GDPR: Obstacle or opportunity?

By Teamspirit on Wednesday, 29 November 2017

Turning GDPR into a competitive advantage

The new General Data Protection Regulation (GDPR) presents a huge opportunity for businesses, if they recognise its power to transform.

The reason why there is so much discussion about GDPR, other than the fines for getting it wrong, is that GDPR underpins growth and a thriving digital economy – where data is a key business asset. Supercharged by the exponential growth in connected devices, currently forecast to see 20 billion connected devices by 2020, data is going to become the currency for innovation.

This is why we hosted a breakfast event to discuss the impact of GDPR, the new connected ecosystem and the broader view that we will have on individuals. Bringing together the legal, big data and economic perspectives, we explored how a virtuous data circle can create a competitive advantage for financial service brands.

This paper captures the debate and insight from the event. Our huge thanks to the panellists:

  • Alan Baker Associate, Farrer & Co
  • James Monkman Head of Partnerships, Omnis Data
  • Moritz Godel Associate Director, London Economics
  • David McCann Head of Planning, Teamspirit



Brave new world

By 2020, there will be over 20 billion connected devices – laptops, phones, cars, TVs, domestic appliances, personal health trackers… the list is endless. And the global trade in data is already growing fast – by 700% between 2008 and 2013, compared to about 30% in merchant trade over the same period.

In this new world, data will be the currency for innovation and competitive advantage. Brands that embrace GDPR and the opportunities it brings will win greater customer trust and build stronger relationships. Those wishing to ignore the new legislation, or who see it as an unwelcome and unnecessary burden, will fall behind.

On 25 May 2018, the new General Data Protection Regulation (GDPR) takes effect, with new European-wide legislation that tightens existing rules and significantly increases the potential fines for breaches. Some see the new rules as a compliance challenge and an unnecessary burden, but financial services should look at GDPR as an opportunity to boost consumer confidence, increase trust and move towards a better relationship with the public.

For anyone still thinking GDPR won’t happen, or that it will be phased in gradually, it is worth reiterating that the government has been clear: the implementation date is fixed, it will happen regardless of Brexit and companies have been given two years’ notice of the legislation’s final wording, giving them ample time to prepare. There will be no grace period. The 25 May 2018 deadline is the absolute deadline. With just over 200 days to go until implementation date, there is still time to prepare for GDPR. We have seen a lot of organisations grappling with GDPR’s impact and what it might mean for them. And as most commentators and articles seem to be focused on the mechanics and pitfalls of GDPR, we decided to look at GDPR through a different lens: how to make the most of the opportunity we believe GDPR brings, to help transform financial services for the better.

GDPR Key Takeaways

The heart of the matter

At its heart, data protection is about the rights of individuals, and the new rules are no different. GDPR grants more rights to consumers, while strengthening those that already exist. For example, consumers who write to a data controller to request a copy of their data can now expect a response within one month rather than 40 days, and will no longer be charged admin fees.

There are six key areas to be aware of:

  1. Governance: Data controllers (DCs) and data processors (DPs) are now obligated to keep a record of all processing activities, including marketing. Some companies may need to introduce a data protection officer – even if you don’t, it’s important to ensure you have a compliance lead.
  2. Privacy impact assessment: In high-risk cases, companies will now be required to complete a privacy impact statement, detailing privacy risks and how they’ve been managed. An example could be when choosing a CRM systems provider, to show that data security has been a consideration in the selection criteria. It is best to look at the ICO guidance in this area.
  3. Consent: The standard of consent is going up. Currently, consent must be informed, specific and freely given. From May 2018, it’s also required to be unambiguously given and by a clear statement – which means no more pre-tick boxes, and clear explanations of how your data will be used.
  4. Erasure: Commonly known as ‘the right to be forgotten’, erasure has received a lot of press attention, but it’s perhaps been poorly explained. Consumers can request to have their data erased, but it is not an unqualified right. For example, if they request to be forgotten, they are likely to lose the right to use the service.
  5. International data transfer: Whenever data is transferred outside the European Economic Area, companies are required to ensure adequate protection for the data being transferred.
  6. Sanctions: After implementation date, companies can be fined up to €20 million or 4% of annual turnover, whichever is more. Things the ICO really dislikes, and which are likely to attract heavy fines, include large-scale data breaches and unsolicited, pestering mass marketing.

TOP TIP: If you’re ever struggling to determine the right way to act, remember that GDPR is a principles-based system. Ask yourself: does this action sit within the spirit of GDPR – to use data only for the purpose it was collected?


The impact on the digital economy

GDPR is core to, and likely to boost, the digital economy. To understand why, we need to look at the conditions that lead to online consumer engagement.

Broadly speaking, users will interact online only if their confidence level sits above an invisible point, known as the ‘confidence boundary’. Several factors can affect this, including their own experience, the reputation of the brand and the strength of regulations. Consumers’ biggest concerns about internet use are privacy and the safety of their personal details.

Most consumers sit above this confidence boundary (see chart A). In fact, digital engagement is already very high, with over 80% of adults using the internet daily. Non-users tend to be older or from disadvantaged backgrounds, and the increased regulation of GDPR is unlikely to encourage engagement from these groups.

However, by addressing two major concerns of the general public (privacy and use of data), the average user becomes less likely to be pushed below the confidence boundary by a single negative experience (see chart B). GDPR, therefore, is likely to keep more consumers above the confidence boundary and actively engaging online, providing a boost to the digital economy.

GDPR Graphs


GDPR and the collection, curation and sharing of data

Omnis, as a specialist data collection and curating service, offers clients access to a fully compliant source of prospects for marketing. Data on consumers is sourced from a number of data partners and aggregated together. This is a common enough approach in the current regulatory environment, but – unlike some in the industry – Omnis has been at the forefront of ensuring its data is GDPR-compliant.

It has rigorous security standards, including checks for compliance and consent during the on-boarding process. So the data that clients are able to source is fully permission-based.

Post-GDPR implementation date, Omnis believes that companies will be less willing to share their data because of the potential reputational and financial risk if things go wrong.

As Omnis has looked to ensure the data it compiles is compliant, it has also turned some datasets down as not being sufficiently robust in how consent has been captured – and for what purposes.

Therefore, post-implementation date, aggregators are likely to hold less, but more relevant, information on consumers (ie holding only valuable customer data that is likely to be used, rather than trying to go for masses of volume). This is no bad thing. It is better to be targeting the right type of prospects who have given express permission to be contacted, than having larger volumes of less responsive customers.

Post-implementation date, it is vital you check that your data provider has the right rigour and processes in place to satisfy you that explicit, informed consent has been obtained for the specific purpose for which the data will be used. Ask to see how consent is captured and maintained. If your provider can’t show you – walk away.


Innovation and creating value propositions from data

Financial services have a problem with data. To us, it can feel like an intangible asset. But to our consumers, their data is personal, tangible and valuable. GDPR gives us an opportunity to rebuild trust and show customers the value of their data in innovative ways. There is so much more to do here. We are only at the beginning of aggregating datasets to create innovative and new uses for data that improves customers’ experience of the brand.

So how do we express that value in the way we use it?

  1. Secure our data – for consumers, not for ourselves: Reputational risk and the threat of fines are one thing, but if we care about our consumers, we should be protecting their data. Ensuring rigorous data security policies and procedures are in place is fundamental. Data breaches are hugely costly from a reputational risk perspective and place the brand at a large competitive disadvantage. The ICO also, rightly, takes a dim view of these and is likely to use its increased powers for heavy fines in this area, based on where it has fined heavily previously.
  2. Maintain its value: The ICO suggests that data is valuable for two years. Although this is not set down as a given, it is a time period that is becoming a ‘norm’. However, in a regulated environment there is always a strong case to follow the regulator’s guidance on keeping data (e.g. the FCA requires data to be kept for six years). To retain data’s value for as long as possible, keep it relevant. Just because it hasn’t been used for a while doesn’t make it irrelevant, but it is important to maintain data quality. And if you’re not using data, it is important to question whether you should be collecting it: don’t ask for too much.
  3. Add extra value: With new data managing abilities comes new potential for adding value to datasets. Consider new and better ways to use that data that will benefit the consumer. Look at EasyJet, which used previously collected data to inform passengers of a broken oven on a plane and encouraged them to buy food in advance.

In conclusion

GDPR offers a chance for financial services to regain some of the trust that has been lost in recent years. By ensuring data is gathered in an open manner, treated with respect and used appropriately, we can create a better experience for consumers and a brighter future for financial services. If you’d like to find out how you could capitalise on the opportunities GDPR presents, get in touch at
