The Article 29 Working Party (WP29) has asked the European Commission to improve the first draft of Privacy Shield. What next? The Commission is going to upset somebody, whatever it does.
We’re half-way to the deadline for GDPR compliance, and yet I don’t hear privacy groups discussing the risks of non-compliance in 1-to-1 marketing. Nor do I see digital marketing groups questioning the impact of GDPR compliance on their favourite 1-to-1 practices. That is curious, because the EU definition of personal data (the GDPR’s own term, and broader than what US practice calls PII, Personally Identifiable Information) covers pretty much every use of customer data for 1-to-1 marketing. So is GDPR already done and dusted? Or are the two sides ignoring each other? Here are two reasons why governance frameworks that don’t deal directly with marketing are flawed.

1: Marketing communication isn’t what it used to be.

Marketing communication has changed a lot in the last few decades, and in a very positive way: better targeting has made it more effective. We’ve gone from mass marketing through versioning to ABC marketing, on to segmentation, and beyond that to marketing automation, to realise the vision of true 1-to-1 marketing. We’ve learned that more target groups mean more work, and that beyond a certain point returns diminish. Yes, it’s a tricky balance, and we’re still some way from perfection. But marketing communications has also learned two things that work really well: personalisation and customisation of content. Combined, they deliver significantly better results. There is simply no way that marketing communications will give these techniques up and go back to anonymous, one-size-fits-all messaging.

In practice, both personalisation and customisation rely on detailed and accurate information about the interests and needs of individual prospects and customers. In short, 1-to-1 marketing relies on exactly the sort of customer data that the new EU GDPR classifies as personal data. So compliance is a top-priority must-do.

Marketing technology: acquisition and use
                   Last century                       Now
Software           product                            SaaS
Delivered          physically, on disk                virtually, via the Internet
Installed          on a PC                            in the Cloud
Data storage       in-house                           at the vendor
Selection          approved by IT                     chosen by Marketing
Contract           by Purchasing                      online, standard T&Cs
Payment            by Finance                         direct from the Marketing budget
User support       via IT                             via the vendor
Processes          checked by the Privacy Officer     unknown to the Privacy Officer?

2: Marketing isn’t what it was, either.

Thank goodness for that, too. Right up to the end of the last century, marketing had to go cap in hand to IT and almost beg for resources, only to be told that Finance, HR and Sales all had higher priority. After the arrival of the internet, customers went online. This triggered three big changes.

The first change was RoI. When online clicks and orders became measurable, CMOs could at last demonstrate a return on marketing investment to the Board. And RoI translates into a convincing reason to get even more budget.

The second change is that marketing software went online, too. The extra budget was used to buy cloud-based SaaS software to do even more online marketing: specialised solutions that only marketing experts would get excited about*, systems that promote, track and measure the customer’s preferences, behaviour and purchases by processing data that EU law classifies as personal data.

The third change is how Marketing buys that software. Signing up for a new SaaS system is often an online transaction that need not involve IT, Purchasing or Legal. Or even Finance, if the monthly fee can be paid by credit card. The reality is that, internal rules aside, marketing budget can be spent without reference to other departments. And quite often is. Just to make it plain: the marketing technology budget is now huge.
According to Gartner, 2017 is the year when marketing spend on technology is likely to exceed the IT department’s own budget.**

Privacy and governance: theory and practice

What’s privacy about? A marketer will probably say ‘customer behaviour’; a lawyer will probably answer ‘compliance’; an IT expert will probably mention ‘data protection and security’. The privacy officer will agree that each is right in their own way, and get them to work together at the governance table. But if governance is about managing risk, then here is a very real risk scenario: the marketing department is probably using cloud-based SaaS software, probably supplied by non-EU vendors, which handles data about EU customers and exports it outside the EU for processing (a transfer that itself needs a recognised legal basis, such as Privacy Shield or standard contractual clauses), using innovative techniques that do not necessarily conform to EU law … and other departments, including IT, Legal and the privacy team, might not even know about it. Scary. That risk needs to be evaluated and, where necessary, plugged by 25 May 2018, the date from which the GDPR applies.

Reality check

So my questions are these:
- Is Marketing aware just how much of its EU customer data counts as personal data and must comply with GDPR? (Pretty much all of it.)
- Does governance rely on IT for a complete view of the systems that handle customer data? (Or does it also talk directly with digital marketing?)
- Is Marketing taking a proactive role in the compliance and governance discussions? (Or is it waiting for the privacy team to send an invitation?)

Notes
* US-based software developers have some very, very innovative marketing ideas. But I’d argue that they can implement many of those novel techniques precisely because they have not, to date, been obliged to follow EU data privacy law.
** Recommended: “Yes, CMOs Will Likely Spend More on Technology than CIOs by 2017”, Jake Sorofman, Gartner (blog article).
“Corporate Surveillance in Everyday Life” by Wolfie Christl at Cracked Labs shows first how online businesses, advertisers, risk managers and marketers (among others) get hold of consumers’ personal data, and then what they do with it. Published in June 2017, this report is bang up to date. It’s available for direct access at http://crackedlabs.org/en/corporate-surveillance and (via the same page) as a free PDF download (93 pages, A4).
For many companies, the obligation to document the processing of customers’ personal data will generate an additional workload. If the scope of that extra work has not yet been defined, late starters may face a problem, because the GDPR is wider in geographic scope and deeper in technical reach than the 1995 Data Protection Directive it replaces.
Using cookies with unique IDs to create visitor profiles and customise delivery of website content ‘out of the box’, and without professional guidance, is about as safe as tap-dancing in a minefield.
GDPR introduces a ton of new bureaucracy for marketers, and complying with it will take real effort; however, with a bit of forethought, you can make this situation work for you.
Under EU privacy law 1) practically all customer data has to be handled as personal data, and 2) the law reaches beyond the EU: it applies to any company, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour. Most non-EU software vendors have not yet realised what that means for their business.
International business needs a self-certification method for handling data exports. It would be a good idea for the EU Commission and the US government to give us an update on what’s going on …
… because you’ve simply got to have a lawful basis, which for most marketing analysis means the customer’s consent, before you analyse who bought what using personal data (what US practice calls PII, Personally Identifiable Information).