DP2018: Beyond the GDPR - A review
02 Oct 2018
A day to reflect on the GDPR that came into force in May, including experiences and challenges across the industry - but Data Protection 2018 was also designed to look ahead and beyond the new laws as well.
Here we have collated some of the highlights from the DMA event, which took place at London’s Euston Square - featuring key insight and takeaways from leading industry figures.
Where we are, and where we're going
Things began with an introduction from DMA group CEO, Chris Combemale, and an overview of where we’ve come, are and may be heading. Also mentioning concerns about the future relationship between the UK and Europe, “We cannot retain the UK’s leadership in the data and marketing industries without an adequacy agreement with Europe.”
Then this year's keynote speaker took the stage and the ICO’s deputy commissioner, Steve Wood, discussed the last year and also looked forward to what’s next for the regulator.
“There are already green shoots when it comes to trust and confidence in how companies are storing and using personal data,” Woods explained, as the regulator’s latest consumer research highlights understanding and trust in businesses on the increase since May.
He also added that, “We didn’t plan, in the run-up to GDPR, to also undertake the largest investigation in the ICO’s history. But that’s what happened.”
The deputy commissioner then went on to discuss the priorities for the ICO in the coming year, with a key priority being the development of new or updated codes of practice across industries.
Most pertinent for those in the room will be codes for direct marketing and data sharing, but Woods explained they cannot do this all alone: “Partnerships and working with key trade bodies like the DMA is key to providing organisations with the co-regulatory mechanisms they need to comply with GDPR.”
Looking ahead, Woods emphasised that GDPR must still remain an opportunity and not a threat. The key will be building sustainable relationships with customers. Closing by explaining that the ICO remains open, helpful and practical regulator willing to listen.
A data panel speaks...
Steve Woods was followed by a panel made up of speakers that have spoken at previous DMA Data Protection events, to share their latest experiences and answer questions from the audience.
The group included Sanjeevan Bala from Channel 4, Rebecca Turner from Trainline, Richard Merrygold from Homeserve, Simon Hall from Lowell Group and Commvault’s Jo Blazey.
Hall opened by commenting that, “The biggest impact on us has been a ten-fold increase in subject access requests. To around 400 a month post May.”
This is something Bala said Channel 4 had seen too, but only in the short term: “Around 25 May we had a spike in subject access requests, but post we’ve seen it return to pre-GDPR levels. We’re also looking into whether technological solutions to deal with these will be effective too.”
The discussion also covered the use of consent, legitimate interests or a mixed approach. Homeserve’s Merrygold explained the benefits of their mixed approach: “We really rely on legitimate interests to contact the customers of our key partnership, but once customers sign-up we use consent. That’s meant more engagement, less unsubscribes, less complaints.”
An approach that the Turner agreed the Trainline has also taken, “If you are in constant communication with a customer and they keep coming back to buy from you, then the consent window can slide, rather than being a fixed window.”
The panel also agreed with Blazey’s point that, “The general public’s awareness is growing. People are looking at what businesses say and becoming their own data protection expert. So businesses not taking GDPR and their compliance seriously could well get themselves into trouble.”
Highlighting the importance of businesses being transparent and talking to their customers about their data in a clear way too.
A news bulletin from the BBC
Following the break, the audience heard from the BBC’s head of marketing, Ian Wolfe, and senior digital lawyer, Kate Reid, on how the brand developed a new privacy and cookies policy that put its audience at its heart.
Wolfe started by explaining that everything in the organisations approach, including GDPR, always starts with the audience. Personalisation being at the heart of the broadcaster also means ensuring a balance between the benefit to the audience and the business is key too.
That's why, when reviewing their policies for GDPR they used insight from their audience to understand what they wanted, how they wanted to be spoken to and the key issues they’re concerned with when it comes to their data.
For the BBC tone of voice was also key, making sure the new policy was engaging and informative, whether the consumer had little or a great deal of interest in data issues.
The result of the new policies - BBC Hub - was to provide its audience with all the information they wanted in one place. This area of the organisation's site has become the most popular, receiving over 300,000 unique browsers per month.
Finally, the duo explained how there were challenges, but that the opportunities made the work more than worthwhile.
Has GDPR only just begun?
Next, Chris Whitewood, privacy and data protection officer at Direct Line Group, started by reminding the auditorium that “We’re not beyond GDPR, really GDPR has only just begun.”
He went on to discuss how Brexit may (or may not) change the laws by which companies must abide. No matter what happens, the key word for everyone should be accountability and just because there is not a clear set of rules for what compliance is doesn’t excuse businesses from attaining it.
The important thing is to develop an organisational approach to GDPR that aligns with the values of the business.
Whitewood closed by explaining that there are clear opportunities around making data more useful, updating systems, enhanced transparency with customers, greater oversight across supply chains, new applications and how this all can give key stakeholders renewed confidence in what businesses are doing with data.
But there are challenges around data subject rights, complaints, incidents and accountability.
An academic look at AI
Lastly, Luciana Floridi, Professor of Philosophy and Ethics of Information and director of the Digital Ethics Lab, looked forward to how AI can be a force for good and the future for the sector.
He opened by explaining that, as a philosopher, he is normally called upon when industry has tried speaking to everyone else about complex issues like AI, marching learning and future technologies.
Floridi then took the audience on a journey through his background and that of AI more broadly, the terms that are converging as technologies do and the key challenges we must resolve as a society. He explained that the big bad robots coming to take of over the world is not one of the challenges we should really concern ourselves with.
The real risk and opportunity of AI technologies is actually, Floridi believes, in the over or under use of it, with both leading to significant risks and wastes of this powerful new tech.
Finally, Floridi highlighted the noise that’s growing around ethics in the field of AI, with an analysis of all the ‘principles’ that various organisations are claiming to be important revealing there are around 47 distinct things for businesses to worry about. However, further analysis by his team boiled these down to five key things to note.
With that the session wrapped up, with guests dispersing to round tables and to further discussion and networking.