It’s a year today since the GDPR regulations came into operation, but it probably feels like longer to most marketers.

What’s changed? Well, according to the news, there’s been €55m of fines delivered across Europe, although this includes a chunky €50m for Google’s ad personalisation misconduct.

In the UK, there haven’t been any fines to date, although an enforcement letter has been delivered to a firm in Canada. A menagerie of fines and further letters can be seen on the ICO’s website, but most of them – including a £385,000 fine to Uber – are under the ‘new’ Data Protection Act rather than the GDPR.

Of course, GDPR has made everyone more aware of data protection regulations, whether they want to be or not. And perhaps more importantly, it’s raised awareness of how data flows around the organisation, how much of it there is and the importance of taking care of people’s data, especially within protected categories.

In the last year, we saw a vast number of vendors roll out solutions; some of which were user-friendly and many that were not. The fifty-one different comments on our blog post ‘reconsenting Mailchimp lists ahead of GDPR’ showed not only confusion around how to handle mailing lists, but also how last-minute Mailchimp’s own guidance was. One of the major things we learnt was how broad a base for data processing ‘legitimate interest’ is – and if we’d known this ahead of GDPR, our blog post would have looked a lot different!

Overall, our analysis of GDPR’s intent was ‘handle data responsibly’ and that’s a firm, fair and necessary mission. Knee-jerk deletions of consumer data were almost certainly unnecessary but completely understandable, given the size of the fines. One of our overall feelings about the handling of GDPR was that it uncomfortably straddled a few roles: many of those responsible were marketers with limited support and a limited grasp of regulations, however well they’d handled PECR in the past.

That said, the fact that no UK fines have been given out is either a sign that most British organisations handled the regulations responsibly – or that the mammoth amount of administration and organisational re-architecting is still a work in progress. Right now, no news is good news – although time will tell.

There’s no doubt that the recent revelations surrounding Facebook and Cambridge Analytica have brought the notion of personal privacy under even greater scrutiny. Throughout April, we have been finding out whether or not our own data was shared and, at a time when the GDPR regulations are now imminent, more and more of us are clamouring to better understand and protect our personal data.

But what does this mean for those living in the public eye? Most of us are present on social media, but what about those people who are actively and publicly promoting themselves across the media? Do the same privacy rules apply?

For many companies, this notion of privacy may not just be a personal matter but also a business one. As comms professionals, we are well versed in building up the reputation of CEOs or business leaders to increase awareness of a company. In some cases, however, business leaders are more than just synonymous with a brand, sometimes they ARE the brand. Just look at Elon Musk and Richard Branson. As a result, they have to act like a brand, as they have a significant impact on their company’s ability to win and maintain the trust of their customers. In other words, they are expected to be fully transparent and to lay all their (metaphorical) cards out on the table.

Being in the public eye and under a spotlight poses risks, so how can you still ensure that the person concerned has some level of personal privacy?

Assess the risks

Before pushing someone into the spotlight, you need to first identify where the risks and potential privacy breaches lie. You can do this by conducting a privacy audit.

This first involves discussing what the person is happy to share publicly and those areas that they wish to keep private. Then, you need to analyse the vulnerabilities where this kind of information could be brought to light. This goes much further, collating all the information that is publicly available to gain a true idea of their current public presence. With all of us now constantly sharing so much information online, many of us are simply unaware of what is actually out there. I’m sure you have seen how old tweets have come back to haunt many a celeb. This audit aims to uncover forgotten information and unknown information, and to join together seemingly random bits of information that form a picture or profile of the individual.

Beyond assessing their background, you also need to analyse the reputation of those that they’re associated and working with to avoid (and plan for) any unexpected surprises.

Having this comprehensive overview enables you to make informed decisions on how to best build their profile and to be proactive and preventative, rather than reactive, when it comes to safeguarding their privacy. You know when and where problems could arise, and you can begin to close identified loopholes. All unwanted content that contains inaccurate or out-of-date personal information, or that is not of interest to the public, can be removed. But be aware, this is not so easily the case for defamatory information.

Take it or leave it

Equipped with this knowledge, you are also able to assess when to dismiss or to engage with an opportunity; knowing when you should be proactively approaching the media and when you should hold back.

Unfortunately, some people abuse the web by trolling others, and you shouldn’t overlook the threat this poses. It’s vital to determine whether this is a ‘real’ person with a reasonable concern or complaint, and so deserving of a response, or if they’re just a troll who thrives on creating unfounded controversy. Having performed that ‘privacy audit’ you’re able to make that call. If the claim is completely speculative, do not engage! The second you open the door to a troll, you’re inviting in trouble.

Similarly, you may come up against the issue of someone intentionally spreading fake news about the person. In this case, it is important to respond and counteract this by directing the public to factual and reliable sources that disprove the claims. You can also report this fake news outlet to the platform in question, for example by filing a complaint with Twitter.

And if the worst happens?

It’s important to state at this stage, that despite your best efforts it’s not possible to guarantee someone complete privacy protection.

If a breach of privacy does occur, legally it would be advised not to respond and disclose further private information, but to combat inaccurate allegations, and to be aware that the person is entitled to a right of reply. Quickly sharing their side of the story can dramatically shift the tone and balance of public discussions and conversations. I’m sure that many of you would have been greatly moved by the interviews with Jennifer Lawrence after her private photos were leaked online. And in instances where a privacy breach reveals wrongdoing, as we’re currently seeing with Mark Zuckerberg, then mitigation action will need to be taken immediately.

Once you have said your piece, it is time to leave the matter there. Let it go. You may still be familiar with the old phrase, “today’s news will be tomorrow’s fish and chips papers” and with the shift online, news now has an even shorter shelf-life.

Of course, online articles cannot be so easily thrown away as a newspaper. The Founding Director of the Life Sciences Project at Harvard Business School once referred to the permanent availability of information online as a “digital tattoo” – but there are ways to help them fade.

It’s vital you re-start a cadence of regular ‘business as usual’ content to help displace and dilute the negative news and ensure that you’re also being spoken about for the right reasons, not just the wrong ones. It’s about re-balancing that person’s public presence. You may have seen the recent exposé of Elon Musk’s family splashed across the news, but if you search for him on the internet, you come up with an array of other content and stories.

To further push down those unwanted Google results, maximise your use of third parties and back links. Having a reference from a third party or even setting up your own fundraising page can all help create more ‘background noise’ that isn’t associated with that personal privacy breach. And if needs be, you can always invoke Google’s right to be forgotten.

Note as well that though GDPR rules may not apply if it is an individual who has breached your privacy, if it is a company, such as a tabloid newspaper, who has leaked personal secrets or images then they are technically processing your personal data, without your consent. That’s a fineable offence!

Striking this rather delicate balance between privacy and transparency, promoting a company and safeguarding personal information is no easy feat. But it is still possible for your business leader to make a distinction between their private and public personas, between what is general knowledge and those elements only known by their family and friends. At the end of the day, privacy is a fundamental right for all.


Facebook (and many of the social networks) have already been putting greater transparency measures in place in the recent waves of scrutiny and interest. For example, Facebook discussed openly how it deals with abuse and radicalisation, and Canada allowed consumers to see what ads a company is running at any one time.

Facebook’s latest move to be supportive is to help with the forthcoming GDPR regulations. Compared to many overly legalistic guidelines, Facebook’s information does a good job of explaining what businesses using Facebook need to know. For example – and I’m paraphrasing – it essentially says things like “when we do custom audience matching, we’re the data processor; when you decide the purpose of processing data, you’re the data controller”.

Now back in January, Facebook approached this from the user perspective, giving consumers the ability to control how they were advertised to and it’ll be interesting to see how this evolves and how the ICO views this. At the moment, the privacy page is very granular, but it’s not the easiest page to reach or customise. I imagine that come May, Facebook will present a pop-up that users cannot click away from, forcing them to review their ad and privacy choices.

Otherwise, they’ll be marketing on the basis of legitimate interest rather than unambiguous consent – and whilst this is still legal, it’s on slightly shakier ground. After all, ‘legitimate interest’ could justifiably be argued based on a link to demographic groups (e.g. you’re 18-21 and list ‘music’ as an interest, so Facebook will serve you music-based ads) but it does rather put the onus for consent back on the advertiser. Since advertisers aren’t in control of the platform, and doing ‘per ad consent’ would be a nightmare, this isn’t a great solution.

In the meantime, if you’re one of the advertisers that contributes to Facebook’s $36bn ad revenue, use this page and know where you stand!

Privacy will be a big theme in 2018. If you’ve not yet come across the General Data Protection Regulation (GDPR), where have you been hiding? The regulation will come into play in May 2018 – and if privacy and data protection weren’t already all people could talk about last year, then just you wait for the explosion this year!

GDPR brings a host of challenges for businesses – particularly for marketing folk. But I won’t go into that now, we’ve already covered this in a previous blog post which you can read here.

But one consequence of GDPR is that people will become more aware of the protection of data and their privacy – which has already started to result in people losing trust in some of the major technology providers.

The build-up of mistrust

We are not far off a major breakdown between consumer-business relationships at the rate we’re going. Last year Uber was hacked and hid it, YouTube allowed sexualised remarks to be left alongside content featuring children, Google was sued for gender discrimination and that’s only a handful of last year’s scandals in the tech sector.

Big players can just about ride out this type of negative attention due to their dominance of the market – although many responsible companies have responded and changed in response. But what would happen if this was an attack on one of the smaller challenger brands? It could be their ending.

There’s nowhere to hide – brands must prepare for total transparency

Internal culture is becoming part of a brand’s identity. For a long time now, sites like Glassdoor and social media have given outsiders an inside view of a company’s ‘employer brand’ and culture. But culture hasn’t been exposed in the way we’ve seen it in 2017 – people have actively ‘outed’ poor behaviour and we’ve seen boycotts of services (like brands pulling ads off YouTube) and regulators swoop in (Europe demanding fair taxes from Google, Facebook and Amazon).

For transparency to work, brands must work on what they deem is the right internal culture because it will live on outside the company. If the marketing team hasn’t spent considerable time with HR in the past, then it’s time to start now.

Marketing and HR must club together

All employees and all customers are advocates of some kind, whether good or bad. HR and marketing must work together, not just at a tactical level to engage these advocates, but at a strategic one, especially given the incredible harm bad advocates can have on a brand.

Alongside HR, marketing must monitor how the company operates and keep a firm hand on the tiller. More than ever before, the inner workings of a company are projected externally – either through social sites like Glassdoor, or more simply, the way that staff talk to customers, partners and each other. This makes it far more important that HR and marketing are on the same page to ensure alignment in the way they engage advocates. And today, every single member of staff is an advocate. This is especially important if there is a cultural change – and if there’s resistance – marketing must help to mitigate that, which often means working very closely with the senior management team.

In a competitive talent market, HR teams and business leaders will have been busy building their employer brand, but in 2018 it’ll be about building employer trust. There are a number of surveys and studies which show the impact of a bad employer brand – mostly focusing on the consequence of your talent acquisition with higher costs to recruit and candidates turning down roles at companies with a bad rep. But in today’s world the impact of a bad reputation is so much higher, as we saw with the Uber and YouTube boycotts.

Marketing has an inherent skill in building trust. With HR, marketing becomes fundamental in navigating the company during this new era of trust. And customers and employees will demand proof of this trust – regulations like the GDPR will make sure of that!



Does the new General Data Protection Regulation (GDPR) make you want to just delete all your data and start afresh? We felt that way at first – when you start grappling with an 88-page pdf written in dense legalese while taking advice from different people, you may feel more confused than when you started out.

Wetherspoons actually did decide to delete all their customer data – but we’ve found out that you don’t need to be that drastic.

We met some brilliant, plain-speaking people, and ran an event with a particular focus on what GDPR means for marketing data. Facilitated by Firefly CEO Claire Walker, our team of experts included Simon Morrissey, Head of Data and Privacy at law firm Lewis Silkin, Nicholas Dunn-McAfee, Head of Policy and Research at the PRCA and Simon Loopuit, CEO and founder of trust-hub.

The overwhelming message from this panel of experts was that there is huge opportunity for companies to become GDPR compliant. There is too much emphasis on the ‘hefty’ fines – too much stick, not enough carrot in our opinion. Even Simon Morrissey didn’t mirror the scaremongering messages you often see from other lawyers and talked about how brands who are GDPR compliant can gain competitive advantage.

From a reputation perspective, handling data in a respectful manner shows your customers that you are safe guardians of their personal information. People are wising up to how their data is used, and trust is the primary pillar in establishing a strong and lasting relationship with them.

Furthermore, better data means better engagement. When customers actively opt in to being marketed to, they’re more likely to be engaged with what you send them. No more ‘why is this company spamming me and how did they get my contact information?’. With GDPR we will see the rise of granular consent – where customers are asked for their preference on how and when they are contacted (more on this in step 5).

To become GDPR compliant requires a thorough audit of your current processes and data (see step 1 below). This first critical step may mean an overhaul of processes and how data is used, which at a minimum will make your company more efficient. But also forcing yourself to rethink and question every process and data point may prompt new and better ways of working. This discovery process could unearth some hidden gems.

It’s all well and good me telling you the benefits of getting your house in order, but how do you get to that point? Well, we have some brilliant practical steps to help you get started now. And we mean now: Simon Loopuit from trust-hub advised us that it’s a six to nine month process, so it’s time to get going.

Practical steps for marketing professionals

  1. Create a data map noting all the processes and data you collect

This data map must not only incorporate internal data but also the data about you and your clients that your vendors hold. When noting down the data points, also note the purpose of the data. This is an important step as it will help inform your marketing strategy and transform your processes – maybe you don’t need this data point, or maybe there’s a better way to use this data.

  2. Take ownership

Don’t think that responsibility lies with IT. Your department is responsible for the marketing data you hold and use. However, personal data cuts across all areas of the business so you must get engagement from all departments. It’s not about being scared into action; ensure you communicate the benefits of reviewing your data map.

  3. Engage management and the board

All this work will take an incredible amount of time and effort. Therefore it needs to be a marketer’s number one priority between now and May 2018. To do this effectively, clearly outline the need to switch priorities and explain the benefits in the long run – and also be ready to keep having to explain the benefits for those who may be impatient!

  4. Sort supply chain

Yes, your data must be compliant, but you must ensure the vendors that handle your customers’ data are also compliant. Data breaches often happen due to a weakness in the supply chain. Not everyone will be as proactive as you, so ask your vendors and suppliers the right questions so you feel confident that the right measures are in place to safeguard your customers’ data.

  5. Granularised consent

If you haven’t transitioned away from opt-out (pre-ticked) consent, then do that right away. Consent also doesn’t mean ‘all on, all off’. Give your customers choice in how and when they receive information from you. It might be that some customers prefer certain channels over others, or that they prefer a certain frequency. Give them options, just not too many: it has to align with your marketing strategy, which can’t be too siloed.

There are three ways to react to GDPR – fight, flight or freeze. Many brands are like a deer in the headlights, freezing and taking no action at all. Some, like Wetherspoons, choose flight and ditch all their data in favour of starting over. We tell you to choose ‘fight’ which we’d actually change to ‘face head on with a positive and determined mindset’ (catchy, hey!) because rolling up your sleeves now will give you many long-term benefits for your brand.


Like all marketers – and Tom Cruise in Mission: Impossible – we’re keenly aware of a ticking clock right now. Yes, the GDPR countdown clock is ticking increasingly loudly. One thing we’ve been struggling with until today was our Mailchimp list. Our monthly newsletter, Spark, goes out to about 2,000 friends, family and clients past and present, and whilst GDPR doesn’t materially change much of what is already in PECR or previous data protection regulations, it’s a good opportunity to have a spring clean of contact lists.

NB. Mailchimp has just (17.4.18) published its own templates for this, which can be found here – in our opinion, it’s not perfect, but neither is the solution that we detail below. We’ll leave it up to you (and our helpful commenters) to work out the best way for you.

But there’s no straightforward way of doing this. Our first idea was to use an opt-in confirmation or re-subscribe form, but more often than not, this gives an error message because you’re sending a message to an existing subscriber. Similarly, there are ‘reconfirm’ forms, but they’re a bit tricky to find and may not exist in all subscriptions.

After a few minutes on chat with Mailchimp support, we found a way of doing it with groups. Here’s how:

– Under ‘Lists’, select your list

– Under ‘Manage contacts’ select ‘Groups’

– Under ‘Groups’ select ‘create group’ and enter the description as something like ‘I would like to stay subscribed to this newsletter’ and enter ‘Yes / No’ in the dropdown boxes

– Create your next campaign, and at the top of the newsletter, ask people to click on a link to stay subscribed. Hyperlink this text, and when you select ‘Web Address’ paste this text *|UPDATE_PROFILE|* into the box

– This will create a link in the newsletter where people can update their profile in a web page created by Mailchimp. You can see it if you go to the main ‘Lists’ page, and on the dropdown arrow next to ‘Stats’ select ‘Signup forms’ and ‘General forms’. This should show you the profile update form, where you can select or deselect any fields – but don’t remove the options that you added in the previous steps

– Once the newsletter has gone out, you can see where people have clicked in the ‘Lists’, ‘Manage Contacts’, ‘Groups’ option

– Don’t throw the baby out with the bathwater – give people four or five newsletter iterations before you start manually unsubscribing them

This process will give you a list of people who have actively consented – and re-opted in – to be contacted by you, without having to unsubscribe, then re-contact, everyone, confusing them in the process.

In fairness, this process should be easier, but Mailchimp is based in the US and might not be quite as up to speed with this as it should be. We’ll keep you updated on any changes as we see them within the platform, but until then, this is probably the easiest way of doing it.

