Marketing used to be a relatively straightforward profession. Not easy, nor simple, yet there was some clarity as to the boundaries of the role. This applied particularly to communications. Before the rise of online and digital, our communication channels were relatively few. In recent decades, and especially in the past five to ten years, there has been a rapid expansion in the options available to marketing professionals, especially in the area of data privacy.
The introduction of the EU’s General Data Protection Regulation (GDPR) on 25th May 2018 was in many ways a response to this technological expansion. European lawmakers sought to provide a set of principles that would protect citizens’ data. The GDPR has since set the tone for other regions in the world to consider their own approach to regulation of data.
As some of the heaviest users of personal data within our firms, it is incumbent on us marketers to ensure we have a solid understanding of data protection best practice. In particular, we need to get the basics right. In this short article, I will identify some of the key areas marketing leaders and their teams should be mindful of right now.
Pro tip: listen to Steven Roberts cover Data Protection 101 on the DMI podcast.
“Transparency is a key principle underpinning the GDPR. Marketers using AI tools that process personal data must be able to explain in clear and simple terms how this data is being used. ” Steven Roberts
The GDPR has sparked a host of similar legislation around the globe, with new laws in countries such as China, Singapore, and South Africa.
The California Consumer Privacy Act (CCPA) is the best known of a range of local and state laws in the USA. This has contributed to a more complex international data privacy ecosystem.
In the UK, the British government is considering a revision of UK GDPR with a new data bill currently in development (as of September 2023). Businesses trading with the UK will need to monitor this development closely, particularly if it affects the adequacy decision between the EU and UK*.
In Europe, a host of adjacent EU legislation is in the process of being introduced. This includes:
Discussions are also ongoing to overhaul the current ePrivacy Directive, which is widely viewed as no longer fit for purpose. All of this legislation has the potential to impact the data processing activities of marketers operating within the European Union. Read more about the Digital Markets Act and the Digital Services Act at Usercentrics.
According to Chiefmartech.com, there are more than 11,000 marketing technology platforms; a figure that grows by the year. Many of these technologies use personal data to more effectively reach and target various consumer audiences.
Marketers contemplating a new platform, or indeed any new strategies involving the use of personal data, should ensure data privacy is considered at the outset. The GDPR’s principle of data protection by design and default is key here. One of the best ways to comply with this principle is by undertaking what is known as a Data Protection Impact Assessment (DPIA).
This involves a two-step process. First, a pre-DPIA is undertaken, whereby a series of high-level questions are asked to assess if the project has the potential to pose significant privacy risks. If such risks are identified, then a full DPIA must be completed. At this point detailed analysis of the project takes place, including consultation with key stakeholders. Such an approach allows for a recalibration of a project if the privacy risks are too high, or the adoption of mitigating actions to reduce the risk level.
Examples for marketers might include the introduction of a new first-party data strategy or the introduction of a CRM platform. It is generally considered best practice that any new marketing tools that may utilise personal data should be subjected to a DPIA.
Artificial Intelligence (AI) platforms are becoming increasingly popular with marketers, powering activities such as automated website chatbots. The introduction of ChatGPT and other large language models (LLMs) provides significant potential for marketers to increase their productivity. For example, generating blogs and articles as part of a content marketing strategy.
Marketers considering such technology must be aware of the data protection risks. Transparency is a key principle underpinning the GDPR. Marketers using AI tools that process personal data must be able to explain in clear and simple terms how this data is being used. This is a considerable challenge as it is not often easy to identify exactly how data is being processed by AI technology.
In addition, Article 22 of GDPR gives individuals the right to object to automated decisions that may have a legal effect. For example, ‘automatic refusal of an online credit application or e-recruiting practices without any human intervention. In these instances, they have the right to obtain human intervention as part of the decision-making process.
Highlighting the potential data protection concerns arising from the use of AI, Google was required to delay the introduction of a new AI chatbot, Bard, following an intervention on the part of Ireland’s Data Protection Commission (DPC). The Commission stated that the tech giant needed to provide further information as to how EU citizens’ privacy rights would be protected. Google subsequently launched Bard in the EU, following what the DPC described as ‘a number of changes, in particular increased transparency and changes to controls for users.
“Data compliance is an ongoing journey. The initial priority is to get the basics right. ” Steven Roberts
As marketers, we are the voice of the consumer, responsible for protecting the brand and reputation of our firms. Consumers have greater awareness of their data protection rights. Much of this is being driven by publicity that has surrounded large fines.
According to law firm DLA Piper, EU supervisory authorities issued €1.6 billion in fines in the 12 months from 28th January 2022. This trend continued in 2023, most notably with the Irish DPC’s issuing of a €1.2 billion fine against Meta for transferring EU users’ personal data to the USA without having adequate data protection mechanisms in place.
In April 2023, the UK Information Commissioner’s Office (ICO) issued a £12.7 million fine to TikTok for breaches relating to the misuse of children’s data. The EU followed suit, and upped the ante, through the September 2023 fine of £296 million by the DPC against TikTok for failing to shield underage users and breaking GDPR rules.
Meanwhile in the US, data privacy has seen more political stances, with attempts to ban TikTok at a state level, such as in Montana, and a noticeably tougher new leadership at the FTC suing Amazon for enrolling customers to Prime without consent, while the Department of Justice launched a landmark antitrust trail against Google in September 2023. In Ireland, staff at government and state agencies are required to remove the TikTok app from official devices; whilst restrictions have also been introduced in jurisdictions such as the UK and The Netherlands.
It's worth noting that whilst AdTech and behavioral advertising were enforcement priorities for the DPC and other supervisory authorities, penalties have been levied against businesses across many sectors of the economy; albeit not at the eye-watering levels we have seen with technology firms.
International data transfers have caused significant headaches for firms seeking to transfer personal data out of the European Union. It is an aspect of data privacy that has witnessed substantial change in recent years. In July 2020, the European Court of Justice ruled the existing Privacy Shield arrangement for data transfers between the EU and US to be invalid. Since that decision, known as Schrems II, both jurisdictions have been seeking an alternative mechanism that is GDPR compliant.
A new Data Privacy Framework was approved by the European Union in early July. While welcome, it remains to be seen whether this will be subject to similar challenges from privacy advocates as was the case with its two predecessors. In the interim, companies have had to find alternative approaches, such as the use of Standard Contractual Clauses (known as SCCs)***.
For firms trading with the UK, the British Government has indicated its intention to streamline certain aspects of UK GDPR with the ambition to make current rules less burdensome for businesses ****.
Many marketers are struggling to keep pace with this rate of change, particularly those in SMEs who may not have access to the same resources as teams in large multinational firms.
It is worth reminding ourselves that data compliance is an ongoing journey. The initial priority is to get the basics right. With that in mind, a number of aspects are crucial as part of any effective data privacy culture within a company:
Training must be regular and ongoing, both for new and existing staff. It is particularly important given the levels of churn we are witnessing in many marketing roles at present, alongside the pace of development in the area of compliance generally. Some experts estimate that 90% of all data breaches are the result of human error. Training is essential to offset this risk.
Many of the breaches we have seen over the past five years could have been reduced or removed if companies had considered the following questions;
All businesses take their lead from those in senior management. The board and executive team must be seen to openly support and advocate, through words and actions, for a strong data privacy culture throughout the organization.
Accountability is one of the overarching principles of the GDPR. Article 30 of the Regulation requires accurate record keeping as part of an effective privacy culture. Companies also accrue significant productivity and efficiency benefits from having clear processes in place, in advance, for aspects such as subject access requests and data breach reporting.
Marketers need to be mindful of the additional compliance requirements when it comes to the data of minors, and also a range of special category data identified under GDPR.
Data protection has evolved rapidly in recent years. The introduction of the GDPR in 2018 has generated increased consumer awareness and higher penalties for non-compliant businesses. It has also been the catalyst for a wave of similar legislation internationally in countries such as China, Singapore, and South Africa. This pace of change, and the increased complexity that comes with it, means it is crucial for marketers and their businesses to establish an effective data protection culture.
New, data-intensive technologies such as AI only strengthen this requirement. By focusing on getting the basics right, with regular training on the core aspects of the Regulation, clear processes and record keeping, and support from the top of the organization, marketers and their teams are well placed to ensure they remain compliant.
* The EU’s adequacy decision, agreed in 2021, essentially states that the UK operates a similar data protection environment to that of the EU. The decision is to be reviewed after four years and could be jeopardised if the UK is deemed to have deviated from the level of data protection currently in place.
** Recital 71, GDPR
*** When incorporated into a contract, SCCs can provide compliance with GDPR data transfer obligations.
**** The Data Protection and Digital Information (No. 2) Bill.