The Data Protection Network is pleased to present our guide to the key data compliance challenges facing us in the year ahead. We asked leading practitioners in the field to pick their top issue for 2016. The multi-faceted ramifications of the GDPR are firmly on the agenda, but that’s not all.
Jenny Moseley – Co-founder of the DPN & Opt-4 Director
The key issue for me is consent and preparing for the number of fields that databases now need to store more detail about the type of consent under the current regulations, and the number of possible additional fields required after the GDPR. For instance, storing unambiguous consent by channel for first and third parties may need to be flagged separately from other types of consent. Systems should be designed to cope with this. On top of that, if consent, albeit by opt-out, is confirmed for profiling and legitimate interests, as examples, then systems will need to recognise this to enable data selections. That is, for a first-party email campaign, consent will be required for that channel, particularly electronic channels. Then, if there is any profiling going into the mix, even on targeting, the second layer of selections will have to exclude anyone who has opted out of profiling. The third selection would then have to exclude anyone who has objected to legitimate interests, if they have been used in the context of the subject matter for that email. That’s only touching on the issue really; consent may be needed for each social media channel, and several other channels may end up being included, such as behavioural personal data collection from website activity. That is unless a disproportionate effort exemption suddenly covers some of this.
Sara Howers – Global Data Protection Officer, Haymarket Media Group Ltd & DPN Governance Board Member
Getting companies (both our own & our suppliers) to sign off on sufficient budgets to get systems, processes & resources updated, adjusted & aligned in time for full implementation of the new GDPR rules. Unfortunately corporate budget years and implementation periods don’t always align, so in many cases we’ll be making best ‘guestimates’ of the level of investment required.
Chris D. Field – Corporate Privacy Director, Harte Hanks & US-based member of DPN Governance Board
Beyond GDPR and Safe Harbor, the biggest data protection issue permission-based marketers supporting European and U.S. markets will need to reconcile involves the practice of linking together different devices visiting their company’s website and mobile applications, or “cross-device” identification as it is referred to in the U.S. While cross-device solutions and service providers have been around for a number of years, the practice is taking off in the U.S. and regulators in the U.S. are taking notice. At the most basic level, cross-device solutions use computer algorithms to associate one device with another device across web and mobile environments, either through assessing the probability that the devices relate to the same individual or through determining that an unknown device belongs to a previously identified (known) individual. Uninitiated marketers assessing cross-device solutions for European and U.S. operations will quickly find themselves in a hot mess. Beyond reconciling just about every major data protection issue and development over the last 5-10 years for their European operations, marketers supporting U.S. markets need to know that cross-device is subject to the Digital Advertising Alliance’s self-regulatory principles.
Michael Bond – Data Protection & Privacy Advisor, News UK and DPN Governance Board Member
Apart from the obvious focus on the GDPR, list broking and lead generation have come into sharp focus in recent months. The ICO has fined over £1 million in the area of unsolicited calls and spam texts in the last four months alone, as well as publicly declaring war on rogue players. For organisations that buy or rent lists, and those who provide them, 2016 is going to be a watershed.
Stef Elliott, Opt-4 Associate
In my opinion the key issue for companies is going to be not if but when they choose to adopt a proactive rather than a reactive approach to data stewardship. This requirement to change won’t be driven by the threat of legal compliance in two years’ time but will be based upon greater consumer awareness and focus upon enhanced data importance. The direction of travel of the GDPR has been clear for a period of time and 2016 will provide a definitive deadline for change. However, in the run-up to that deadline the levels expected by consumers will rise, or rather any current poor practices will not be accepted. They will expect companies to:
Know what they do and with whom
Say what they do
and do what they say
Social Media means that poor practices will be exposed to a wider audience and I personally believe that there is a potential “ambulance chasing” industry approaching companies who are unable to respond adequately to information subject access requests. Without proactively acknowledging that the scope of what constitutes personal information or data has and continues to significantly expand beyond name and address collected on a form, companies are exposed to the risk of reputational damage by not being able to match this expectation.
Simon Blanchard, Opt-4 Associate
2016 will be the year we all try to get to grips with GDPR. One of the key areas will be Privacy Impact Assessments (or PIAs): especially for organisations which have never before formalised a process for evaluating changes to data processing and how these will impact on data subjects. All too often key changes to data processing take place without due diligence on the effect this may have on customers. So if you’ve never conducted a PIA before, it would be wise to make a start early in 2016, so that you can establish a good process and embed it into your normal ways of working.
David Milnes – Director of KyteMark Solutions Ltd & DPN’s research partner
I believe the key issue isn’t what most people immediately think of when they hear the phrase ‘data compliance’. Having extensively researched this area with businesses, I usually find first responses centre around: ‘cyber-attacks’; ‘protecting one’s data from worldwide unscrupulous villains’; or most recently, mention of TalkTalk falling foul of an over-inquisitive, untechnical, 15-year-old student who’d happened to have bought some hacking kit! I recently met with a senior director of a large insurance firm who’d been passed the unwelcome ‘compliance baton’ to ensure appropriate steps and measures are in place to mitigate his company’s data risk. When I asked about their readiness for GDPR, he was proud to confirm they’d had an army of experts working to strengthen their IT fortress and staff were being suitably trained for battle. “It’s been a bit like the forecast Y2K bug all over again!” he said with a weary look. But when I asked him about the marketing implications of GDPR, and the potential huge loss of revenues they may suffer if, as has been suggested, explicit consent may be required for all promotional messaging – well, he said nothing and just looked rather blank. Should I have dared ask him about their readiness to maintain their revenue streams under the proposed tough landscape? … And of how in two years’ time they will and will not be allowed to collect, retain, process, and use personal data? So in summary, whilst I agree there are some tough, well-publicised data security challenges coming onto company Risk Radars, it’s the stealth, restrictive marketing issue that’s really going to hit companies hard. Quite frankly, I’m fearful for many of them.
Rosemary Smith, Co-founder of the DPN & Opt-4 Director
Getting individuals to share their personal data with you requires persuasion and reassurance; increasingly they want control, and if organisations don’t demonstrate the benefits that sharing data can bring, consent rates will plummet. Reviewing data collection wording and re-writing Privacy Policies is a good starting point, but work behind the scenes to ensure that promises are kept is vital. The data debacle in the fundraising sector – put on trial by the popular press in 2015 – shows how quickly trust can be lost and how a lack of oversight of suppliers can ruin reputations and bring unwelcome attention from the Regulator. Some brands are leading the way, providing customers with granular control of how they are contacted through preference centres and channel-level consent. Others are making the positive case for data use, explaining the benefit of sharing and finding new ways to communicate their privacy values. We will definitely see more of this as the GDPR starts to influence thinking, both of businesses and consumers, even ahead of implementation. Your privacy collateral is part of your brand; don’t neglect it!
And the final word goes to …
Robert Bond, Head of Data Protection and Cyber Security Group, Charles Russell Speechlys LLP & Chairman of the DPN Governance Board – His biggest challenge?
Persuading management to treat data protection and cyber security compliance as a “must have” rather than a “might have”. The likely increase in enforcements and fines will help!
We welcome your thoughts and your view of the key issue facing businesses in the year to come.
Please comment on this article or email us
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.