‘Biggest danger is apathy’: John Lewis data privacy boss on EU data protection laws

Retailer John Lewis appointed former Unilever chief privacy officer Steve Wright to the role of group data privacy and information security officer six months ago. He spoke at the Direct Marketing Association GDPR event on Friday, about how brands can start preparing for the updates.

“My biggest worry is that this is all set against a backdrop of confusion,” he said. “The biggest danger is apathy, that tendency to just bury heads in the sand. We’ve got to get a grip on what we want to do with this [customer] data: how and when we use it, and why we want it.”

Here are the takeaways:

Get immediate C-suite buy-in
Some of the changes involved with GDPR involve tightening how businesses conduct bread-and-butter marketing techniques like profiling and how they obtain consent from consumers on whether they can use data. But the laws also apply to how companies must respond to security breaches, and heavy fines (of up to 4 percent of global turnover) will be doled out for those who fail to respond to breaches within the specified 72-hour window. That makes it far more than just a problem for marketing departments, so getting C-suite attention and buy-in early is paramount, according to Wright.

And that’s not a matter of flagging it with the board but getting them to understand it, take responsibility and accountability for it. Wright got the ball rolling at John Lewis by asking three board members to take accountability. “We’ve now started to implement a data accountability model for [John Lewis-owned] Waitrose, which involves its managing director and his marketing director,” said Wright. “These people’s names are on the line. I’ve explained to them that they’re responsible and accountable.”

Humanize the message
Anything around data privacy and protection is complex and sensitive. Finding ways to humanize the message to get everyone on board internally will be a must. John Lewis’s Christmas TV ad campaigns have become a national event and are the fruits of its longstanding partnership with creative agency Adam&EveDDB. Now it has brought in a creative agency to help it build the same communications strategy for GDPR. “You’re going to need a really good communications program,” said Wright. “It’s funny how you can be great at advertising outside your business but less so inside: Don’t just send people the relevant [GDPR] articles. Create materials they’ll understand.”

It’s a journey
Companies don’t have to implement the GDPR until May 2018, but brands mustn’t confuse that as the end date. Businesses must figure out what frameworks and programs can work to prepare for the changes, and that may take them into 2020. “We have hundreds of databases and data lakes. For us it’s a journey, and it’s not going to end on May 28. If you think that’s going to happen, you’re kidding yourselves,” he added.

Wright also warned businesses not to just regard the GDPR as a box-ticking compliance issue. The regulations actually open up bigger opportunities: The chance to reset the relationship between businesses and their customers, and create a two-way dialogue that puts the balance of power on a more even kilter. “This is changing the way we think of the data and how we use it, and giving in to a two-way dialogue with customers which puts them on a much more even footing,” he added.