eu data reform - ticking all the boxes?


Uploaded by communicator, posted 03-Apr-2016

DESCRIPTION

Over the course of the next 12-14 months, the European Commission will introduce a major overhaul of EU Data Protection Regulations (EUDPR). The changes will introduce greater protection for consumers, especially online, with a stronger focus on personal data security. Companies who fail to comply will face huge fines.

TRANSCRIPT

Page 1: EU Data Reform - Ticking All The Boxes?

EU DATA PROTECTION REFORM, SEP 2014

EU DATA REFORM 3: TICKING ALL THE BOXES? PROCESSING & STORING DATA

Page 2: EU Data Reform - Ticking All The Boxes?

IN BRIEF

WHAT’S HAPPENING?

The European Commission (EC) has agreed to a reform of the way in which the current Data Protection Act (DPA) is enforced and the changes will be made within the next 12-24 months, as determined by the EC. The reform will introduce higher standards for companies to meet and an easier process for making complaints resulting in the risk of huge fines for those who don’t comply. It’s designed to encourage companies to have security of customer data at the forefront of their minds from the outset – a concept known as “privacy by design”.

The EU Data Protection (EUDP) reform will have a huge impact on marketers in various different ways, so we’ve aimed to break down the changes and summarise key information in a series of guides and blog posts.

This guide is the third in the series and looks at how the changes will impact the way you store and process customer data now and what will need to change in order to comply with the reform once it’s introduced.

If you missed our first two guides, take a look at the resources section of our website, where you’ll be able to access the first in the series, “EU Data Protection Reform: Our guide to what’s coming”, for a general overview, and the second, “Can I have your number? Data collection and consent”, for a breakdown of how to approach data collection with EUDP in mind.

WHAT DO I NEED TO DO?

The most important thing to do at this stage is to understand the changes and grasp how they’ll impact the way you currently operate. This is the only way to identify what will need to change in order to comply with the new standards. The changes are a few months away but it’s better to address this now so you’re fully prepared.

Page 3: EU Data Reform - Ticking All The Boxes?

IN THIS GUIDE

STORING DATA ................................ 4
How it works
How will the reform change the way I work?

PROCESSING DATA .......................... 9
How it works
How do the changes impact how I currently work?

WIDER VIEW .................................... 11
A multi-channel journey

TIME TO GET THINKING .................... 13

TAKE NOTE ...................................... 14

WHAT’S NEXT? ................................ 14

WHAT’S NEXT IN THE SERIES? ........... 15

Page 4: EU Data Reform - Ticking All The Boxes?


STORING DATA

HOW IT WORKS

Data can be one of the most valuable assets for a business; helping to show who your customers are, where they live, what they’re purchasing and providing invaluable insight into how to target your marketing activity. This information is also personal data. If you’re storing and using any personal data then you need to familiarise yourself with how the EUDP enforcement will impact your current operations.

Currently, when organisations collect customer information it’s often stored for future use. At present, there’s very little visible enforcement against storing information after it’s been used for its original purpose, so customer details such as location, preferences and behaviour are stored and used for analysis, analytics and marketing; often without the customer’s knowledge. The EUDP reform will change this.

Figure: the order-fulfilment data flow. Customer provides postal and email address for delivery of an order → Company stores address and purchase information and subscribes customer to email newsletter → Company fulfils order → Location and purchases used to personalise website and email content.

Page 5: EU Data Reform - Ticking All The Boxes?


HOW WILL THE REFORM CHANGE THE WAY I WORK?

TIME

• You shouldn’t store information after it’s fulfilled its original purpose unless you have clear permission from your customers to do so. For the example on the previous page, the company would need permission from the customer if they wanted to store and use the address and order details after the order had been fulfilled.

• You can only store customer data for a reasonable amount of time. The nature of your organisation will largely determine the amount of time it’s deemed reasonable to store personal data, so storage time should be decided with a little common sense. What is certain, though, is that if you store any personal data for more than 6-12 months after it has first been used, you will have to be able to demonstrate that you have a very good reason for doing so.

In the festival example, it’s clear why the data is collected and when it will no longer be used for that purpose. But the car dealership example is a little less clear. Long-term customer relationships mean that previous purchase information and ongoing communications may still be relevant for many years after a purchase, so for some organisations it may be expected to store information for an extended period. You should assess your situation with common sense and follow the DPA rules to make an informed decision on a “reasonable” length of time for your organisation.

Figure: two retention-period examples.

Festival example: a customer signs up to receive information about a one-off upcoming music festival. The festival sends comms 6 months before and 2 weeks after the event. 2 weeks after the event, the details have fulfilled their original purpose – is it OK to store?

Car dealership example: a customer buys a car from a dealer with a 5 year warranty. The dealer stores information and contacts the customer throughout the 5 years with service reminders etc. On average, new cars are purchased every 3-7 years - so is it reasonable to store customer details for this length of time?

Page 6: EU Data Reform - Ticking All The Boxes?


ACCURACY

• If personal details are being stored, they must be kept accurate and up to date. The longer data is kept, the more likely it is that details have changed and are out of date. Customers’ contact details, lifestyles and preferences change over time, so a company such as a car dealership must make every effort to keep information accurate, or delete it. They could store the record so that it states that the customer once lived at X address and now lives at Y address. Over time, previous purchase information may also become irrelevant as preferences change.

DELETING OLD DATA

• Personal data which has fulfilled its purpose should be deleted. Removing contact, payment and personal details about previous and current customers helps protect your customers from online fraud and identity/information theft should there be a data breach.

ANONYMITY

• Data which would otherwise have to be deleted can instead be anonymised if you want to use it for other purposes, such as analytics. This is achieved either by removing or overwriting identifying details in records, or by creating summary or reporting data.

Figure: record lifecycle.

Record: Name: Mr XYZ; Address: 1 Data Street; Car preference: budget.

Record used → Permission to store? YES - store record. NO - time to delete or anonymise this data.

Updated record: Name: Mr XYZ; Current address: 9 Email Ave.; Previous address: 1 Data Street; Car preference: family estate.

Historic purchase and customer information → Create summary reports → Delete historic data.
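The record-lifecycle decision above (permission to store? keep, else delete or anonymise) and the page-5 storage rule of thumb, worked through as an added Python example; this is not the guide’s own code, and the field names, the 365-day window and the sample records are assumptions:

```python
"""Retention and anonymisation decisions for stored customer records.
Added example, not from the Communicator guide: the page-6 flow (record used ->
permission to store? -> keep, else delete or anonymise) and the page-5 rule that
data kept beyond 6-12 months after first use needs a documented reason. Field
names, the 365-day window and the sample records are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_RULE_OF_THUMB = timedelta(days=365)  # assumed; the guide says 6-12 months

@dataclass
class Record:
    customer_id: str
    name: str
    address: str
    postcode: str            # full postcode, e.g. "NE1 1ED", still identifying
    purchase_total: float
    purpose_fulfilled: date  # order delivered / event over
    consent_to_store: bool   # explicit opt-in to keep data after fulfilment

def decide(rec: Record, today: date, needed_for_analytics: bool) -> str:
    """Return 'keep', 'review', 'anonymise' or 'delete' for one record."""
    if today < rec.purpose_fulfilled:
        return "keep"  # still needed for its original purpose
    if rec.consent_to_store:
        if today - rec.purpose_fulfilled > RETENTION_RULE_OF_THUMB:
            return "review"  # consent held, but justify the long retention
        return "keep"
    # No permission: identifiable data must go; it may live on anonymised.
    return "anonymise" if needed_for_analytics else "delete"

def anonymise(rec: Record) -> dict:
    """Strip every identifying field; keep only the postcode area and spend."""
    return {"postcode_area": rec.postcode.split()[0], "purchase_total": rec.purchase_total}

def summary_report(rows: list) -> dict:
    """Grouped data (allowed without permission): spend per postcode area."""
    totals = defaultdict(lambda: {"customers": 0, "spend": 0.0})
    for row in rows:
        area = totals[row["postcode_area"]]
        area["customers"] += 1
        area["spend"] += row["purchase_total"]
    return {k: {"customers": v["customers"],
                "avg_spend": round(v["spend"] / v["customers"], 2)}
            for k, v in totals.items()}

def apply_policy(records: list, today: date, needed_for_analytics: bool = True) -> dict:
    """Sort a batch by decision; identifiable data survives only with consent."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[decide(rec, today, needed_for_analytics)].append(rec)
    anonymised = [anonymise(r) for r in buckets["anonymise"]]
    return {"kept": buckets["keep"], "review": buckets["review"],
            "deleted": [r.customer_id for r in buckets["delete"]],
            "report": summary_report(anonymised)}

# Constructed sample data; TODAY is fixed so the results are reproducible.
TODAY = date(2014, 9, 15)
SAMPLE = [
    Record("c1", "Mr XYZ", "1 Data Street", "NE1 1ED", 120.0,
           date(2014, 3, 1), consent_to_store=False),   # purpose served, no consent
    Record("c2", "Ms ABC", "9 Email Ave", "NE1 2AB", 80.0,
           date(2014, 8, 1), consent_to_store=True),    # consented, recent
    Record("c3", "Mr DEF", "3 Old Road", "SR1 1AA", 45.0,
           date(2013, 1, 10), consent_to_store=True),   # consented, over a year ago
    Record("c4", "Ms GHI", "7 New Way", "NE1 3CD", 60.0,
           date(2014, 10, 1), consent_to_store=False),  # order not yet delivered
    Record("c5", "Mr JKL", "5 Short St", "NE1 4EF", 80.0,
           date(2014, 6, 1), consent_to_store=False),   # purpose served, no consent
]
```

Running `apply_policy(SAMPLE, TODAY)` keeps c2 and c4, flags c3 for review, and turns c1 and c5 into a single grouped row for NE1; with `needed_for_analytics=False` those two are deleted outright.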

Page 7: EU Data Reform - Ticking All The Boxes?


TECHNOLOGY

• You are responsible for any personal data you collect and store.

• The technology you use will need to safeguard any data you hold. Measures should be taken to ensure data is secure and safe from the risk of a data breach: for example, passwords for database files, data encryption, ease of safe data transfer etc.

• Who can access the data you hold? You should have technology in place to only allow the relevant people access to customer data. That said, it should be simple to access and update your data to comply with accuracy rules.

• You should be able to retrieve data and the permissions you hold for that data quickly and easily. It’s important to think about how you can store this information effectively using your technology systems.

Think about the technology you use for your marketing campaigns…

Speak to your technology providers about the reform and begin future-proofing your processes in order to comply with the reform. If you address the issue now, you’ll be well prepared once the changes are introduced.

Figure: where customer data ends up. Website email sign-up → email address details are stored by the CMS system and fed into the CRM system in order to store the data → it’s likely you’ll then use this data in your ESP to power your campaigns → if a customer purchases from you, their details will then exist in your ecommerce platform → for customer services, Outlook is often used to communicate on a personal level, adding another level of data storage.

Page 8: EU Data Reform - Ticking All The Boxes?


B2B

For business to business communications such as prospecting emails, current legislation states that you’re allowed to do this on an opt-out basis, i.e. if your contact hasn’t opted out then you’re fine to contact them. This has previously led to an industry where corporate contact details are often collected with little or no permission, entered into contact databases or CRM systems and routinely bought and sold in large prospecting lists.

Names, email addresses, job titles and many other business details are personal data. After the reform you’re going to need prospects to opt in to you storing and using their details. This will affect how you obtain data, who you contact and how you contact them. You should start looking into whether you have the relevant consent to communicate with your business contacts and, if you haven’t, it’s a good idea to start gaining this consent or planning how you can work without that data.

Current law: allows B2B prospecting if the recipient hasn’t OPTED OUT.

Tick here to opt-out of marketing communications

After the reform: consent needed to collect and store personal data. NOT OPTING OUT will no longer be enough consent; OPT-IN permission is needed.

Tick here to opt-in to marketing communications

Page 9: EU Data Reform - Ticking All The Boxes?


PROCESSING DATA

HOW IT WORKS

If you’re collecting, storing or using personal data then you’re likely to be processing it. The term processing covers any operation performed on personal data, whether it’s manual or automated. The EUDP will most definitely impact how you currently process the data you hold.

It’s a good idea to assess how you currently store information and bear in mind the technology involved in the processing stage. Lay strong foundations in your technology and processing to comply with the EUDP reform and it shouldn’t be a problem.

At present, organisations have a lot of flexibility on what they’re allowed to do with customer data and they don’t really need permission in order to perform these processes. It’s not unusual for organisations to profile individuals based on buyer behaviour for targeting or marketing automation, or to use customer postcodes to build affluence models. There’s nothing forcing companies to remove any links to individuals from the information that they process, but the reform will bring significant change.

HOW DO THE CHANGES IMPACT HOW I CURRENTLY WORK?

PROFILING

• You won’t be able to process any information for profiling that’s still linked to an individual person if you don’t have their permission to do so. Affluence modelling, calculating customer lifetime value, profiling based on engagement will all be big no-nos if the information still links to an individual who hasn’t consented to this type of processing.

• It’s OK to profile anonymously in order to build business intelligence. Using grouped information to build personas, creating reports on best performing areas using postcodes, or creating charts/diagrams to calculate engagement are all fine as long as you can’t link the information back to an individual.

TARGETING

• You won’t be able to process information in order to personalise your campaigns without clear permission to do so. For example, if you’re currently using address information to send targeted offers based on location in your email communications; or if you’re using previous purchase information to inform the products you’re offering in your next email message, you won’t be able to do this without clear permission after the reform.

• You won’t be able to share data with any other department/sub-brand without clear consent from the individual. For example, if you’re a bank and your customer has provided you with their details to set up an online banking profile, you won’t be able to share their information with any other part of the business (loans/insurance etc.) without gaining permission first.

Page 10: EU Data Reform - Ticking All The Boxes?


BEHAVIOUR

• Cookie laws apply to whether you’re still able to show online adverts based on web behaviour. If the customer isn’t logged in to an individual account and the adverts are generic, this isn’t breaching the DPA. BUT if you want to use this web behaviour in your email communications (directly to the individual) you need permission to do so.

GROUPED VS. INDIVIDUAL DATA

GROUPED

YES - WITHOUT PERMISSION

• Grouping data to analyse best performing areas based on postcode.

• Grouping data to calculate averages e.g. average engagement with marketing messages.

• Grouping data to develop customer personas.

• Grouping data to calculate spending trends.

INDIVIDUAL

NO - YOU MUST GAIN PERMISSION

• Using location to target offers in email marketing communications.

• Using web behaviour to target marketing messages.

• Using affluence models developed from an individual postcode to target marketing emails.

• Calculating customer lifetime value of an individual.

• Profiling based on engagement with marketing messages.

Page 11: EU Data Reform - Ticking All The Boxes?


WIDER VIEW

Every business operates differently and it’s hard to be specific about how the changes will affect your organisation. It’s up to you to apply this information in the context of your organisation.

Here’s a scenario of what could happen to an ecommerce retailer after the reform.

One Saturday afternoon, Sophie takes herself off to her local high street for a shopping spree. She visits Shoeshop and decides to treat herself to a new pair of shoes. At the till point Shoeshop ask Sophie for her email address so they can send her an online copy of her receipt, to which she agrees.

When Sophie returns home, she takes out her phone to check her emails. She finds the online receipt from Shoeshop as promised and also a welcome email from the brand featuring some of their new season products.

A few days later, Sophie receives another email from Shoeshop featuring some sale items. She spots a pair of boots she likes, so she clicks through to Shoeshop’s website from the email. Sophie’s in luck: the boots are in her size, so she adds them to her basket and continues to the online checkout, where she creates a profile with Shoeshop as she’s a new online customer. She proceeds to enter her delivery details and telephone number so Shoeshop can notify her when her order has been despatched.

After placing her order Sophie receives an order confirmation email and a couple of days later, an SMS message to notify her of the date and time of her delivery. Sophie thinks this is great so she can make sure she’s home to receive her package.

A couple of weeks later, Sophie receives an email from “Handbagshop” – a different division of Shoeshop. She also receives an SMS text message promoting an in-store event in a couple of weeks’ time.

Over time Sophie continues to receive marketing emails from both Shoeshop and Handbagshop tailored to the things she likes to browse on the website and with targeted discounts to use in her local store. She doesn’t really open the Handbagshop emails as she’s not interested in their products, so she either skips over the emails or deletes them from her inbox.

A MULTI-CHANNEL JOURNEY

Page 12: EU Data Reform - Ticking All The Boxes?


WHAT’S ALLOWED NOW?

• When Sophie provides her email address so Shoeshop can send her an online receipt, they also add her details into their newsletter mailing list triggering a welcome email and further promotional newsletters from Shoeshop.

• When Sophie visits Shoeshop’s website via the email on her mobile device, her email address is linked with her mobile phone’s IP address meaning Shoeshop can monitor her web behaviour to tailor their email communications to her. They also use cookies to display adverts on their website relevant to her browsing behaviour.

• At the checkout when Sophie enters her address details, these details are then used to profile Sophie based on affluence using her postcode to determine the discount to offer her in their email campaigns. They also use Sophie’s details to create some customer personas to enable them to understand their customers’ individual demographics and characteristics.

• When she provides her mobile number for delivery notifications, she’s also added to Shoeshop’s SMS notification list so they can send her sale and event SMS messages.

• Shoeshop have a sister brand Handbagshop and they often share customer data to reach a larger number of people with their email marketing communications.

WHAT NEEDS TO CHANGE FOR EUDP REFORM?

• After the reform, Shoeshop would need to show Sophie that her email address was being collected so they could send her an online receipt, but they’d need to additionally ask for her permission to add her email address to their newsletter mailing list. They’d need to explain what this entails and what she’d receive as a result. Shoeshop would also need to retain proof of Sophie’s consent.

• In order for Shoeshop to send Sophie tailored email communications according to her browsing behaviour, they’d need to ask her permission to do so upon sign up. It’s OK for Shoeshop to display adverts based on Sophie’s web behaviour because these are anonymous.

• After the EUDP reform, Shoeshop would be unable to use Sophie’s address details for anything other than fulfilling her order without her permission. Shoeshop should instead show Sophie how they can use her location to provide better content and ask her whether she would like to opt-in. Shoeshop would need to be clear what data would be used and how it would be used. If Sophie doesn’t agree then her details would need to be deleted or anonymised.

• Similarly, Shoeshop could only store Sophie’s mobile number for delivery notifications and once the order is complete they’d need to delete this information. Shoeshop would need to ask Sophie to opt-in to SMS marketing or delete the data.

• Under no circumstances could Shoeshop share Sophie’s personal details with anyone else (even their sister/sub-brand) without her clear, given permission to do so. If Shoeshop are unable to prove that Sophie expected Handbagshop’s emails, they’d be risking HUGE fines.

Page 13: EU Data Reform - Ticking All The Boxes?


TIME TO GET THINKING

There’s a lot of information to take in but the best way to tackle the reform is to think about how you’re currently working and how the changes will impact these processes.

STORING DATA

• How long do you store your data for?

• Do you store data after you’ve used it for the reason it was given?

• What do you do with old data?

• How do you ensure your data is accurate and up to date?

PROCESSING DATA

• How do you currently process your data?

• Do you share data with different departments/sub-brands?

• How do you use your data to power your campaigns?

CONSENT

• Do you have permission to store data?

• Do you have permission to process your data?

• How do you currently gain consent?

• Are you able to prove consent?

Page 14: EU Data Reform - Ticking All The Boxes?


WHAT’S NEXT?

This guide is only one of a series of publications we have available for you to read and download on the coming EU Data Reform. In order to stay up to date with the most recent guides & blogs, visit the Communicator website resources section & blog feed.

You can also keep your eyes peeled for conversations around the reform on Twitter by following #EUDP; we’ll be tweeting using the hashtag, so if you have any questions please feel free to ask!

TAKE NOTE

A lot of what we’ve discussed in this guide already exists in the DPA, but companies are able to push the boundaries. The only consequences to marketers and organisations now are loss of consumer trust and some email deliverability issues. Neither of these is desirable, but they are clearly risks worth taking to some companies wishing to build their multi-channel offering. It’s important to note that any strategy should be built on a strong foundation, and if you’re breaching the DPA that’s not a great place to start.

Stronger data and permission standards are nothing without enforcement, and it’s this enforcement which should be making marketers stop and take note. It won’t be long until management teams come knocking on marketers’ doors with questions on how to avoid the risks and heavy fines, so do your research now and make those changes to stay ahead of the game.

Page 15: EU Data Reform - Ticking All The Boxes?

WHAT’S NEXT IN THE SERIES?

1. OUR GUIDE TO WHAT’S COMING

2. CAN I HAVE YOUR NUMBER? DATA COLLECTION & CONSENT

3. TICKING ALL THE BOXES: PROCESSING & STORING DATA

4. GETTING YOUR DUCKS IN A ROW: WHAT CAMPAIGNS CAN YOU SEND?

5. SAY WHAT?! TRANSLATING THE CHANGES TO YOUR CUSTOMERS

6. IS IT ME YOU’RE LOOKING FOR? THE RIGHT TO BE FORGOTTEN

7. WHAT’S THE DIFFERENCE? MARKETING PERMISSIONS VS. DATA PROTECTION

You can download the following guides at www.communicatorcorp.com/resources so keep an eye out for the rest of the series, available over the coming months.

Page 16: EU Data Reform - Ticking All The Boxes?

THOMSON HOUSE, GROAT MARKET, NEWCASTLE UPON TYNE, NE1 1ED, UNITED KINGDOM

EMAIL : [email protected]

TWITTER : @CommCorp

TEL : +44(0)844 870 8971

#EUDP