A new survey of global marketers highlights the need for brand organisations to work faster and harder to get to grips with the challenges of GDPR, even if they are not based in the EU
Share this post
Only 65% of respondents said they expected to be fully compliant before the rules come into force in May 2018 and just 41% said they already had a framework/strategy in place. One in four organisations surveyed said they were still in the initial planning stages.
The knowledge gap was more severe among marketing teams based outside the EU. Fifty-six percent of respondents said their European teams were more aware of the challenge, compared to a global average of 44%. This is important because the rules apply to any company which offers goods or services to consumers in the EU or monitors the behaviour of people located in Europe, regardless of where they are based.
Despite the fact that companies can be fined up to 4% of global turnover (representing a potential fine of $800m-$19.2bn for Global 500 companies) for breaching the new rules, 40% said it was extremely challenging or challenging to raise awareness of data privacy issues internally.
The results are based on responses from 18 companies, spending more than $20bn on global marketing communications each year.
“It is a concern that only nine months away from implementation many marketers are not prepared. The risks of not being ready for GDPR are huge both financially and in terms of consumer reputation” said Jacqui Stephenson, Global Responsible Marketing Officer at Mars, and chair of the WFA’s Digital Governance Exchange. “If you are looking for help getting your marketing organisation up to speed then the WFA’s new Guide to GDPR for Marketers is the best place to start.”
Other key findings include:
- The two biggest challenges for brand owners are “connecting the dots between data stored across different parts of the organisations” which was cited as extremely challenging or challenging by 66% of respondents and “reviewing and understanding compliance levels across third parties,” which was cited as challenging or extremely challenging by 73%.
- The top three priorities for respondents was to review consent mechanisms for collecting and processing data, cited as a high priority by 94%, review and updating privacy policies (63%) and reviewing data inventory to assess compliance (56%).
- One in three organisations are planning to hire a Data Protection Officer, which will become a legal obligation for companies that monitor consumer behaviour on a large scale (or those that process certain categories of sensitive data such as information about health). However, 30% of organisations said they already have someone fulfilling this role.
To address the knowledge gap, the WFA has created a new GDPR Guide for Marketers, which has been compiled in conjunction with global privacy and cybersecurity legal experts Hunton & Williams.
The report highlights the five key areas where marketing teams need to take action:
- Brand owners need to be able to demonstrate that they meet the GDPR’s new and extensive conditions for consent to be valid: consent must be freely given, informed, specific and unambiguous.
- If getting consent isn’t a viable option (e.g. because the company doesn’t have a direct link to the consumer to ask for consent), marketers will need to work with their legal teams to identify other ways to collect and use consumers’ personal data. They also have to highlight such practice in places such as privacy policies.
- Brands need to explore creative ways to provide clear information about how data will be used in a concise and intelligible form, using clear and plain language.
- Children’s data will be a particular area of focus, as marketers will need to collect parental consent. The age at which parental consent will be needed could vary from 13 to 16 by country.
- Marketers looking to use data collected during past marketing campaigns to identify new target audiences will need to work with their legal teams to understand if this is permitted under the new rules.
“Marketers need to engage with experts from across their organisations to ensure they fully understand the impact of these new data protection rules. That means regular conversations with legal, compliance and digital governance teams to ensure that they are meeting the new challenges presented by these rules. This applies not just to companies within the EU but anyone who uses data to reach consumers within the 28 member states,” said Catherine Armitage, Senior Manager, Public Affairs at the WFA.
You can download WFA's GDPR guide here.
Both projects have been led by Catherine Armitage and the WFA’s Digital Governance Exchange, a group of 200 senior in-house experts who meet regularly to discuss common challenges on privacy, data protection and message targeting.
The group will be meeting in New York for the first time in December with a meeting specifically focused on best practice around GDPR to highlight how brands based outside the EU can take effective action.