January 19, 2017

How to avoid getting bitten on the bum by GDPR (part 1)

By Paul Laughlin

Most of our content this month has been focussed on helping insight leaders prepare for the year ahead. With the EU-approved General Data Protection Regulation (GDPR) due to be implemented in the UK on 25th May 2018, this must be a consideration for all insight leaders.

In my own work with clients & conversations with others, I do find GDPR is cropping up more often. However, I’ve become a little alarmed at a general sense of complacency, or putting off looking into this for now. Given the scale of impact & time taken to deliver any significant data projects, I suggest leaders focus on this now.

Do you know if you already comply with the likely requirements of GDPR? Have you at least identified any significant data model or systems changes needed, so that project planning can begin ASAP?

Getting clearer on GDPR

Two reasons appear to dominate why people may not have done so yet. The first is awaiting interpretation of elements of GDPR for UK businesses from the Information Commissioner (ICO). The second is a sense that GDPR was not ‘as bad as expected’ or not ‘as draconian as feared’; even if that leader still isn’t crystal clear on scope & impact. It’s true that the ICO did appear a little ‘slow off the mark’ (or perhaps waiting for greater clarity on Brexit), but their guidance is beginning to appear.

Now this blog post is too short to answer all the questions you may have about GDPR. But, given 2017 will also see data leaders needing to engage with changes in ePrivacy regulation, GDPR is too timely to be ignored on this site. So, I will use this blog post simply to point out some aspects of GDPR that data insight leaders should be considering, and where you need to look further, if you like.

In no particular order, here are some potential impacts to check…

Change in definition of consent

The GDPR expands on & clarifies the looser definition of consent currently in force. That new definition is:

“…’consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Two key phrases in that text are ‘unambiguous’ and ‘clear affirmative action’. With the caveat that I am not able to offer any actual or implied legal advice, it’s worth also pointing out that the supporting notes (given the strange name ‘recitals’) clarify that:

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.

So, the first impact that I would encourage leaders to check is all your data capture touch-points & comms. Are you sure all operate on positive opt-in and none are still getting away with the passive opt-out requirement?

I won’t bore you with the detailed text here, but GDPR also makes clear that this consent should not be a condition of accessing elements of product or service that do not require the data to operate. It must be ‘freely given’. Are you sure you don’t have requirements for marketing consent hiding behind special offers, competitions or newsletters?

Is Legitimate Interests your ‘get out of jail free’ card?

One of the collective ‘sighs of relief’ heard from the direct marketing industry, when the final text of GDPR was confirmed, was that direct marketing was still identified as a ‘legitimate interest’. To some, that held out the potential for businesses to define their use of data as this, rather than require explicit consent before marketing.

A few provisos are worth clarifying, before you get too relieved. Recital 47 makes clear that there might be a legitimate interest in direct marketing to existing customers, but also states that the context would be that the data subject could ‘reasonably expect’ this to happen. Other caveats also make clear that any objection by the data subject would override this ‘right’.

So, although it might seem tempting to have a way around unambiguous positive opt-in, this might be fool’s gold. I say that because when marketing on such a basis, the onus will be on the data processor to make clear to the data subject that they are using this permission & to provide a suitably clear means of opting out. Are you sure you can explain to your customers in ‘plain English’ what your use of their data under ‘legitimate business interests’ means?

Your profiling has been spotted

Another popular topic amongst those who like to discuss GDPR (you know who you are) is that of ‘profiling’. By this term the EU means use of personal data to analyse or predict people’s performance, behaviour, situation, interests, location or movements. Not only is this new, compared to the UK’s Data Protection Act, but it includes the right of people to opt out of their data being used for this purpose.

Anyone who leads analytics or modelling teams will know this ‘opens a Pandora’s Box’. Nowadays, most direct marketing & sometimes all customer interactions are targeted by use of predictive models. Many are also personalised or timed through use of segmentations, scores, flags or as a result of behavioural profiling.

Now, it’s bad enough that an individual might want to opt out of you being able to target your interactions using your standard processes. It is still unclear whether their data should also then be removed from datasets on which any existing models/rules were built and the analytics repeated. What is clear is data subjects will have a right to object and ‘profiling’ is only legal with their permission.

So, consider this: Do you have data models/structures that capture an individual’s permission at this level of granularity (i.e. not just marketing permission, probably by channel, but also profiling permission)? Plus, do you have analytics & modelling processes that enable rebuilds on the basis of customers withdrawing permission for data previously in modelling datasets? Not easy, but a pragmatic solution will need to be found. Plus, it will be your responsibility to ‘inform’ the data subject of their right to object to such profiling (how will you explain it?).

Will people want to go incognito?

Legal cases against Google & Facebook have raised public awareness of the ‘right to be forgotten’. This is another addition, via GDPR. Not only will data processors need to make this right clear, but they should then erase the individual’s data ‘without undue delay’. So, data controllers are required to inform data processors of any erasure requests and take all ‘reasonable steps’ to tell other data controllers where data has been shared.

Think for a moment about the interconnectivity of your current IT systems. If you are a large UK corporation, chances are you not only have a myriad of legacy systems internally but also share data with external systems for operations, marketing & other functions. Do your data models & current processes enable all the data about an individual to be found & erased? Does your answer to that include confidence in the ability of your suppliers & partners to action such an erasure request at the same time?

There are a myriad of details to be worked out on this one. If an individual has also asked to be suppressed from marketing, is it reasonable to keep sufficient data to still enforce that request? But, for now, realise that the bar will be higher than just having a data retention policy and answering Subject Access Requests. You need to test run how you would execute an individual erasure request across your data landscape.

Building on that capability will be the right to data portability. Individuals should have the right to leave & take their data with them. We have all seen the changes in Utilities to enable this & Banks are currently preparing for Open Banking protocols. What about your business? How could you provide customers with all the data they need to easily change provider? That may well be coming – so plan ahead.

There is more to GDPR!

That’s sufficient to chew on for this blog post. But there are more topics for data leaders to worry about.

In part 2 of this mini-series, I’ll share my thoughts on these aspects of GDPR:

  • Data Model impacts (inc. can you prove consent & when is its use-by date?)
  • Data Protection Impact Assessments (inc. are you designing for compliance?)
  • Record keeping & Contracts (what should these cover?)
  • Data Protection Officers (do you need one & what should they do?)

Hope that sounds useful & this post was helpful. Do share your perspective & lessons learnt, as we are all still learning what will work best.