Speech by Stefan Fafinski, Master of the Worshipful Company of Information Technologists on the Occasion of the Marketors' Spring Lunch of 19th April 2018
“Oh, good” you must be thinking. Another talk on the General Data Protection Regulation. From an Information Technologist. And a lawyer. Who owns a bound copy, courtesy of the Worshipful Company of World Traders. “Brilliant”.
The GDPR was originally 261 pages long, but it’s grown a bit since then. It has over 20,000 more words than Shakespeare's Hamlet – his longest play – and has probably resulted in more primers and updates in your inbox than emails informing you of the sad death of a Nigerian prince who just happened to leave you $20 million.
Headlines like: ‘Companies who've not started GDPR compliance yet will not be ready on time’ and ‘GDPR fines up to 4% of worldwide turnover’ which were intended to scare, actually do scare you.
In many ways, GDPR is like Y2K.
In the run up to Y2K, scaremongering authors sold over 45 million books, citing every conceivable catastrophe from civil war and planes dropping from the sky to the end of the civilised world as we know it. Reputable preachers were advocating food storage and literally ‘running for the hills’. But, in actual fact, very few problems were reported. Some HSBC card machines stopped working for a couple of days. A Japanese clock went a bit wrong. In Australia, bus ticket validation machines in two states failed to operate. And in the United States, 150 Delaware Lottery slot machines stopped working.
So, the world didn’t come to a grinding catastrophic halt after Y2K and neither will it after GDPR. The Information Commissioner will not be on your doorstep, or mine, when GDPR becomes enforceable on 25 May.
The Y2K bug was, at its core, a very well-understood technology problem. GDPR, on the other hand, isn’t just a technology problem – although technology certainly plays a key role. It is also an often poorly-understood legislative framework that has the potential to affect nearly every department within businesses.
But, like Y2K, GDPR could – and should – serve as an incentive – a catalyst – to bring data practices into alignment with the realities of the modern world of business. GDPR should force organisations to evaluate and improve the handling, security and control of the information with which they are entrusted. This will, in turn, expose significant opportunities to update and enhance business processes and technologies while improving the integrity and overall quality of data. It will also bring opportunities for businesses to build relevant, valuable and trusted relationships.
At the start of his Mayoralty, the Lord Mayor launched the ‘Business of Trust’ programme. My word is my bond. Public trust in business, and financial and professional services in particular, remains low. As the Lord Mayor said, given the increase in global instability of which Brexit is only one manifestation, it’s absolutely vital that we must do more to meet the growing expectations of customers, stakeholders, and wider society – and preserve the sustainability of our services long into the future.
Businesses must: do what they do well, do the right thing, focus on customers, and communicate clearly.
So how can GDPR help with this?
In May 2017, The Economist called personal data ‘the world’s most valuable resource’ ahead of oil. In handling this resource, businesses need to consider permission, access and focus.
With GDPR, businesses need explicit permission – consent – to process an individual’s data. Customers must express their consent in a ‘freely given, specific, informed, and unambiguous’ way, which is reinforced by a ‘clear affirmative action’. In practice, this means that leads, customers, partners, etc. need physically to confirm that they want to be contacted.
With regard to access, the ‘right to be forgotten’ gives individuals the right to have outdated or inaccurate personal data removed. GDPR gives customers a method to gain more control over how their data is collected and used. It is the responsibility of the business to ensure its users can easily access their data and remove consent for its use. Practically speaking, this can be as straightforward as including an unsubscribe link within an email marketing template and linking to a user profile that allows users to manage their marketing preferences.
But this allows easier segmentation. Through the exercise of gaining consent and tracking customers’ preferences over time, businesses can segment and gain insight into each individual customer’s interests to provide them with the information that they want to receive. Communication can be based on specific and personalised interests, rather than via generic impersonal digital campaigns. Communicating clearly.
Finally, focus. GDPR requires businesses to justify the processing of the personal data they collect. This requires focus on the data actually needed, and not the marketing ‘nice to haves’. If you really need to know someone’s inside leg measurement, and can prove why you need it, then you can continue asking for it. Otherwise, avoid collecting any unnecessary data and stay focussed on the essentials.
People do business with organisations that they know, like, and trust. Building trust comes through projecting transparency. A study by Harris Interactive found that 93% of online shoppers cite the security of their personal data as a concern. A report published by the Chartered Institute of Marketing shows that 57% of consumers don’t trust brands to use their data responsibly. Many consumers have lost trust in the big holders of data such as Google and Facebook – particularly with stories such as the recent exposure of up to 87 million Facebook user profiles to Cambridge Analytica.
Behavioural insights researchers say that social trust is one of the most important and underappreciated economic indicators that we possess. And GDPR represents a real and valuable opportunity for businesses to build that social trust by being upfront and honest about what they are doing with data. Doing the right thing. Being transparent. Being responsible. Businesses that can show that an individual’s data is being treated with respect and held securely will show that they have their customers’ best interests at heart, strengthening both trust and customer engagement.
So, for Marketors, GDPR shouldn’t only be about unthinking compliance with a set of abstract verbose legal rules. As with Y2K it should be about overhauling data management software and procedures to avoid serious issues of business compliance and reputational risk – while remaining level-headed and not panicking.
It should be about taking the opportunity to use data to engage on a trusted, deeper, meaningful and personal level with customers. To understand their specific needs. To stay relevant while respecting privacy and transparency. To give consumers control and to continue to build trust, which should ultimately – if done right – lead to increased commercial success.
And while it is now truly down to the wire to prepare for GDPR, I hope that businesses will seize upon these positive opportunities for change and respond with the same level of tenacity, innovation and investment to prepare for this deadline – and to pursue the business of trust – as they did in the months leading up to New Year’s Eve 1999.
© Stefan Fafinski 2018