GDPR: What has happened one year on? Plus, find out how to set up a data retention policy
It’s 12 months since the General Data Protection Regulation (GDPR) came into force across the EU. Paul Snell explores what the impact of the legislation has been, and hears advice on creating a four-step data retention and deletion policy to ensure you remain compliant
How do you plan to mark this week’s GDPR anniversary? Sending cards to all your clients and customers – providing you have their consent beforehand, of course?
Perhaps the legislation just passed you by and hasn’t had an impact on how you carry out marketing? A poll of IT decision-makers carried out by CybSafe found just 57% think their organisation is currently compliant with GDPR.
Most probably you’re still working out how best to comply, and ensuring the processes and policies established ahead of the deadline last May haven’t been placed in a drawer and forgotten about. Talend, a data integration platform, found almost three-quarters of firms had failed to respond to requests for personal data within a month as required by the law.
The significant fines from regulators eager to stamp their authority, prophesised by the doom-mongers, have not materialised – with the significant exception of a €50 million penalty handed to Google by the French regulator, which the tech giant plans to appeal. Other than that, penalties have been thin on the ground – a couple of public bodies, a Danish taxi firm and a Polish data processor.
Investigations are underway. At the start of this month, for example, the Irish Data Protection Commission announced it has launched an investigation into adtech provider platform Quantcast to determine whether the company’s processing of data to create profiles for targeted advertising complies with the GDPR.
Regulators certainly have plenty to keep them busy. In February, law firm DLA Piper reported there had been 59,000 personal data breaches notified to regulators in the first eight months under the legislation in the EU. Of these, the UK accounted for just over a sixth, the third highest figure.
What has happened in the past 12 months?
At a presentation hosted by content platform BrightTalk this month, Tim Hickman, partner at law firm White & Case and a man Chambers describes as “a walking encyclopedia of the GDPR”, shared five things he’s observed and learned since the implementation of the law last May.
1. There haven’t been many fines… yet
“It isn’t that [fines] are not coming, or regulators are not taking it seriously,” says Tim. “It’s because it takes time and they’re worried about being challenged in courts.”
In spite of in excess of 10,000 reported breaches in the UK, the ICO has only issued 127 enforcement notices in the past 12 months. Enforcement takes time. Regulators need to become aware of the breach in the law, investigate it, and then issue a fine, which can be appealed. “It takes a lot of time to get to the point to issue a fine, and if it’s a big one companies are going to go to litigation,” adds Tim.
2. Companies are much more willing to spend money on lawyers than before
Businesses are now much more willing to fight fines and spend money on litigation. A £500,000 fine might not justify spending £100,000 on legal fees. But if your lawyers can chop £1 million off a £5 million fine, it looks like a worthwhile investment.
“We’re seeing a big uptake in companies willing to invest in proper litigation strategies when previously they would have let it slide. As a result the regulators are taking a lot more effort to ensure their case is really robust, knowing they are likely to be challenged in court,” Tim says.
3. Regulators are overwhelmed…
The demand for data protection expertise is fierce. When preparations for GDPR were ramping up in advance of the deadline, the regulators across the EU were a good source of these experts, tempting them to leave with the higher salaries on offer in the private sector. Now regulators face the same talent squeeze as they deal with bigger workloads.
In addition, the volume of work has increased significantly. GDPR imposes more obligations on regulators, and according to Tim the anecdotal evidence is some are beginning to miss deadlines because they don’t have the capacity to keep up.
“It isn’t that [fines] are not coming, or regulators are not taking it seriously, it’s because it takes time and they’re worried about being challenged in courts"
4. ..But they have the tech sector in their cross hairs
So far, the majority of the headlines and action has focused on the technology sector, and in particular the large California-based social media and content platforms. The introduction of GDPR was in part to give regulators the tools necessary to tackle these companies.
Claimant solicitors have also targeted this industry, bringing claims on behalf of multiple clients. The lawyers are looking for settlements that’ll extract money cheaply and make them a profit. But the tech giants saw them coming, and tooled up with the best lawyers and biggest law firms.
These solicitors have realised the tech sector is perhaps not the place to make quick, easy money so are turning their attention to other less well prepared industries, where the pickings may be easier.
Says Tim: “While the headlines are still about tech companies, the direction of travel of legal claims is shifting away from them – although it won’t leave them all together. Other industries are rapidly catching up in terms of risk exposure.”
5. GDPR is being weaponised by disgruntled employees
Employment solicitors are increasingly using GDPR as a weapon to attack employers, says Tim. It happens like this. A disgruntled employee – having been dismissed – submits a subject access request for all the information the company holds on them. These requests are difficult to dismiss and can be incredibly costly. The idea is to force the company into a settlement. “The nuisance value of this type of claim is phenomenal,” Tim says.
He advises running a fire drill exercise on a subject access request to establish your exposure. Could you find all the information, exclude the info about everyone else, how much would it cost and how long would it take?
How to set up a data retention and deletion policy
If you think your GDPR compliance efforts were completed on 29 May 2018, think again.
Speaking at the Adobe Summit in London this month, Stephen Yeo, former B2B marketing director at Panasonic Europe, told delegates “the bulk of the workload is now”.
Of particular importance was his advice on the retention and deletion of customer data. He says he has seen policies online for major companies which essentially say they will hold onto your data “until you tell us not to”.
“That’s against the law, and it’s very clear you should only keep data for the shortest time possible,” says Stephen.
When you’re adding significant numbers of contacts to your database a year – it was around 40,000 new records for a variety of reasons at Panasonic – managing this retention is like trying to hit a moving target.
Stephen and his colleagues came up with a four-step process to manage the retention and deletion of its contact data, with marketing automation platform Marketo at its heart. It took the business a year to come up with, and he shared how they achieved it.
4 step process to manage retention of your marketing data
1. Create a deletion policy based on segmentation
It’s likely new contacts entering your database will be there for different reasons, and each group may need to be retained for different lengths of time. At Panasonic for example, data on customers with warranties need to be held for longer due to the potential need to issue safety recalls.
Stephen advises data will be divided between ‘actives’ – those who’ve entered your contact database through an action of their own (entering a competition, for example), and ‘passives’ – those who you’ll likely be targeting under legitimate interest. “The majority of your contacts are probably going to be passive unless you have 100% market share,” he says. Passives will need a shorter retention date than actives.
2. Create a database with a single record
When a new contact enters your database, each record should have a deletion date assigned to it based on your policy. A marketing automation system can automate this process for you.
3. When a contact acts, a new deletion date is triggered
You’ll need to set up listening campaigns within your database, so when contacts do something the deletion date will automatically update in line with their interaction.
4. Execute your data purge
Run a report (Stephen did this annually), that will export all the contacts whose deletion date has passed. Rather than deleting this data straight away, you’ll need a few safeguards in case there’s an ongoing relationship that’s not recorded within the system.
At Panasonic, this buffer had two stages. First the list of contacts was sent to IT, which ran the list against the company email system to check the address against any email or phone call logged in the system linked to a sales rep. If a connection was found, the contact was taken off the deletion list. Following that, the list was passed to sales for a final check, where it could remove any contacts that had been missed and were active. Once these two stages had been completed, the contacts could be deleted from the database.
Stay paranoid and assume the worst
The message from Stephen is the work is far from over, and marketers should stay paranoid. Assume the worst, that you’ll experience a leak or hack – research by Hiscox found almost two-thirds of UK businesses have suffered a cyber attack in the past 12 months.
“The advice from the legal team was if you implement these very sound procedures, and if you show you’re doing your best to be compliant with the law and protect your database, if that hack or leak happens you’ll be in a far better place than if you do not. I don’t think it’s possible to keep that data retention policy under control with humans, you have to have automation to do it,” Stephen says.
Far from signalling the end of marketing, GDPR should be seen as an opportunity to rethink your marketing strategy and reposition the function as a source of genuine competitive advantage.