Insights into research-based consent optimisation and compliance

September 2018  |  SPOTLIGHT  |  DATA PRIVACY

Financier Worldwide Magazine

September 2018 Issue


Data privacy exploded into the public consciousness in March 2018 via the front and online pages of every newspaper and news broadcaster. The Facebook-Cambridge Analytica data scandal will prove to be a pivotal moment in contemporary social, political and business history. It has also led other privacy activists, consumer groups and data fundamentalists to be emboldened by the implementation of the EU’s General Data Protection Regulation (GDPR). The latter are those people who agree that consumers have lost control of their data but disagree that businesses handle data properly and that the law provides reasonable protection over their data.

On 25 May 2018, Max Schrems, the Austrian lawyer and privacy activist, celebrated the GDPR becoming law in Europe by filing complaints against Facebook, Instagram, WhatsApp and Google to the value of €7.6bn. Mr Schrems could make this complaint because the GDPR is an acknowledgement that the protection and care of an individual’s personal data is sacrosanct. It is a regulation with draconian sanctions if entities fail to honour their obligations under it. Furthermore, lurking in the background, ready to test the provisions of Article 82 of the GDPR, are the claims management companies seeking a fresh claims pipeline once the payment protection insurance (PPI) gravy train runs dry in 2019.

Under the GDPR, personal data rights have been placed back in the hands of the data subject. Personal data is defined as any information relating to an identified or identifiable data subject. This might include a name, telephone number, email or IP address. The GDPR identifies special categories of personal data, such as biometrics and health data, where additional conditions must be met.

The GDPR introduces seven key principles which should lie at the heart of the approach to processing personal data. From “lawfulness, fairness and transparency” to the “accountability” principle, the GDPR requires that you take responsibility for complying with its principles and have the appropriate processes and records in place to demonstrate that you comply.

Consent is one of the six lawful bases for processing personal data, and its conditions are outlined in Article 7 of the regulation. The key component of Article 7 is that consent has to be active and demonstrable. This will have a profound effect on how long, and for what purpose, an organisation can keep personal data (both of which are subject to specific articles in the regulation) and on the importance of a continuing review. There will have to be an audit trail showing that consent is still active.

Compliance with a principle-based regulation, like the GDPR, is challenging. There is no approved certification process so compliance will be an ongoing process, influenced by UK case law and judgements made elsewhere in Europe.

It is also important to note that the regulation applies to the processing of personal data in the context of the activities of an establishment, controller or processor in the EU, regardless of whether the processing takes place in the EU or not. The regulation applies to the processing of personal data of data subjects who are in the EU by controllers or processors not established in the EU, where either processing activities are related to the offering of goods or services to such data subjects in the EU or to the monitoring of their behaviour in as far as their behaviour takes place within the EU. The latter point is highly significant since many corporates monitor the behaviour of EU citizens online and that alone brings them within the scope of GDPR. US gaming companies reacted to this by denying access to EU data subjects. Other US corporates are inundating their supply chain with data processing contracts, mandating compliance with GDPR.

One of the key factors to consider when collecting consumer data is whether or not you have a desire to market additional products and services in the future. In many instances, this is going to be the case, so collection forms need to be designed with consent in mind.

To improve the chances of gaining the highest levels of consent from consumers, data collection forms need to be carefully designed with particular attention paid to the language and positioning of your consent requests. Small changes in the wording of your consent statements can have a positive impact, especially if you understand your key demographics and how they prefer to be spoken to.

The quality of consent can vary, as can the different ways consent can be gained. Good consent requires the consumer to be provided with a clear and understandable statement that openly highlights an organisation’s wishes to use the data for marketing purposes. Bad consent is often collected when statements are confusing and the consumer struggles to understand their options or how to choose between them, and accidentally consents when they meant to opt out; this is likely to result in unhappy customers and an increase in opt-outs. Missed consent can also occur: this is when the statement is not positioned properly and is so unclear that a supporter accidentally opts out, and an organisation loses opportunities to expand its database with people who are willing to engage with its marketing.

Consideration should also be given to who the company’s audience is and how they respond to particular communication channels. For example, we have found large variations in the likelihood of different age groups responding to marketing emails. If companies are collecting data online, it is easier to break down consent to make the experience more interactive; whereas consent collected on paper is more difficult to manage and needs to be easier to digest.

When considering GDPR strategy, it is important to think about a company’s customer base and target audience. Think about how customers interact with the business, then build consent statements around their expectations. Our research found that generally a younger demographic may be more responsive to a light-hearted and friendly statement, whereas an older, more mature demographic often responds better to factual information and looks for comfort that an organisation is going to respect their data.

When combined together and used effectively, optimising consent statements can increase customer trust, improve engagement and ultimately increase revenues by engendering better relationships. If customers understand the value of a company’s products or services and see that it respects their data, then the benefits are clear to see. On the flip side, by giving customers a clear option, those who do not want to consent to further marketing can make their wishes known and companies can avoid spending their advertising budget on people who do not want to engage with them.

The GDPR has changed the way organisations operate, but it is the changes to consent that have the most immediate impact on marketing. We estimate that on average, organisations are likely to have a 25 to 50 percent success rate when asking for consent, meaning they could lose the right to contact up to 75 percent of their supporter database. The most forward-thinking organisations have already looked into ways to improve their consent process. Consent statement optimisation can be applied in several ways, from asking their current database to re-consent to receive marketing, to postal campaigns sent to contacts they have the details for but do not have the right to contact via email marketing. A strong consent statement can then be used for the future so that charities can begin to build up their databases with engaged supporters who have clearly indicated what communications they will accept, which helps get all new relationships off to a good start.

A carefully considered, clear and tested consent statement can be considered proof of an organisation’s push for GDPR compliance. However, many organisations are also using research to back up their decisions regarding legitimate interest. By considering what different segments in their audience feel about their communication, and what communications they might expect, an organisation can limit the risk of complaints and provide evidence of their decision making.

 

David Cole is the managing director at fastmap, Dean Armstrong QC is chairman at Elias Partnership and Richard Merrygold is director of group data protection at HomeServe. Mr Cole can be contacted on +44 (0)20 7242 0702 or by email: david.cole@fastmap.com. Mr Armstrong can be contacted on +44 (0)20 3488 3126 or by email: richard.dutton@eliaspartnership.com. Mr Merrygold can be contacted on +44 (0)1922 651 545 or by email: richard.merrygold@homeserve.com.

© Financier Worldwide

