Drum GDPR breakfast | DMA


Drum GDPR breakfast


The DMA's public affairs manager Zach Thornton joined members of Turn and CitizenMe for a breakfast debate on the impact of the GDPR at The Drum's HQ in Shoreditch, east London.

Zach was joined by Turn's EMEA managing director Richard Robinson and CitizenMe's insights director Ryan Garner, ably hosted by The Drum's digital editor Ronan Shields.

Public awareness

Turning first to whether the GDPR is the concern of marketers, ordinary people or both, Robinson said, "Joe public is not aware or concerned. Brands are becoming increasingly concerned."

Thornton agreed. "The GDPR will change the way businesses use data and the scale of change is massive," he said.

Garner said one part of the GDPR would have an impact on consumers. "Data portability, taking from one context to another, making data fluid. This puts users in control," he said.

What will the GDPR change?

Thornton said that those who stick to "current regulations, plus best practice" would be in a commanding position once the GDPR becomes law in 2018. "No more pre-ticked boxes – they will be illegal," he said. Fines for those breaching the GDPR will be significant: up to €20 million or 4% of global turnover.

Robinson said some confusion remained, giving the example of Personally Identifiable Information (PII), or data that could be used to identify specific individuals. "We don’t know what [the definition] of PII is. We don’t know how the Privacy Shield will work. Yesterday, an EU body said it didn’t go far enough.

"90% of CIOs are panicking about this – they have concerns about data held on their businesses. Ratification will mean more awareness, but what this means, we are not anywhere near it," he said.

Garner said that the regulations would have a significant impact on the way businesses obtain data. "For us, our interpretation, consent will have to be given for each specific use of that data. Given the fines, this is a mindset shift – how to adapt businesses to this permission-based flow of data? This is one of the red lights for the GDPR," he said.


Robinson said the definition of PII could be confusing. "What is it? Passport number? Social security number? But my first name is not, until it’s associated with something else. Lots of digital marketing is not based on what I would call PII, but behaviours," he said.

Thornton said, "PII definitions are broad. Location or IP could be considered personal. It depends where it sits in the ecosystem and how it might be used to identify someone."

Garner disagreed. "The legislation says IP is PII. It's about what would we not like to escape into the wrong hands. But there are so many woolly terms in the GDPR. We need to define them," he said.

"People’s privacy should be a starting point, not something for the legal department afterwards," said Thornton.

What to do now

Robinson said, "We are watching very closely the wonderful site the DMA has set up. We have our lawyers looking at our data and our customers, but there is so much ambiguity at the moment.

"Look at what the implications are to you, and the implications are for your customer – the consumer. Look at what’s right for your business and the consumer," he said.

For data that may have been collected legally but may subsequently fall foul of newer legislation, Thornton said, "In the past, the ICO has allowed a grandfathering period to re-ask and get the right permissions in place."

Privacy Shield

The Privacy Shield is designed to ensure that European citizens' rights are respected when their data are used by large, mainly US-based, tech firms. "US companies operating in the UK will have to bring the same regulations. Because of Privacy Shield then the US is considered to have a system similar to the EU. GDPR will be gold standard, so if you follow this you will not fall foul anywhere else," said Thornton.


According to Garner, "I think people are not going to become aware of this until it has meaning to them. Safe and secure way is a hygiene factor – they want to buy something, but want to do it in a fair and transparent way. A better one to watch is how trust changes over time. 75% of consumers do not trust brands with their data."

Robinson pointed out that there is a common confusion between privacy and security of data. "Look at the Talk Talk data hack - this is a security issue not privacy issue – we need to talk the right language to consumers and explain what privacy and not security means."

He added that marketers can also cross a privacy line when retargeting. "Marketers are using a blunt data tool to get a sale – remarketing when I have already bought is a bad service," he said.

Thornton said the main issue is transparency. "Businesses are not transparent with their customers. This gives rise to these bad stats. If you show them the value exchange, people are more often than not happy to share."

Garner agreed. "People do not want to stop using great tools like Facebook. Businesses need to use these in a responsible way, but this is not happening. Data brokers, aggregators, etc where people add insight into the whole process – this is where people need more transparency and it becomes creepy. People love personalisation up to a certain point until a certain point then they drop off, it becomes too creepy.

"The tools are not fully formed," he said.
