Ever since the GDPR was introduced, businesses from every industry have had to rethink and reshape their sales and marketing strategies to ensure they are acting ethically and legally. In many ways, customers are now more invested in their privacy rights than ever before, as well as more wary of business behaviour. As a result, the task of driving innovation while complying with regulation grows ever more difficult for those working in the direct marketing and AdTech industries.
In fact, a recent announcement from the Information Commissioner’s Office (ICO) threatens to put a complete stop to direct marketing in its current form. In its new Draft Code for Direct Marketing, the ICO appears to suggest that Legitimate Interests may no longer be available as a lawful basis for processing personal data for direct marketing purposes.
This suggestion by the ICO could have far-reaching ramifications.In fact, many industry professionals are concerned that the radical regulatory measures proposed will have a dramatically negative impact on innovation, and overall customer experience as a result.
In a recent webinar, over 700 senior data innovation and privacy professionals from around the world gathered to discuss these concerns, highlighting four main takeaways:
Contract, consent and anonymisation are no longer able to be relied upon for the processing of personal data under the GDPR. This makes it more difficult for personal data to be processed with complex algorithms, such as those used in the AdTech space for personalised marketing.
In place of contract, consent and anonymisation, companies must be able to consider Legitimate Interests as a lawful basis for processing. This requires new technical controls and measures that protect data when in use.
This is an SOS: These direct marketing approaches are being scrutinised and challenged, which means that innovative data uses are at risk.
Immediate action is required.
The challenge for regulators is that advancements in the technology used for processing data for direct marketing purposes has been moving at an unprecedented speed. In many cases, these technologies have outpaced the measures that enable e-commerce to be carried out in a privacy-respectful and lawful manner.
This, combined with incidents such as the Cambridge Analytica and Facebook data scandals, has seen regulators inevitably become more prone to erring on the side of caution and implementing stricter regulations. Indeed, regulators are frequently sceptical about the availability, or even the existence, of the appropriate technical controls that would be required for processing data legally under Legitimate Interests grounds.
However, you only need to look at the GDPR itself to see that there is in fact a solution available to help the direct marketing and AdTech industries continue innovating. What’s more is that it does so while also achieving GDPR compliance by protecting consumers’ privacy. The solution is Pseudonymisation, newly defined at the EU level, with a heightened standard relative to past practice. It is repeatedly mentioned as not only a recommended safeguard for protecting data, but is also explicitly linked to express statutory benefits that can enable greater data use.
GDPR-compliant Pseudonymisation embeds privacy policies in data in a use-case-specific, privacy-enhanced way, to satisfy the statutory and contractual requirements that can support privacy-respectful and lawful direct marketing.
Indeed, the use of Pseudonymisation could potentially change the very nature of the relationship between the ICO and the direct marketing and AdTech industries. We believe that the ICO’s new proposed Draft Code for Direct Marketing is really about requiring organisations to prove the existence of technical and organisational safeguards for data subject privacy: safeguards that can ensure demonstrable accountability for companies as well.
Now is the time for the direct marketing and AdTech industries to act: technical and organisational safeguards, such as Pseudonymisation, need to be implemented and used now, to ensure that the industry can demonstrate accountability to regulators. With this kind of approach in place, privacy-respectful and lawful direct marketing could continue to flourish, while supporting and protecting individual privacy rights alongside.
By Gary LaFever, CEO & General Council, Anonos