Want to start reading immediately? Get a FREE ebook with your print copy when you select the "bundle" option. T&Cs apply.
The Wonderful Crossroads of Marketing and Data Protection
At a recent marketing and advertisement industry conference, I asked the audience a question “Who likes data protection?”. No one, except a data protection lawyer who was due to speak after me, raised their hand. Eventually, even the lawyer slowly put down his hand as the auditorium started to fill with a muffled sound of bewildered chatter. Why? The CMOs and directors of marketing know that soliciting data protection lawyers, privacy officers and Data Protection Officers (DPOs) for their opinion, be it for a certain marketing campaign, data purchase or system design, is an experience to be dreaded.
The privacy department of an organization is often seen by marketers as a department set up with the sole purpose of ruining plans for brilliant campaigns and blocking data licensing deals that would have doubled their marketing efficiency. However, this is not how it has to be! On numerous occasions, I suggest marketers approach data protection and the privacy department in a different light.
DPO as an advisor, not the decision maker
To begin with, your privacy department does not make business decisions. Rather, DPOs and privacy lawyers are there to make recommendations so that the company can make a well-informed and conscious decision on how to use personal data responsibly. They are there to advise the management, not to be in charge of making the decision. Additionally, DPOs can only make recommendations from a narrow perspective of data protection. Let me explain. For instance, they can recommend a processing solution which provides near water-tight protection of personal data. Say, it turns out that this proposed solution costs ten times as much and also slows down the company’s marketing operation dramatically. The management, seeing both sides of the coin, is therefore in a better situation to weigh up the pros and cons and decide to follow either the DPO’s recommendation, taking its marketing activities through a calculated peril, or to take a less water-tight solution and maintain the operational efficiency of its marketing engine.
Furthermore, engaging your DPO or privacy lawyer in project or campaign planning and holding brainstorming sessions with them might bring the organization a solution that can both better protect personal data and enable effective marketing. A privacy department with a good understanding can provide better advice to marketing, as they will be able to think with the marketers.
Understanding how GDPR works
What is important is the dialogue that takes place between marketers and the privacy department because our data protection law itself is neither prohibitive nor prescriptive. The General Data Protection Regulation (GDPR) is a flexible, business-friendly, technologically neutral law. The UK DPDI Bill, expected to be adopted as an act in the near future, maintains and, in certain aspects, even enhances these characteristics.
GDPR accepts that the right to data protection is not absolute. Recital 4 of GDPR says that the processing of personal data shall serve mankind. The right to data protection must be balanced against other rights and freedoms, including the freedom to conduct business. That means many decisions would require thorough consideration of the nuances as well as the context of the marketing data use, rather than simply categorizing certain processing as being either black or white.
The law also requires companies, hence also the CMOs and marketing managers, to be accountable and take more responsibility for their use of personal data. GDPR expects due consideration to be given to data protection implications to the customers and prospects by audience selection, performance measurement and insight generation and have the privacy consideration process documented. The documentation, while it can arguably be seen as an administrative burden, will nevertheless help marketers remember the reasons behind a particular decision at a later date. This is important for example if regulators request evidence that proves you have considered data protection implications of your data use. Your marketers will be grateful to have documented this exercise.
When using personal data, one needs to have a so-called ‘legal ground’. This is like completing a sentence that goes ‘I am allowed to use this personal data because my company has a [blank]’, by choosing one of the six options, listed in Article 6.1 of GDPR, namely; ‘Consent’, ‘Contract’, ‘Legal Obligation’, ‘Vital Interest’, ‘Public Task’ and ‘Legitimate Interest’. If none of the six options is applicable, then what you are doing with the data is illegal. In the marketing context, I observe an over-reliance on ‘Consent,’ better known as opt-in. Surely there are situations where marketers need an opt-in, such as when emailing advertorial content to a consumer. However, there seems to be a general perception that ‘Consent’ provides better protection for personal data. This is very interesting because GDPR does not prefer one legal ground over another; there is no hierarchy among the legal grounds. This means ‘Consent’ is as good as ‘Legitimate Interest’. What’s more, because consent must be specific, marketers might risk losing the flexibility of how the data can be used. Due to the rapidly spreading use of marketing AI tools as a backdrop, focusing on data collection with ‘Consent’ may seriously limit marketers’ ability to use the valuable data asset for future technology.
Lastly, GDPR applies a risk-based approach. When a particular audience analysis is considered critical, marketers can always find ways to make their data use less risky. Pseudonymizing the data, instead of using clear-text identifiers such as names and addresses, is one way of decreasing the risk to the rights to data protection of your customers. If feasible, marketers can go a step further and anonymize the data, so that identifying the person behind the data is no longer possible. Aggregation is a technique agreed upon by many data protection regulators around the globe as a valid way to anonymize personal data. If marketing data scientists can gain the necessary insight from data that are, for example, aggregated on a group of 10 persons, this is great news. By aggregating, the identity of the persons disappears irrecoverably, meaning there will no longer be any risk of data protection that can be associated with your customers or consumers. When data is anonymous, GDPR does not apply and marketing data scientists are free to dice and slice the data as they wish.
Aggregated data can be generated internally but it can also be sourced externally. Useful aggregated anonymous data, often used by marketers, are off-the-shelf consumer lifestyle data files on micro aggregation levels. This type of data finds its roots in the field of cartography. Cartographic data has been used for many decades for strategic location planning, informing local authorities where best to grant permission to open a GP’s practice or for parcel services companies to decide the best delivery routes for the drivers. Anonymous off-the-shelf consumer data can provide useful insights such as the unique characteristics of your customers compared to an average person, or identify neighbourhoods with a high propensity of interest in your service.
Working together for a win-win outcome
For marketers to overcome the fear of data protection, the best way is to open up and get into a dialogue with your organization’s privacy person. Maybe there are many more ways to be smart at communicating relevant messages to your customers while ensuring compliant data use. DPOs and privacy lawyers may actually be marketers’ best friends!