The resounding conclusion from our event on GDPR, is that the new legislation will ultimately be a good thing for businesses in the financial services sector. A surprising conclusion given the impact it is having on all companies within the industry. But as our speakers so eloquently explained – with every change comes an opportunity. Lynsay Haque provides a summary of the event discussion.
What is General Data Protection Regulation (GDPR)?
In short, GDPR is a new EU wide Regulation on data protection, due to come into force on 25th May 2018. It replaces the current Data Protection Act (DPA), and is aimed at protecting customers in a new and fast-moving digital and social media era.
Is GDPR good or bad?
Paul Malyon of Experian accepts that GDPR demands big change for many organisations, but believes this will mainly be an evolution within financial services, rather than an evolution. Anything that empowers the customer and improves trust and transparency is a good thing, and organisations that get it right will reap the rewards. If GDPR is used as an agent for change, it can yield benefits such as accurate targeting, a better customer experience, business efficiency, consumer trust, and innovation.
Paul Winters, CACI, agrees, but points out that the role of the Information Commissioners Office (ICO) is critical. There needs to be a balance between individual rights, and allowing businesses to use personal data as an engine for economic growth.
Jonathan Harman, Royal Mail, believes marketing is something we do for customers, not to them. GDPR is an opportunity to re-set our relationship with customers. It represents an opportunity for a resurgence in postal marketing as the ICO has stated that many of the new rules only apply to email, texts and telephone.
Attitudes to data privacy are very personal
The impact of GDPR will ultimately come down to the individual, and marketers should be aware of these attitudes when designing customer journeys and campaigns. Experian believe that everyone can be categorised into one of four profiles when it comes to their attitude to data:
- Unaware – 22% of people are unaware of the implications of giving their data, and can react very negatively when they find out. Be very clear and transparent about what you’re doing with a customer’s data to avoid any distrust in the longer-term.
- Accepting – 41% of people accept that their data will be used for marketing purposes.
- Cautious – 28% of people will only share their data if they believe it is worth it. Again – be transparent.
- Incognito – 9% of people will do everything they can not to share their data.
How will GDPR affect marketers within Financial Services?
According to Paul Winters, CACI, the key changes that will impact marketers in our sector are:
Consent
Changes to consent will mean large amounts of data will not be compliant when the rules come into force in May. Consent will be almost impossible to achieve for acquisition purposes, and this could ultimately lead to less choice for consumers. Organisations such as CACI and the Direct Marketing Association are lobbying the ICO, as they believe they are taking a ‘restrictive view’ of some of the GDPR clauses, making them more restrictive than they need to be. Final guidance can be expected by the end of March, so watch this space.
Legitimate interest
The guidance given by the ICO for legitimate interest states “You can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.”
Interestingly, legitimate interest doesn’t apply to postal marketing, presenting something of an opportunity to marketers.
If you’re interested, the Third Party Data Hub is producing guidance on when legitimate interest can be used for marketing involving third party data.
Profiling
GDPR states that individuals have a right not to be subject to a decision based on automated processing that ‘has a legal or significant effect’. Profiling is considered to be a form of “automated processing” that is intended to evaluate certain personal aspects of an individual.
It’s not clear whether targeted advertising is considered to have a significant effect on individuals, and the ICO is still to issue guidelines on this. Either way, there will be an obligation to tell the customer you are carrying our profiling, and the challenge will be how you do this without alarming them, and in such a way as they will understand.
E-privacy regulation
A new ePrivacy Directive is being drafted in Brussels to sit alongside GDPR. It will update the current ePrivacy Directive/PECR, and is expected to be implemented in 2019. The big issue is consent on web sites and how to replace the cookie pop-up. Currently the favoured route is via web browser settings, but is it realistic to expect browser manufacturers to solve the problem?
Individual consent for cookies could dramatically affect online advertising revenues, which will reduce free content on the web and could ultimately be bad for consumers.
How prepared are we?
Many of the practises outlined in the GDPR are already integrated into business process in this country. That said, according to research carried out by Experian, while 99% of businesses in the UK are aware of GDPR, only 15% feel very prepared.
