08 December 2017
GDPR - silver linings in the new regulatory playbook
James Walker and Luke Lishman
There's a hypnotic drumbeat. The rhythm is constant, and the percussion becomes louder and louder. There's a chant... "G- D- P- R, GDPR, GDPR, GDPR..." Not some long-forgotten people's republic or a 70s Olympic ski team but the General Data Protection Regulation: a set of onerous data protection requirements from the EU. Boo!
If you touch personal data from anyone in the EU, you’ll have to be ready by May 2018, with the internal processes and customer-facing policies all compliant with the new regulations.
But hang on! Don’t see it as a burden or a waste of investment; see it as an opportunity to transform how you use data across your business, how you store it, how you manage it, how you understand it, and most importantly… how you use it! Let’s grab the monster by the tail, and use it to your advantage.
In our research we’ve heard a lot about the challenges of making analytics successful in companies. Rather than being viewed as burdensome, new regulations like GDPR can also be seen as opportunities to take advantage of. Big, mandatory programmes can get the attention and resources that data and analytics teams require to achieve critical mass and traction.
Right to be forgotten
One of the upsides of GDPR from an analytics perspective is the opportunity to embed reliance on clean customer data into your value chain. What creates potential issues is what happens when the customer wants that data back. Companies are required to delete all of a user’s information if they request it, the so-called ‘right to be forgotten’. While this seems simple enough, companies that have monetized their data (or where data is part of their business model) could find this ‘right to be forgotten’ to be a lot more complex. Not only would you have to delete the information you hold on the user at all levels of your value chain, but you would also have to remove that information from data you have sold on to other parties.
This is an especially large problem for ad-tech businesses, companies that very rarely create their own data but depend on buying data from other companies to support their business. Be it ad targeting, tracking, automated content creation, data consolidation or inventory management, almost all walks of ad and marketing tech are powered by data, and in most cases third-party data.
This then creates a problem for the firms providing the data, as GDPR states that you must inform your users what you will do with their data, whether you intend to sell it, and to whom. Just ticking the T&Cs box isn’t enough: it must be clear to the user, who must give their explicit consent.
With the USA being the current global powerhouse of ad-tech, and the regulations being crafted in Europe, most of these ad-tech businesses are not ready for GDPR. GDPR is not all bad for a lot of companies: it’s changing the way they use data, forcing them to adopt new data management processes, and allowing them to understand and utilise their data in new ways. For customers, it’s providing greater accountability and transparency around what data companies hold and how they use it.
There are different questions that companies will need to ask as GDPR looms. Say you're a price comparison website:
• Have you taken legal advice on GDPR joint liability with provider partners (and potentially your whole value chain)?
• How much extra cost is allowed to prepare for or serve a dramatic increase in SAR access requests from GDPR? It is anticipated that some companies may experience a 1000% increase in these types of requests as a result of the regulations.
• How much extra cost is allowed to prepare for and serve the right to be forgotten (including mapping of all data held and protocols for deletion), and how are costs split with or charged by partner providers?
• What costs are being considered (potentially shared with providers) for manual decisions (human intervention in decision-making), which GDPR provides as a right, versus automated decisions? (For example, deciding loans only on the basis of credit scores could be subject to an appeal for a human decision.)
• Are marketing activities such as affiliate marketing (restricted by affiliates’ consents), re-targeting and e-CRM likely to be restricted, so that you may see a reduction in the number of clicks, leads, and conversions?
• Will there be reduced leads because of a more off-putting consent gate?
• How much extra cost should you allow for preparation and service of enhanced data protection and security protocols (given the size of breach penalties)?
• Do you have policies in place for data breaches and what are the increased insurance costs you anticipate?
• Is the business model jeopardized by constraints to ancillary revenue, e.g. a PCW can’t sell leads/cookies to car companies if the subject was seeking car insurance?
But on the good side - a few positives might be:
• High level sponsorship for data and analytics initiatives. We see this as critical to success and GDPR can provide the motivation for this. The potential giant fines are focusing minds.
• GDPR can help the CEO embarking on the analytics journey to get the commitment of the organisation, and the scale of resources and investment to make it happen. GDPR can be the Trojan horse you have been looking for. Critical mass and commitment are important; otherwise you see numerous sub-scale activities almost getting traction in the business but ultimately fizzling out.
• GDPR can help create traction to connect data and analytics activities in an organisation. Failure happens when analytics effort is comprised of disjointed ad hoc activities. By enforcing more discipline about what data is held about customers, GDPR can create a broader picture and more ambitious plan for analytics. Not sporadic individual bits of work. Again, unambitious individual efforts will fail to get traction in the business.
• Opportunity to embed data and analytics in business as usual, holistic in terms of integration with other business initiatives. Technology tools can then embed analytics into the normal business-as-usual process of the firm.
• Greater motivation to assure data quality:
Analytics must be built on a verified foundation of data you can trust:
A single version of the data is an essential building block for analytics capability. Although you might think it would be better to start with use cases in the business that get traction and demonstrate value creation for analytics, what we actually see is that it is vital to first build a rock solid foundation of assured data. GDPR will help make this happen, by being a force for the assurance of data quality.
Some tips for embedding real analytics capability as part of your GDPR project:
• Collect the right data, not everything! Collect the right data for the decisions you are going to suggest with analytics, but do not boil the ocean. Data lake solutions that collect everything can lead to problems such as multiple measures, and a GDPR headache of collecting data you don’t need.
James Walker is a Partner and Global Head of Analytics at OC&C Strategy Consultants
Luke Lishman is a Consultant at OC&C Strategy Consultants