, nor how the provisions of GDPR will be applied. The Office of the Information Commissioner, the government body in charge of all things data related, has produced guidelines and core instructions but huge grey areas remain. The ICO plans to issue further guidance, but time is pressing and companies need to start preparations now.
Unsurprisingly even marketing agencies who will be on the front line as the GDPR hits, are not always confident that they are on top of all the issues. In a survey at the end of last year the Direct Marketing Assocation found only 26% of marketers felt they were prepared. In another, IQ Data asked a wider range of businesses and found only 50% felt confident that they were on top of the subject. They probably were not.
The DMA is taking action, holding seminars to alert its members to the likely impact on their businesses and what may or may not be allowed. There are clear criteria for companies to hold or use personal data. First, there has to be a legitimate purpose to this. This is unlikely to green-light the use of personal email for marketing purposes, but it will allow direct mail.
Any emailing needs to have firm opt ins for it to be allowed. Last year, Honda was fined after failing to prove that it had permission from those it had sent a blanket email to asking them how they wanted to receive information from the company.
A direct mail piece would not have incurred as many complaints. And direct mail will be covered by the legitimate purpose clause simply because companies need to market their goods and services.
Companies may hold personal data to enable product recalls to take place if necessary; personal data can be accessed under a clause of legitimate access, for example opening a wallet of someone struck down in a car accident. And if there is a clear public interest.
Finally legal necessity may dictate that data is held as part of a contract: a consumer buying something online would naturally provide a name and address to deliver the purchase. But this does not amount to permission to continue to market to that consumer via email. A printed and mailed catalogue is, however, permitted.
The key definitions are around consent and preferences. It means that those handling data will need to maintain up to date records of how customers wish to be communicated with. Legacy data will be outlawed, but there is no specific definition of what constitutes legacy data.
Printers will need to comply. They will need to secure the personal data of their own staff let alone the data supplied by customers. Any business handling such data will need to appoint a Data Protection Officer as the visible representation of compliance and the person responsible for compliance, though perhaps only larger companies will be affected.
Data will need to be in a single database, perhaps putting an end to sales staff compiling their own client lists and notes and putting a further nail in attempts to create a mirror business by staff who then leave to set up their own company a few months later complete with customer files, an already illegal practice.
It begins, he explains, with a Gap analysis to understand the current situation and to define paths towards compliance. Many will have appropriate procedures in place as a result of the existing Data Protection Act. This will polish those procedures and ensure that they are properly documented and that actions in the case of a data breach are clearly defined and understood.
“The printers that have more than 250 employees and that are part of a larger group will be taking this very seriously indeed,” he explains. Smaller companies he believes may be less affected, though those working for businesses that fall within the full scope of the GDPR, may also be encouraged to comply to guarantee the compliance of their customer.
It will be simpler for printers that already have ISO 27001 in terms of data handling and risk assessment. They are already fulfilling the terms of ensuring that data is held securely, that it cannot be moved easily and that only approved people have access to it. “For companies that already have ISO 27001, this is about refining their procedures,” Springford says.
This will include the nomination of the Data Protection Officer, only relevant in those larger companies he says. “A key task is to uphold the right of an individual to know that their data is properly protected,” he explains.
So far, so straightforward. There are changes around the definitions of Data Controller and Data Processor, the latter being the position that most printers will be in. Data Processors are going to have to tighten up procedures, though exactly how is another area that is currently as clear as mud. For printers this will mean looking closely at procedures because the Data Controllers will want to work only with businesses that are compliant.
The Data Controllers are the marketing agencies, the publishers and retailers that compile the lists that are used to market to us. And with the internet the amount and scope of this data has increased exponentially and its use has exploded indiscriminately.
The GDPR is attempting to put this genie back in the bottle. At its heart you cannot communicate with someone by email or SMS unless there is explicit permission to do so. This is where the fuzziness comes in.
In its purest form this means that the avalanche of shotgun emails will be illegal unless this permission exists and the sender can prove that it exists. It could mean that bots will not be able to scrape personal details from websites or use browsing history to chase you around all kinds of websites for the next month.
It will mean an end to list brokers who have compiled email lists without the permission of those included. Websites will not be able to hide behind the reams of T&Cs that nobody, apart from the lawyers writing them, has ever read.
Those for Paypal run to more than 36,272 words (at the last count) which is more than in Hamlet. By comparison iTunes weighs in at the length of Shakespeare’s shortest tragedy Macbeth, but still amounts to more than 19,000 words. T&Cs will need to be briefer and clearer and will have to stress the rights of the individual as spelled out in legislation.
This is in line with research into consumer attitudes. People are increasingly reluctant to part with personal data because the consequences can be so annoying. If they are to give their consent to use of personal data they will need something in return, and are fickle enough to withdraw that consent if they feel that permission has been compromised.
And in government terms, in Europe at least, the right to privacy of the individual trumps the rights of companies to stalk them. The US seems to be taking the opposite view which will lead to clashes.
Under the terms of the GDPR, individuals have to opt in to receive emails or to allow their data to be used by third parties. Implied consent because a box has not been ticked is not enough. Profiles of the spending habits of individuals cannot be shared for email marketing purposes unless explicit consent has been obtained.
Profiling in itself is not outlawed and by encrypting personal details that could be used to identify individuals, demographic data can be massaged and interrogated and then used to market to individuals.
This should put an end to sharing data around cold calling telephone marketing agencies using data about donors to one charity being used to pester the same people from another charity, activity that has been highlighted in the media and has resulted in some high profile actions under existing legislation.
Wealth profiling, as this is known, is already under threat as the Information Commissioner’s Office. Where part of a data processing business has always been to track the movements of those moving house and thus updating databases that relate to these people, the ability to do this legitimately is now in doubt.
It will hit marketing in the charity sector, but the rules will apply in other sectors too. Informing a charity that you have moved comes well down the list. It is reckoned that a householder has 39 essential bodies to tell when changing address, when adding various subscriptions, loyalty schemes, other memberships and so on, days can be tied up. But if the relationship continues unbroken albeit at a new address, the legitimate reasons should travel with the Pickfords van.
Individuals have the right to know what data is being held on them and to have that erased. This is the right to be forgotten that has already been imposed on Google.
So far, so interesting, but perhaps with little direct impact on printers. On the contrary. Without recourse to blanket emails, marketers must find another way to reach customers and prospects. And this will favour traditional forms of advertising: television, cinema and radio and crucially for any kind of targeted marketing: print.
Direct mail is not outlawed by the GDPR. The use of magazine advertising to reach target groups is not outlawed even where
permission does not exist.
Nor are door drops banned. Interestingly door drops from supermarkets, garden centres and DIY stores are big business in Germany and the Netherlands, key EU member states involved in drawing up the provisions of GDPR.
The scenario where a door drop leaflet drives a customer to a website recording his or her interest in redeeming a coupon and providing permission for subsequent communications is one that has piqued the interest of many in the printed marketing sector.
Fraser Church, development director at Paragon Customer Communications UK (formerly DST Output), says that such printed communications can be the start of a relationship. “You can then continue to communicate, using email of permissions have been given, or using print. The GDPR can be the biggest positive for the print and marketing sector for years,” he says. Paragon is beginning to organise seminars for its customers to explain how it believes GDPR should be interpreted. Like the DMA, the printer has found a level of confusion and unpreparedness among its customers.
It will be an opportunity, if not to provide advice as this is fraught with problems, but to explain how it interprets the provisions. “We can say that this is our understanding,” he says.
Paragon is not alone. GI Solutions is talking to its customers and many of them are not ready, says Darren Crawford. It is working with other customers to ensure that both sides are compliant well ahead of time. “I don’t think this will change the day to day work we do. The big area of change will be in the initial take on of a contract. Making sure the due diligence for both parties has been undertaken to a high enough level,” he says.
The company’s own research has involved copious reading, attending seminars and seeking outside legal advice. It has also been a board level matter. Failure to comply for a data driven business is simply unthinkable. As to the outcome, Crawford is cautious. “I think all forms of direct marketing will be affected. As to who will win and who will lose, we will have to wait and see.”
Jon Bailey, CEO of ProCo, is also adopting a neutral position. “We are getting our thoughts around GDPR and working with our partners. This has involved internal training and customer sessions,” he says. “We think it will strengthen the positive aspects of DM such as its strong response rates, but it may not be beneficial straightaway.”
The printer is not a volume producer of direct mail or marketing literature, instead focusing on shorter runs with greater impact thanks to customisation and profiling. “We are involved with customer engagement programmes which help create customer loyalty and a commitment to the brand owners. It is about adding value to the customer experience,” he says.
In most instances the marketing teams will have permissions to use personal data as part of the loyalty programme that the communication is part of. It is clearly an approach that is becoming stronger, holding on to and building a relationship with existing clients is more fruitful than sweeping for new customers.
Customer have clearly discovered that the experience of being stalked around the internet, spammed by unwanted email messages or plagued by SMS is not good. The world is not going back to junk mail, but the opportunity from carefully crafted messages in print is the door that GDPR will unlock for the industry.
Failure to do so will expose a business to fines of up to 4% of global turnover or €20 million.
Printed direct mail will not face the same restrictions, making print on paper more appealing than bits on an email.
Story 1 of 2
Printers have started warning customers about the implications of GDPR while at the same time getting ready themselves. Those that have not prepared will be at risk of losing customers as clients seek to work with suppliers that can show they have the correct procedures in place.
Story 2 of 2
No comments to display, be the first! Leave a comment in the box above.