As the countdown to the implementation of General Data Protection Regulation (GDPR) in European Union comes closer, a new survey of global marketers highlights the need for brand organisations to work faster and harder to get to grips with the challenges of GDPR, even if they are not based in the EU.
The World Federation of Advertisers survey found that 70 per cent of brand owners said that they felt marketers in their organisations were not fully aware of the implications of the General Data Protection Regulation (GDPR).
Only 65 per cent of respondents said they expected to be fully compliant before the rules come into force in May 2018 and just 41 per cent said they already had a framework/strategy in place. One in four organisations surveyed said they were still in the initial planning stages.
The knowledge gap was more severe among marketing teams based outside the EU. Fifty-six percent of respondents said their European teams were more aware of the challenge, compared to a global average of 44 per cent. This is important because the rules apply to any company which offers goods or services to consumers in the EU or monitors the behaviour of people located in Europe, regardless of where they are based.
Despite the fact that companies can be fined up to four per cent of global turnover (representing a potential fine of $800m-$19.2bn for Global 500 companies) for breaching the new rules, 40 per cent said it was extremely challenging or challenging to raise awareness of data privacy issues internally.
The report highlighted that the two biggest challenges for brand owners are “connecting the dots between data stored across different parts of the organisations” which was cited as extremely challenging or challenging by 66 per cent of respondents and “reviewing and understanding compliance levels across third parties,” which was cited as challenging or extremely challenging by 73 per cent.
The results are based on responses from 18 companies, spending more than $20bn on global marketing communications each year.
“It is a concern that only nine months away from implementation many marketers are not prepared. The risks of not being ready for GDPR are huge both financially and in terms of consumer reputation. If you are looking for help getting your marketing organisation up to speed then the WFA’s new Guide to GDPR for Marketers is the best place to start,” said Jacqui Stephenson, Global Responsible Marketing Officer at Mars, and chair of the WFA’s Digital Governance Exchange.
The top three priorities for respondents was to review consent mechanisms for collecting and processing data, cited as a high priority by 94 per cent, review and updating privacy policies (63 per cent) and reviewing data inventory to assess compliance (56 per cent).
Another finding of the report was that one in three organisations are planning to hire a Data Protection Officer, which will become a legal obligation for companies that monitor consumer behaviour on a large scale (or those that process certain categories of sensitive data such as information about health). However, 30 per cent of organisations said they already have someone fulfilling this role.
WFA highlighted five key areas where marketing teams need to take action for GDPR:
• Brand owners need to be able to demonstrate that they meet the GDPR’s new and extensive conditions for consent to be valid: consent must be freely given, informed, specific and unambiguous.
• If getting consent isn’t a viable option (e.g. because the company doesn’t have a direct link to the consumer to ask for consent), marketers will need to work with their legal teams to identify other ways to collect and use consumers’ personal data. They also have to highlight such practice in places such as privacy policies.
• Brands need to explore creative ways to provide clear information about how data will be used in a concise and intelligible form, using clear and plain language.
• Children’s data will be a particular area of focus, as marketers will need to collect parental consent. The age at which parental consent will be needed could vary from 13 to 16 by country.
• Marketers looking to use data collected during past marketing campaigns to identify new target audiences will need to work with their legal teams to understand if this is permitted under the new rules.
“Marketers need to engage with experts from across their organisations to ensure they fully understand the impact of these new data protection rules. That means regular conversations with legal, compliance and digital governance teams to ensure that they are meeting the new challenges presented by these rules. This applies not just to companies within the EU but anyone who uses data to reach consumers within the 28 member states,” said Catherine Armitage, Senior Manager, Public Affairs at the WFA.