The closer May gets, the more the term "RGPD" is on everyone's lips in the marketing ecosystem. Both a source of fear and opportunity, the regulation is causing companies to question their relationship with personal data.
What is behind this acronym? Which levers will be most impacted? What are the business opportunities?
To get a clearer picture, we took advantage of the arrival of M13h within the Labelium Group (to which Feed Manager also belongs) to put a few questions to Mickaël Avoledo, associate director in charge of the regulatory offer.
What is the RGPD?
The General Data Protection Regulation (GDPR) is a European regulation that will apply to all organisations that use the personal data of individuals living in the EU in the course of their business.
What is its purpose?
The legislator has three main objectives with this text:
- Standardize the rules on personal data protection at European level. As it is a regulation and not a directive, it is immediately and uniformly applicable in all member countries
- Better protect the personal data of EU citizens, and provide more transparency on how companies collect and process their data
- Facilitate the free circulation of data in exchange for making the actors who process them accountable (the latter will have to be able to prove their compliance at any time)
When will it be implemented?
The date of entry into force is 25 May 2018. According to a study by EY published on 31 January, only half of the companies surveyed declared that they were in compliance with the RGPD. The other half only have a few weeks left to do so!
However, 25 May will not be a real deadline. The authorities are well aware of the scale of the task for businesses and certain points may be subject to "tolerances" in the first instance. The CNIL is primarily seeking to verify that serious steps towards compliance have been taken and that certain key principles of the text are respected.
What are the penalties?
Organisations that fail to comply with the regulation risk a heavy fine of up to 4% of global turnover or €20 million, whichever is higher.
What will change?
In addition to the increased importance of sanctions, several points change in relation to the current French data protection law.
In terms of scope, the text has extraterritorial application: companies outside the EU that process the data of European citizens are affected. Furthermore, companies and their processors become co-responsible for compliance with the text.
The approach is also changing. Firstly, from a system of prior declaration of processing, we are moving towards a logic of "accountability" which implies reinforced documentation. For example, companies will have to formalise their processing operations in a register of processing operations, indicating the source, the storage location and the third parties within the organisation that have access to the data. Secondly, the text introduces the notion of "privacy by design": the strictest confidentiality parameters are applied by default (no more opt-out, for example) and only data strictly necessary for the purposes of processing may be collected (minimisation principle).
The rights of individuals are also strengthened. In addition to the rights of access and modification, the text introduces new rights such as the right to be forgotten, the right to portability, the right to object to profiling, etc. The company will have to inform people of these rights before collection.
Another important issue for marketers is the legal basis for data collection. The company can invoke several bases to justify the collection of personal data, such as legitimate interest or the execution of the contract. But the most solid basis remains that of the user's consent. This must be expressed in a clear positive act. This notion continues to be debated at the moment, particularly with regard to consent for the deposit and collection of information linked to cookies, the raw material for digital marketing.
Finally, in terms of organisation, a Data Protection Officer (DPO) must be appointed in the company. He or she will have to ensure the use and security of data within the organisation. He or she will also be the privileged intermediary for discussions with stakeholders on the management of personal data.
Which levers will be impacted?
To begin with, all the levers for the pure conquest of new customers and prospects must be rigorously controlled. If external data suppliers are used (3rd party data, email databases, etc.), it will be necessary to check that they have collected valid consents within the meaning of the RGPD and to require this contractually.
Regarding web retargeting, whatever the channel (search, display, social, ...), the main impact could be on reach. As mentioned above, several legal bases can be used for the deposit of cookies for advertising targeting purposes. The basis chosen (legitimate interest or, more likely, consent) will have a major impact on the reach of retargeting, as will the methods of implementing consent if it is retained (in particular the famous "clear positive act" which is the subject of debate).
Finally, advertising and loyalty emailing is also a lever in the line of sight of the regulation and will be particularly observed. Opt-in is the watchword. Although the practice is still widespread today, it will be forbidden to pre-check a box to subscribe to a mailing list: it is up to the Internet user to actively take this step. Moreover, the purposes will have to be clearly separated in the collection of consent, potentially leading to a multiplication of checkboxes and an end to the mixing of genres with "too generic" consent. Finally, the legal information (listed in articles 13 & 14 of the regulation) will have to be clearly displayed at the time of the collection of consent, and of course, the unsubscribe links (= "withdrawal of consent") will have to remain in the emails, or even become more sophisticated, by giving access to a real privacy centre allowing consent to be withdrawn by purpose.
Are there any opportunities?
Although the RGPD seems relatively restrictive, it has several advantages for companies.
If we were to choose two of them:
- Increasing the overall quality of data. The RGPD leads organisations to collect and keep only what is really necessary, which allows them to remain focused on the essential: the data that can really be used.
- Building trust. The Regulation is a good opportunity to promote transparency to build trust. In the same vein, companies that move from push to pull marketing will clearly benefit from the regulation and its requirements on consent, as well as limiting advertising waste on low engagement targets.
In conclusion, if the RGPD is first perceived as a new constraint for marketers, it is a real source of opportunities and deserves a strategic questioning under two axes: how to limit the impact on my marketing operations while being compliant? What competitive advantage can I gain from compliance?