GDPR Ready Presentation - Marc Michaels


Published on 14th February 2018

Published in: Business

  1. GDPR. 14th February 2018. Marc Michaels
  2. Agenda today: So how do you get it right?
  3. Background on GDPR
  4. Before we begin. What you are about to hear is based on:
     • Current understanding of the GDPR regulations as published
     • Together with guidance that has been issued by appropriate bodies
     • Research I’ve been involved in through Paragon Customer Communications
     • Keeping abreast of general developments and news
     Note: Not all guidance has been issued on all topics. There will be different interpretations of how legislation should be applied. I’m based in the UK, but it’s pretty much the same for Ireland, except the Information Commissioner’s Office (ICO) is called the Data Protection Commissioner.
  5. The context. Marketers want to be timely, relevant and motivating with marketing messages to prospects and customers; data is a key component of the fuel that can drive this successfully. BUT consumers only want useful messages, and many are suspicious about sharing their data in case it is misused/abused; others will quite happily part with their data if they see the value in doing so. AND governments/the EU want to ensure that people’s right to privacy is respected, and that businesses adhere to the new regulations designed for today’s modern communications landscape.
  6. ICO tracking study results/other research. (Chart: ICO annual tracker 2016, main concerns identified, 36%.) Research I/Paragon did with Data IQ showed:
     • 50% prefer not to share data
     • Trust and openness are key
     • It’s really hard to get third party consent
     • Shelf-life of consent is shortening – 50% of consumers want to update less than every six months; some want it every time you contact them
     • There needs to be a value exchange
     • Trust flies out the window in the event of a breach
  7. GDPR – the 12 steps to compliance ‘heaven’
     • An evolution of the Data Protection Act 1998
     • Imposed by Europe
     • Comes into force May 2018
     • Affects all businesses
     • Public authorities have special rules and exemptions
  8. Guidance available
     UK Information Commissioner’s Office has issued:
     • Preparing for the GDPR – 12 steps to take now
     • Overview of GDPR
     • Privacy Notices Code of Practice – updated with GDPR requirements
     • GDPR Consent Draft Guidance
     • Contracts and Liability
     • To follow: Risk; Profiling
     Working Party 29 has issued:
     • Guidelines on Data Protection Officers
     • Guidelines on the right to data portability
     • Guidelines for identifying a lead supervisory authority
     • Guidance on issuing administrative fines
     • Automated decision making and profiling
     • Personal breach notification guidance
     • High risk processing and DP Impact Assessment
  9. Guidance available – Data Protection Commissioner
     • Mostly appears to be relying on WP29 guidance, but has info at [link not captured in the slide text] and has published their own version of the 12 steps
     • Some guidance on appropriate qualifications for a Data Protection Officer
     • Set up a public/organisation-facing website
  10. Profiling and GDPR – new Working Party 29 guidance
     • Need to understand whether the profiling is by purely automated means – will it have a significant impact on the individual?
     • What lawful basis are you processing/profiling under?
       - Profiling can be performed under legitimate interest
       - You must carry out a balancing exercise
       - You must inform the user – probably in the privacy statement – detailing how you are going to use the data
  11. Good and bad examples of profiling
     Good: An insurance company uses an automated decision-making process to set motor insurance premiums based on monitoring customers’ driving behaviours. To illustrate the significance and consequences, it explains that dangerous driving may result in higher insurance payments, and provides an app comparing fictional drivers, including one with dangerous driving habits. It uses graphics to give tips on how to improve these habits and consequently lower insurance premiums.
     Bad: A data broker sells consumer profiles to financial companies without consumer permission or knowledge. The profiles sort consumers into categories (carrying titles such as “rural and barely making it”, “Ethnic Second-City strugglers”, “Young Single Parents”) or “score” them, focusing on consumers’ financial vulnerability. The financial companies offer these consumers payday loans and other ‘non-traditional’ financial services (high-cost loans and other financially risky products).
  12. So what do businesses need to do?
     Be fully aware:
     • Where am I compared to the GDPR requirements? (A gap analysis)
     • What are the risks?
     • What strategy do I need to get there?
     • Are there specific issues in my sector? (e.g. Fundraising Preference Service, Know Your Customer)
     • Do I need any external help?
     Make it a strategic focus for senior management – now:
     • Don’t put it off for another day
     • Provide time and resource
     • Don’t just talk about it – start implementing solutions
  13. Consent and Legitimate Interest
  14. Record keeping is crucial – the accountability principle
     • Under GDPR you are required to demonstrate that you comply with the various principles
     • Evidence and documentation are key – make sure all decisions are documented and kept for audit purposes
     • A key element is data journeys, including locations, access, risks and controls
     Consider as part of your design:
     • Data minimisation
     • A DPIA performed, or documented evidence of why the business considered one unnecessary
     • Allowing individuals to monitor/be aware of their own processing
  15. Six lawful reasons. GDPR requires businesses to have a ‘lawful’ reason for processing and use. Only ONE of these needs to be true for lawful processing; for marketing communications this will tend to be consent or legitimate interest, and organisations must identify which they are using.
     1. Consent of Data Subject
     2. Necessary for completion of a contract
     3. Necessary for legal obligation
     4. Necessary to protect the vital interests of Data Subject
     5. Task carried out in the public interest
     6. Necessary for the legitimate interest of data controller (not available for public authorities)
  16. The official definition of consent. Consent means: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
  17. Which the UK ICO says means in practice:
     • Offering individuals genuine choice and control
     • Making it easy for people to withdraw consent, and telling them how
     • Positive opt-in: no pre-ticked boxes or other method of consent by default
     • Clear and specific statement of consent, with granular options naming any third parties who will rely on it
     • Separate, with no coercion and no imbalance in the relationship
     • Keeping evidence of consent – who, when, how, and what you told people
     • Keeping consent under review, and refreshing as appropriate
  18. Is your existing consent up to scratch? Existing consumer consent may not be sufficient for GDPR:
     • If it was coerced/bundled
     • If it was not an affirmative action – pre-ticked boxes or inferred from silence
     • If you haven’t got proper records of how, and to what, they gave consent
     • If it was gained a very long time ago
     If so you must:
     • Refresh that consent (re-permission), or
     • Find an alternative lawful basis (e.g. legitimate interest) if possible
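An added illustration (my own, not from the presentation) of slide 17’s evidence fields and slide 18’s checks as a consent audit over stored records. The field names, the method labels and the two-year age threshold are assumptions, since the slides give no number for ‘a very long time ago’.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Consent methods that are NOT a clear affirmative action (slide 18).
NON_AFFIRMATIVE = {"pre_ticked", "inferred_from_silence"}
# Assumed refresh horizon: the slide says "a very long time ago" without a number,
# so two years is a constructed threshold for this example, not ICO guidance.
MAX_AGE = timedelta(days=2 * 365)


def day(iso: str) -> date:
    """Small helper so callers can write dates as ISO strings."""
    return date.fromisoformat(iso)


@dataclass
class ConsentRecord:
    """Evidence of consent per slide 17: who, when, how, what you told them, to what."""
    subject_id: str                      # who
    obtained_on: Optional[date]          # when
    method: Optional[str]                # how, e.g. "web_opt_in", "signed_form", "pre_ticked"
    statement_shown: Optional[str]       # what you told them (the consent wording)
    purposes: tuple[str, ...] = ()       # to what they consented (granular purposes)
    bundled: bool = False                # tied to terms of service or another benefit


def consent_issues(rec: ConsentRecord, today: date) -> list[str]:
    """Return the slide-18 reasons why this consent may not stand up under GDPR."""
    issues = []
    if rec.bundled:
        issues.append("coerced or bundled")
    if rec.method in NON_AFFIRMATIVE:
        issues.append("not an affirmative action")
    missing = [name for name, value in (("when", rec.obtained_on), ("how", rec.method),
               ("what you told them", rec.statement_shown)) if not value]
    if not rec.purposes:
        missing.append("to what")
    if missing:
        issues.append("no proper record of " + ", ".join(missing))
    if rec.obtained_on is not None and today - rec.obtained_on > MAX_AGE:
        issues.append("gained a very long time ago")
    return issues


def next_action(rec: ConsentRecord, today: date, legitimate_interest_possible: bool) -> str:
    """Slide 18 remedy: keep the consent, move to legitimate interest, or re-permission."""
    if not consent_issues(rec, today):
        return "consent stands: keep relying on it, and keep it under review"
    if legitimate_interest_possible:
        return "find an alternative lawful basis: rely on legitimate interest and document the LIA"
    return "refresh the consent (re-permission)"
```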
  19. RE – is REally important
     • Re-permissioning by email/SMS is only allowed to those you already have permission to market to, but where it was gathered in such a way that it will no longer be valid under GDPR
     • If you have not got consent, or someone has opted out, or you are ‘unsure’, then you cannot communicate by email or SMS to try to re-permission. You will need to use direct mail (unless, of course, they have opted out of that too)
     If you are unsure then you may wish to seek advice from your DPC about your plans – Honda and Flybe were fined for getting it seriously wrong
  20. For example…
  21. For example…
  22. Direct Mail – the ‘white knight in shining armour’? Even though it isn’t necessary, some organisations have elected to go fully opt-in and rely only on consent for marketing communications. Others will rely on legitimate interest. Note: non-marketing communications, such as contractual, regulatory or real service messages, will rely on other legal bases for processing and communication.
  23. But it isn’t a get-out-of-jail-free card either: “You won’t need consent for postal marketing” (UK ICO 2018)
  24. Legitimate Interest
     • Processing must have a compelling purpose – real, and not trivial or vague
     • Must be necessary, targeted and proportionate to the purpose
     • You need to balance the interests of the business against those of the consumer = LEGITIMATE INTEREST ASSESSMENT
     • You need to document this as part of your audit evidence
     • From guidance (largely the Data Protection Network), I’ve created an 8-point approach
  25. It’s all about trust and belief. Research shows that people are more likely to give permission if they feel in control and believe the organisation is going to:
     • Keep their data safe
     • Not share it
     • Not bombard them
  26. So what are organisations doing/planning? Nearly one in five companies in the UK have already started… half haven’t even started! It’s probably the same in Ireland. (Source: The six per cent solution, Royal Mail, 2017)
  27. So what are organisations doing/planning? Eight out of ten marketers in the UK use or will use email… and nearly half also plan to use direct mail. (Source: Royal Mail)
  28. Direct Mail ‘leading the charge’
     • Being used for re-permissioning as a lead medium, as the physical format itself lends credibility, builds trust and shows that the customer is valued
     • A ‘sit-back’ medium that allows consideration, and can also explain to the customer the reasons for the communication and the benefits of staying in touch, and deal with granularity of choice
     • Less easy to ignore than a crowded email inbox (1.3 pieces of mail a day, 65% open rates, 17% leads to a commercial action – new JicMail 1/1/18)
     • For some companies whose e-mail base isn’t fully compliant, it may be the only option available
     • DM for acquisition will grow as email data availability shrinks
     • Less likely to opt out than digital channels (even though DM will need to be more up front about offering it), so will become a growing part of CRM communications
     • No-one has yet been fined for using mail (as opposed to other channels)
  29. Investing in testing. Digital marketing will generally become a bit harder: GDPR is all about catching up with digital and putting it back in its box. However, lots of marketers consider print old-fashioned. But we know it works because it’s:
     • TANGIBLE and DISRUPTIVE – physical, stand-out and retention
     • EXPLANATORY – allows us to convey detailed/complex information simply
     • TARGETED – specific groups of people geographically and demographically, and by previous history => personalisation and individualisation
     • INCLUSIVE – works well against the digitally disadvantaged/disinterested
     • ACTION FOCUSSED – generating high quality leads and sales/behaviour change
     Also, YOUNGER PEOPLE don’t receive much, so it has stand-out. BUT ONLY IF WE DO IT RIGHT, so it is worth INVESTING IN TESTING
  30. So how do you get it right?
  31. Get your short-form Data Collection Statement right
     • 63% of people read or skim statements – so good copywriting counts
     • Organisations are reluctant to test variants in the live environment as it affects future communications possibilities – so research is a viable alternative
  32. Get your Privacy Statement right (Fair Processing Notice). The Data Subject (your customer) must have the following information:
     1. Identity and contact details of the Data Controller (you) and your DPO (if you have one)
     2. Purpose of the processing and the legal basis of the processing
     3. Legitimate Interest, if you are using it
     4. Categories of recipients of the data
     5. Any transfers to third countries, and safeguards
     6. Retention period, or the criteria used to determine it
     7. Existence of data subjects’ rights
     8. The right to withdraw consent at any time
     9. Right to lodge a complaint with the supervisory authority
     10. Any data required by statutory requirement
     11. Existence of automated decision making and profiling
  33. Tell your customers their rights. There are 7 individual rights, and what they mean:
     1. The right to be informed – What are you collecting, why, and who can see it?
     2. The right to access – How can I get to see my own stuff?
     3. The right to rectification – I want to change something
     4. The right to restrict processing – I don’t want you to do that anymore
     5. The right to data portability – Give me my stuff, I want to take it to someone else
     6. The right to object – Stop doing that
     7. Rights in relation to automated decision making and profiling – What decisions have you made which stop me doing/getting something?
  34. Right permissions
  35. Re-permissioning messaging options – urgency/clarion call. Probably the most sophisticated programme in the charity space:
     • Decided on a full opt-in model
     • Focussed on urgency
     • Linked the opt-in permission to saving lives
     • Simple and easy
     • Upbeat and positive
     • Thanking people up front
  36. Doing the numbers, modelling/testing
     • Estimated they could potentially lose touch with over 500,000 people
     • Needed 255,000 supporters to opt in (25%) to ensure a sustainable fundraising model
     • Built a model, tested it, and contacted individuals three times to ‘re-permission’
     • Now have 450,000 (40%) opted-in supporters
     • First campaign to the new opted-in base was 3x more effective than previous campaigns
     Also benefited from £350,000 in donations – despite not asking for donations in the copy!
  37. Loss aversion / honesty
     • Loss aversion – don’t miss out
     • Honesty – why we need to do this to comply with Govt/EU and protect you
  38. Benefits and a more personalised experience
     • Link to outcomes – remind them of the benefits and why they signed up previously
     • Get a more personalised experience (mini surveys as well as preferences, to show you are interested in them), putting you (the customer) in control
  39. Spring cleaning / security
     • We’re ‘spring cleaning’ and want to check in on you
     • Focus on security
  40. Incentives / auto unsubscribe
     • Incentives (an added bonus, as long as the incentive is not coercing permission)
     • Urgency – last chance to… (dangerous if you want to have a few goes before May 2018)
     • Auto opt-out anyone with no discernible contact over a period (24 months?), but offer them the chance to opt back in
  41. With a Preference Centre at the centre
     • Changes to: consent; privacy notices; legal basis for processing; security; and more…
     • Addition of the accountability principle
     • Potential for massive fines
  42. Preference Centre – secure online preference “hub”
     • Easy to use, easy to digest why data is being collected/used – frictionless UX
     • Manage consent and channel preferences, including child consent
     • Inform/manage individuals’ rights
     • Manage complexity across brands and interest areas
     • Evidence for consent, and a date stamp for refresh
     • Verify additional key data variables
     • Encourage preference breaks rather than full unsubscribe
  43. More than just a landing page – data in and out. PREFERENCE CENTRE = THE HUB
     Data in: Consumer Web, Branch Capture, Call Centre, Social Media, Email, Mobile, Web Chat, Manual Data Capture, External Data
     Data out:
     • Informed MI about preferences across the organisation
     • Communications that are wanted
     • Enhanced customer experience
     • Improved ROI
     • Keep data up to date, with rules for refresh
     • Reduce wastage
     • Fuels CRM communication rules, processing and targeting optimisation
  44. Example: PHE. No single view/clarity for the consumer beyond individual unsubscribe =>
     • New Preference Centre built – gives customers access to their data, and lets them manage their details and consent at overall, campaign, sub-brand and channel levels
     • Put PHE ahead of the game in terms of being GDPR-ready, recognising the importance of consent
     • Good reset point for PHE – review historic opt-ins and have complete confidence moving forward
  45. Example: Pension & Life Assurance multichannel re-permission campaign
     • DM: friendly URL
     • Personalised reference number
     • On-page authentication
     • Paper response option
     • EM: deep link
     • “Cross-sell” additional channels
     • Captures contact details
     • Integration into client data ecosystem
  46. Data breaches and breach notification
     • Need to notify the DPC (and possibly other bodies) within 72 hours if the breach is likely to result in a high risk to the individual
     • Need to have the right procedures in place to detect, report and investigate a personal data breach
     • Whilst there is no set timeframe, clients need to inform the public ‘without undue delay’ in the event of a serious breach where it might leave them open to financial loss or high risk to the ‘rights and freedoms’ of the individual
     • Failure to report a breach could result in a fine, as well as a fine for the breach itself
     • Worth having a ‘pre-planned and pre-canned’ set of templates, and a tested direct mail and email mechanism on standby
     ‘A Sincere & Personal Apology’ – the #1 proactive action a company can take to help prevent the end of a customer relationship (Source: Ponemon Consumer Study on Aftermath of a Breach)
  47. Summary
  48. What we are all trying to avoid
  49. Embracing GDPR in a positive way
     • The new regulation is not unreasonable
     • We all have a duty to do the right thing
     • Good reset point, and we shouldn’t be afraid of the potential impact on our database size – those left will be truly engaged
     • Opportunity to focus on the wider data landscape and how to use data well
     • It’s about having confidence in the brands and in our skills as marketers to motivate consumers to take an action and engage with us on their terms
  50. Q&A