GDPR - anyone working in this area?
Discussion
Council Baby said:
Interesting comments, I work in data and acquisition for marketing mostly and am pretty involved in this with some major clients at the moment. I'm focused on changing all of their new acquisition to compliant consent which is relatively simple.
I've read almost all of the GDPR and the associated ICO advice and it seems particularly vague in areas, especially around legitimate interest.
How would one go about defining legitimate interest? So many possible variations depending on the industry.
For example, if company A makes a living by selling consumer data to specific other businesses who provide consumer services that are targeted at that audience. Could company A possibly argue that it's a legitimate interest? After all their business fails and people lose jobs without them doing that, but it flies in the face of the explicit consent rules.
My take on it is that they can't and they need to find any other way to operate, but I know of several companies who are intending to do exactly this. They'll just name a huge list of people they may sell data to in privacy policies hidden away and wrap consent for 3rd parties up in one unticked opt in with an incentive to get it ticked.
What say the experts here please?
There's a huge difference in B2B and B2C although GDPR makes no distinction. The draft e-Privacy Regulation defines B2B marketing more clearly. There are far more grounds for processing data or marketing under "legitimate interest" within a B2B context.
Edited by Council Baby on Thursday 22 June 02:20
Outside of having provable, freely given, explicit and unambiguous GDPR compliant consent, legitimate interest would be typically used to contact previous or lapsed customers as an example.
The subject of third party data sharing is a different one altogether. For B2C data - this is completely finished as from May 2018.
Real tough one. The DMA lobbied hard to get B2B email as opt out as their argument was that it would destroy a lot of businesses. The revised e-privacy draft states opt out but who knows. This could easily change and fall into line with GDPR that makes no differentiation between B2B or B2C.
Certainly nearly all of the EU member states currently have a strict opt in policy for B2B email - Germany, Italy etc etc.
Practically all of the B2C list brokers have vanished and should B2B email become strictly opt in then you'll see the B2B email marketing market disappear as well IMO. All of the B2B data owners sit awaiting updated guidance from the ICO with bated breath.
Candellara said:
Real tough one. The DMA lobbied hard to get B2B email as opt out as their argument was that it would destroy a lot of businesses. The revised e-privacy draft states opt out but who knows. This could easily change and fall into line with GDPR that makes no differentiation between B2B or B2C.
Certainly nearly all of the EU member states currently have a strict opt in policy for B2B email - Germany, Italy etc etc.
Practically all of the B2C list brokers have vanished and should B2B email become strictly opt in then you'll see the B2B email marketing market disappear as well IMO. All of the B2B data owners sit awaiting updated guidance from the ICO with bated breath.
It's quite unbelievable, all of this it seems to me. EU law is going to wipe out most of the data management businesses in the UK and some of these are huge businesses. I know that in Germany, for example, legally such businesses cannot exist but this seems like our data industry is going to be decimated by what other European countries want.
Still ploughing through this but the main reason for it seems to simply be data security, companies being required to demonstrate their data can't be stolen.
The opt in/out part seems less of an issue but I may be missing something.
EDIT: Yes I am, so all companies with databases either have to prove their contacts opted in proactively (for example ticked a tick box, etc rather than not specifically opting out) or need to get them to opt in by sending a specific communication. This will be a huge challenge for many companies who cannot prove this and could decimate their databases potentially. However it could also clean up all their database to leave them only with the people who do want to engage with them.
So, in summary:
1. Companies need secure 'data holding' (CRM/Databases)
2. Companies need to prove their contacts have proactively opted in to receive communication from them and if not they need to get them to
EDIT 2: More rambling thought process from me hehe
So, assuming a company has not used opt ins properly and has a database of X,000 people who have contacted it in the past, it then has to contact them all to say 'Is it ok to contact you?' essentially. I'd expect a tiny number of people to respond positively in general. So a database of X,000 could easily fall into the hundreds.
Now the positive side of this is that it removes 'prospects' who aren't really prospects. The negative side is that a company needs to build a whole new database. So whilst it's lost a lot of contacts it hasn't really because those that it lost were not prospects anyway.
Edited by Frimley111R on Friday 4th August 11:42
anonymous said:
[redacted]
It usually ends up like that. It is often started with good intentions but the usual outcome is - massive hassle and cost for conscientious businesses
increased government interference in business
And, of course, those businesses and individuals who have always paid scant reference to legislation don't suddenly gain a conscience just because the government has created ADDITIONAL legislation.
A crook who breaks one law in a specific area as a matter of course is not going to suddenly become a goody two shoes just because the government has invented 25 new laws covering that same area.
jonamv8 said:
So how exactly are they enforcing this?! Are they going to visit premises and audit CRMs etc?
Clearly not. I suspect they will just come down hard on anyone reporting a business for 'spamming' them. It'll be 'policing by fear'. All it takes is for one customer to report a business...
I'm sure it will be a "self policing" system with businesses having to make annual returns and annual statements declaring that they are being compliant (as they do already). The main problem is the extra documentation they must retain JUST IN CASE they are ever checked up on by the Information Commissioners.
My hunch is that the ICO will mainly administer these rules by descending on a business if a business suffers a very public or embarrassing data disaster (think Equifax).
Most smaller businesses will largely be left alone.
anonymous said:
[redacted]
Of course it's not patently false. Government regulation is important and I am not against it. What I am COMPLETELY against is OVER regulation and unnecessary regulation and, to a large extent, regulation introduced purely to satisfy a political requirement in that it makes the government seem like they are doing something.
What is the use of tons of regulations that are unenforceable or are not monitored properly and the bad guys simply ignore it (as they always do).
What benefit did all those extensive fire regulations give to the residents of Grenfell Tower?
Grenfell is the exception though, rather than the rule. How many people haven't died in fires because of those same regulations that have protected millions of other homes?
I think there is likely to be some interesting outcomes with GDPR, mostly around the clash of legislation. It's certainly interesting in my industry we have competing factors such as recording for compliance in financial transactions vs right to be forgotten and vulnerable customer legislation. We are actually having to build tools to delete calls which have not existed before.
There has been a definite uplift in customers wanting higher security levels and encryption of data.
New government legislation always creates a new little ecosystem around it. People trying to scare you, trying to help you comply, help you get around it, or just plain scam you. It's always a feeding frenzy. There's always a long list of people leveraging some aspect of it to get you to part with money. Completely aside from all the fines of course.
buggalugs said:
New government legislation always creates a new little ecosystem around it. People trying to scare you, trying to help you comply, help you get around it, or just plain scam you. It's always a feeding frenzy. There's always a long list of people leveraging some aspect of it to get you to part with money. Completely aside from all the fines of course.
You'd better believe it. Hyenas around a rotting corpse.
Many companies don't register with the ICO because processing and holding data for the purposes of payroll is exempt as is holding data for the marketing of their own goods and services and data held for accounting purposes. It's unclear to me whether under the new regime that these exemptions will no longer apply?