Brands gird for bureaucratic headaches from EU data protection laws

Despite Brexit, which was announced one month after GDPR, the U.K. is no exception. But as brands prepare for the long, bumpy road to complying with GDPR — which will take over a year for many bigger companies — we caught up with those at the DMA’s Data Protection Update to ask what their biggest challenges will be. Their answers, edited for clarity:

Zoe Rowland, senior data compliance manager at Cancer Research
The big challenge is around governance and writing down what we do. My background is public sector, which is relatively bureaucratic, but in the charity sector, there isn’t any real oversight of getting people to think before they do things and writing down what they are doing.

The challenge is the organizational change which isn’t that apparent to the consumer: How do we communicate what is often really boring for people in the organization? How do we communicate what it is that we’re doing in a way that feels like it’s a benefit to people?

Fedelma Good, director of information policy and business controls at Barclays
In preparing for GDPR, brands should not forget that at the heart of the regulation is the intent to provide individuals with greater transparency, understanding and choice about their personal data. And that isn’t limited to customers or even prospective customers. It embraces everyone whose personal data you hold: shareholders, suppliers, partners, pensioners and, of course, your employees. If your employees understand in the first instance why getting this right is crucial for them, for your customers and for your business, then you will have laid an excellent foundation.

Claire Knight, head of data protection at L’Oréal
One of the challenges in the future is that many people don’t understand how these technologies work. I often get technologies coming into the business, and I say, “Draw me a diagram,” and they can’t. So if they can’t do it, how can our marketing team do it? If we don’t explain to the consumer what our value is, consumers will just opt out. The incentive is on us to be a bit more creative in providing the consumer what they want.

Gillian McNulty, senior loyalty analyst at Boots
If you tell [people] how you use their data, you get the most engaged customers, so that seems like the best way to go about it rather than to con people into giving you bits of information.

But at the same time, you have slightly old-school marketers who are very much “Oh but if you get people to opt in, [as opposed to] opt out, then suddenly you get a lot less people to market to.” And now with Brexit, that’s made things all the more complicated. We’re trying to convince the company GDPR is the right thing to do across the board, not just for EU customers.

Simon Daniels, head of marketing operations at Hanson Wade
We’re obviously at this point where there’s more heat than light. We’re still waiting for more answers. Consent is crucial. What does it mean to get explicit consent? And to what extent do we need consent? Profiling covers just about anything you can do with a database, so that’s crucial question for us.

Another is how the new legislation interacts with the existing legislation. The electronic privacy regulations don’t go away, so you’ve got layers of stuff on top of each other which makes life that little bit more complicated.