Time to prepare for greater consumer data privacy

The introduction of the draft EU Data Protection Regulation into EU law is likely to be delayed for at least a year from 2014 to 2015, after Prime Minister David Cameron secured an extended deadline at the weekend at a meeting for heads of government of EU states.

Cameron persuaded fellow heads of government that it would be “better to have no deadline at all than to rush through legislation”. If the decision to extend the deadline is not overturned by justice and home affairs ministers at their meeting in December, under pressure from the European Commission, then it’s likely the new Regulation will not be implemented into UK law until 2017.

This has given our industry great cause for optimism. Only last Monday (21 October) the European Parliament’s Civil Liberties Justice and Home Affairs (LIBE) Committee voted on amendments to the draft legislation, which would make things a lot worse, not better for our industry

The delay gives some breathing space for justice and home affairs ministers of member states to examine the proposals at length and for industry and others to make their case.

However, the battle is not yet won. There are those who thankfully take the view that privacy is a fundamental human right, but are seemingly looking to stop data-driven marketing in its tracks. There are also those who take the view that privacy rights must be better balanced against the interests of the marketing industry and the growth of the economy.

Building consumer trust, encouraging data exchange
A healthy digital economy is of course dependent on a compelling data / value exchange to help inspire consumers to engage and buy. Consumers want to be empowered to control the use of their data but they also want relevant marketing. Analytics and segmentation are simply a necessity.

Everyone agrees that control over personal information needs modernising for the digital world so the new EU Data Protection Regulation, if done well, is welcome.

However, it could well be that the final version will contain some significant challenges for data-driven marketing, such as:

• Explicit consent to contact and profile data will be required
• A new wider definition of personal data, for example ‘passive data’ such as IP address
• Right to be forgotten – users can request permanent deletion from systems
• Greater accountability both for data controllers and processors
• Higher penalties for breaches of up to 2% of global turnover or €1m

My advice is to set yourself some time to think about how the new rules will impact your customer base and set aside some budget for next year to review, test and make changes in preparation.

Here’s what you can be doing now:

Carry out a privacy and consent statement audit

1) Is your privacy statement future-proof? Does it describe, in plain English, all the data you are collecting, including data that is passively generated like click-stream data?
2) Are you obtaining the required consents? Is implicit consent informed and transparent enough? Could you make greater use of explicit consent? Does your channel and brand level consent allow you to reach consumers and cross-sell?
3) Are your privacy and cookie statements clearly sign-posted? If not, are you actually gaining informed consent at all?

Carry out a database consent audit

1) Do the values in your data properly reflect the actions and wishes of your consumers? Can you distinguish different cells accurately?
2) Can you identify from the data when your consent statements changed? Do you keep adequate history of consent changes?
3) Can you adequately prove where and when you obtained consent?

Challenge your data / value exchange

1) How compelling is it for your customers to give you their data with explicit consent to use it?
2) How well linked is the value of your products and services to the necessity to collect data?
3) Do you need to collect certain data at all?

Test before it’s too late

1) How many customers on your database have not provided explicit consent? When the new regulation kicks in, you’ll no longer be able to market to them.
2) What impact does changing to explicit consent have on your opt-in rates? Find out now while you still have time to test and learn.
3) Test how to collect the data you need. Try reducing the amount of data collected upfront and link further collection to moments of value exchange.

Most importantly, start preparing for the new legislation now, before it starts impacting your customer communications.

By DMA guest blogger, Nick Tusler, Data Operations Director, TMW