Viewpoint: GDPR could turn out to be one fine mess, but nobody knows for sure

David Murphy

One topic is front of mind for digital marketers right now – GDPR. We run a lot of events, as a result of which I see a lot of presentations, and GDPR crops up more even than artificial intelligence.

So when I get yet another press release in my inbox announcing the results of research that finds that x per cent of companies feel they are not fully prepared for GDPR, or don’t know what they need to do to comply, it’s fair to say it doesn’t pique my interest too deeply.

But one landed in my inbox today that did. It was from Ensighten, which specialises in data privacy and omni-channel data management, and found that “45 per cent of UK businesses have put money aside to cover possible fines for not being GDPR compliant by 25 May.”

Strictly speaking, that sentence is missing a word, that word being “surveyed”, because at 152 marketers surveyed, the sample size is small to say the least, arguably too small to be representative. Nonetheless, I was struck by that figure of 45 per cent. So they spoke to 152 marketers and just short of half of them said not that they were unsure if they were going to be compliant come 25 May, but that they expected to be found in breach of the rules and to be fined, and had set aside money to cover it.

Maximum fine
Given that the maximum fine that can be imposed for non-compliance is €20m or 4 per cent of the company’s turnover (whichever is the greater), that’s a staggering statistic. I suspect in many instances, it’s not so much a case of companies burying their heads in the sand over GDPR, but more likely, they have done most of what they think they need to do, but don’t want to throw too much more money, including legal fees, at it, until they see how things play out come 25 May.

As one ad industry veteran put it at an event recently: “A lot of companies are expecting someone to be hung out on a meathook over GDPR. They’re watching to see what happens and hoping it’s not going to be them.”

That said, 7 per cent of respondents, or 10 of the people surveyed, admitted to not having implemented any GDPR-related actions yet. Which seems less surprising than just plain daft.

Legitimate interest
I think what the industry has been waiting for on GDPR is guidance from the Information Commissioner’s Office and it’s been a long time coming. The concept of legitimate interest is an important part of GDPR. For B2B marketers in particular, though not exclusively, it provides a potential legal basis for companies to continue to communicate with customers and prospects without having to ask them to positively opt in to receiving those communications. That guidance was finally issued on 23 March, only two months before the deadline for compliance, and many feel it could and should have been issued earlier.

For the record, there are six lawful bases for organisations to process personal data. In the ICO’s own words, these are:

Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

And legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

While many consumer-facing organisations have gone down the consent route – hence all those emails in your inbox asking you to give the company sending them permission to carry on communicating with you – the companies sending them know that they are going to lose people as a result of sending them.

Consumer apathy
In some instances, this may be a positive decision by the consumer who signed up to an e-newsletter years ago and has been receiving it ever since and never got round to unsubscribing. In others, undoubtedly, it will more likely be apathy on the part of the consumer, who sees an email from a company he or she is used to getting emails from and ignoring, so ignores this one, as a result of which, they won’t see any more unless and until they notice the communications have stopped and opt back in.

Nonetheless, as some people argue, this is not necessarily a bad thing, since those consumers who positively opt in will arguably be more loyal and of more value than those who don’t. It’s interesting here to look at the approach taken by the RNLI (Royal National Lifeboat Institution), a UK charity. It decided to anticipate GDPR long before it was due to come into force. In October 2015, it pledged that, from 1 January 2017, it would target by telephone, email or direct mail only those existing or potential donors that had given their explicit consent. At the time, it said it thought that decision would cost it £35.6m between 2016 and 2020.

But in an interview with Third Sector magazine, RNLI’s then-head of funding strategy Tim Willett said its annual summer fundraising appeal in 2016 saw a response rate of 32.8 per cent, more than three times the 10.4 per cent achieved in 2015. The average donation was almost three times higher at £8.39, compared to £2.94 in 2015.

So far, so encouraging. In absolute terms, however, the numbers don’t look quite so good. The initial campaign invited around 900,000 of the 2m people on the charity’s database to positively opt in. More than 223,000 did so during the first wave of the campaign in March 2016. 66,000 of these were invited to donate to the summer appeal. The appeal raised £554,000. In 2015, the appeal raised £910,000 from roughly 310,000 people.

It’s worth noting, of course, that there would have been some cost savings in targeting roughly a fifth of the people targeted in 2015, and Willett told Third Sector: “21 per cent of our supporters brought in 61 per cent of the amount we would normally have raised, so we’re spending significantly less in going to a smaller group of people who are significantly more engaged.”
(Thanks to Decisionmarketing.co.uk for these stats and quotes.)

As of 2018, more than 500,000 people had positively opted in to the RNLI’s communications, possibly as a result of supporters contacting the charity to ask why it no longer communicated with them. Anecdotally, I have heard that many long-time supporters didn’t realise the significance of the email asking them to opt in and subsequently wondered why the comms had dried up.

Doubtless there will be many more such stories once GDPR comes into effect on 25 May. It’s unclear whether the average consumer has much idea about the significance of the date, particularly when the last few weeks have been dominated by Facebook’s data problems.

For businesses, however, it’s a different story. Many will be waiting with bated breath and, as the Ensighten research suggests, actively expecting trouble. Whether or not they get it depends on how tough the ICO decides to be, and at this moment in time, that’s something no-one can second-guess.