Under new data protection regulation, consumers will have increased rights to object to processing of their personal information. Mark Fairbairn, Head of Retail at Equifax, explains what this could mean for retailers and both their online and offline marketing strategies.
The EU’s new General Data Protection Regulation (GDPR), designed to protect consumer privacy and data usage, is due to come into force in 2018. While Brexit brings uncertainty over the UK’s implementation of this regulation, companies should press ahead with preparation for change. The UK government will have to decide whether it implements the new EU rules as planned, or develops alternative regulation. For UK businesses to continue to operate in the EU any alternative regulation must be palatable to European regulators. This means that whichever route the UK government takes the direction of travel will not change, although the end regulation may not look identical to the GDPR.
So what does this mean for retailers? The UK’s retail sector leads the way in the development of digital commerce through personalised customer strategies. The key to this sophistication is found in mobilising customer data, and retailers are concerned about how changes to data protection could affect growth in this area.
The new regulations refer to ‘unambiguous’ consent, a stricter definition than used today. Companies must ensure that they employ clear and transparent language in gaining consent from consumers to use their data in order to satisfy the new tighter definition.
Exactly what this means in a digital context, for example when it comes to cookies, remains unclear. The Direct Marketing Association (DMA) has drawn attention to what is and is not considered ‘personal data’ in this instance. A cookie placed by a service provider who knows the individual, will generate ‘personal’ data about that individual’s behaviour, whereas an online advertiser cannot link such behaviour to a particular person – so that data would probably not be considered personal.
When it comes to non-digital marketing, data protection rules still require that anyone processing personal data must have a ‘legitimate interest’ for doing so. While under the EU regulation data processing for direct marketing continues to be considered a legitimate interest, to ensure lawful processing, marketers need to carefully assess the relationship between their company and the consumer. Under the new law, consumers will have increased rights to object to any processing of their personal information, including profiling, at any time, free of charge. While unsubscribe/opt-out methods may continue to satisfy non-digital marketing performed under legitimate business interests, the right to unsubscribe/opt-out must also be highlighted during the first communication with the consumer, and should be clearly and separately stated.
Much of the detail needs to be worked through over the coming months and years. The Information Commissioners Office (ICO) pledged in its 2016-2019 plan to work closely with the Department for Media, Culture and Sport to balance the interest of protecting the public and supporting economic growth. Co-operation across policy makers and industry players will become all the more important as Brexit negotiations commence and the UK shapes its future data protection laws.
Share