Fear around the EU’s General Data Protection Regulation (GDPR) is having a negative economic impact, according to Chris Combemale, CEO of the DMA Group, which includes the Direct Marketing Association (DMA).
“GDPR implementation is creating a large amount of fear because of misunderstandings around the text and fear mongering from companies using the tried-and-tested marketing tactic of fear, uncertainty and doubt,” he told a recent Westminster eForum seminar in London.
These companies, he said, are “rather unhelpfully” using the threat of fines and a heavy focus on consent to attract business for their legal, consulting and technology offerings.
The DMA Group, which is working to produce a single set of guidance on customer communications across the marketing sector, recognises the GDPR is a risk-based regulation that balances the customer’s right to privacy with the legitimate interest of companies and public sector departments.
“The regulation seeks to embed core principles of accountability and strives to achieve a balance between privacy and innovation,” said Combemale.
A lot of the GDPR-related fear, he said, is around consent, which has been positioned by many as if it were now the only legal basis of data processing under the new regulation, when in fact it is just one of six equal legal bases for processing personal data.
The other five are if processing is necessary for:
- The performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation to which the controller is subject.
- The protection of the vital interests of the data subject.
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
“Most of our members will use ‘legitimate interest’ as the basis for normal data hygiene, segmentation, personalisation of offers and channels such as postal, and recital 47 of the GDPR states that direct marketing is a legitimate interest,” said Combemale.
Although GDPR implementation for large companies is quite daunting from a systems point of view, he said there is no need for marketers to fear the GDPR because it is consistent with the DMA’s guiding principles of putting the customer first, respecting privacy, being honest and fair, being diligent with data and taking responsibility.
Having a single customer view yields many benefits for marketers and consumers alike in terms of relevance, timeliness, efficiency, and money savings, he said, and the GDPR legislates for this, requiring companies to know what data they hold, how and why they collected it, and what they will use it for.
“Companies must also be able to fulfil subject data access requests, but they will not be able to do any of these things efficiently without a single customer view, while the requirement to keep customer data secure is just a basic cost and requirement of doing business in a digital, technology and data-driven economy.
“Yes, the GDPR increases businesses’ responsibility in these areas, and requires businesses to tell data protection authorities and customers when they have had a breach and take steps to protect customers from harm, but that is all just good business practice and should not have required regulation or the threat of fines for businesses to behave in that way,” said Combemale.
Businesses should be accountable for their decisions, he said, urging them to document how they have thought about the potential effect of those decisions on customers. “Be clear as to why you think you are helping, rather than harming your customers,” he said. “Be honest with yourself and your colleagues. Maybe a small tweak to the communications plan shifts the result from harmful to helpful.”
These good behaviours are supported by things like privacy impact assessments and the principle of privacy by design. “It just means thinking about your customers, and that’s good marketing that will create trust in your brand and long-term brand loyalty, as well as increase the value of your customers.”
Combemale urged businesses to use the GDPR as a catalyst to become a customer-centric company, rather than thinking of it as a legal and compliance requirement.