Teleperformance Roundtable on European Data Protection Regulation in association with the DMA
October 9th 2014 Jumeirah Carlton Tower Hotel,
London
The European Data Protection Regulation is coming.
Is your business prepared?
Every business throughout the EU with a customer faces having to comply with new data
protection rules, expected in Spring 2015, in a challenge many are yet to prepare for.
The regulations will profoundly alter the way customer information, which is increasingly
amassed from growing numbers of sources in a digital sea of data, can be collected, held and, most
importantly, used.
There will be particular constraints on advertising, marketing and any use by third parties without
explicit consent from the customer, with stinging financial penalties for those who fail to comply.
In a process entangled in privacy concerns amplified by the security leaks from US whistleblower
Edward Snowden, businesses may end up paying the price for a popular unease about how
knowledge is gathered and used online.
Against this backdrop, Teleperformance brought together senior figures
from the Financial Services and Retail sectors, including heads of data and
privacy and operational professionals and consultants with responsibility for
data management to discuss what lies ahead, amid uncertainty - still - over
what can, and cannot, be used for sales and marketing and the potential
impact on the wider customer experience.
Following introductions by chair William Carson, Head of Market
Engagement at Teleperformance, guest speaker at the event Mike Lordan,
Director of External Affairs at the DMA, gave an overview of the draft EU
proposals following his meeting with Commissioners in Brussels:
“The draft proposals are essentially designed and aspire to improve trust
between consumers and businesses in order to improve trade by building
“a new gold standard of data protection” which the Commission hopes will
become the international benchmark for data protection.”
“The regulations, broadly, seek to ensure consumer information is not given
to third parties for commercial use in ways that could identify them as
individuals without their explicit consent.”
A major concern quickly reached in the discussion was the impact on UK
businesses, particularly start-ups and smaller enterprises that the Government
is relying on to kick-start the economy. As one expert noted: “How can you
monitor and legislate without crushing or stopping economic growth? It’s a
hard balance to get right with this, particularly as customer data is now so vital
to how companies perform and market themselves.”
This identified that one of the biggest potential risks to most companies is
‘professional’ or opportunistic claimants seeking out sites which have sign-up and
marketing processes which are unclear or inadequate. “We will need to change
our data protection and privacy mindset. Instead of making sure consumers’
rights are fulfilled, we need to be in a position to easily prove that consent has
been obtained, so that opportunistic claims can be quashed immediately.”
Around the table, some saw getting consent without disrupting business
models, or creating levels of administrative and technical complexity, as the
central problem.
Mike spoke of the continuing battle he has led to tone down plans tilted
firmly towards restricting business innovation which impacts the consumer.
“We’ve submitted lots of business evidence over the past years to explain
why these regulations won’t work, not least because they will stifle
innovation.”
But he said that the spectre of Edward Snowden loomed large. “His name
crops up at all the meetings,” he said. “That’s the climate we are in still.”
Concerns were expressed by those specifically accountable for ensuring
their businesses were compliant that the directive would actually frustrate
the very consumers it is designed to protect. “Like passwords, customers
will have issues remembering who they’ve given consent to, and who they
haven’t and indeed what such consent covers.”
Uncertainty also remains about how long the consent will apply for.
Moreover, consent given to receive marketing messages about a product
does not mean the consumer has consented to receive messages about a plethora
of other products that weren’t originally advertised.
For some particular businesses the impact is even more acute. Advertising and
outbound telemarketing, it was noted, both use data gathering and profiling in
their campaigns, whether through apps that respond to television commercials,
billboard screens with cameras taking data from passers-by, or data brokers
and list suppliers.
Mike Lordan said that this was understood by the UK Government, which is “on
board” with loosening the draft restrictions and ensuring the final wording does
not hinder economic growth. But being on board may not be enough. Germany,
the strongest backer of the data protection measures, wants a tough regulatory
environment and, as with all EU legislation, the UK Government is largely powerless, as
EU law has to be followed by all member states.
For the optimists, some progress towards a looser directive was being made, he
suggested. For example, the latest draft keeps telemarketing as an opt-out from the
provisions. However, Mike went on to explain: “The EU Data Protection Regulation and
its requirement for explicit consent will lead to a revision of the E-Privacy Directive.
If adopted in the Regulation, the notion of explicit consent would extend into the
directive, thus have an impact on how consent is collected for direct marketing
communication. When revising the ePrivacy Directive, there is a high risk that the EU
legislator will want to review the rules on telemarketing and harmonize them.”
But how long before the whole churn of debate and business uncertainty begins
again? William Carson, citing an article printed only two days earlier in Wired
magazine, suggested that the directive could already be outflanked by new
technologies, which harvest information from people as they go about their daily
activities. The constant data stream from mobile smart devices coupled with a
person’s social media activity and location tracking is already identifying individuals
in all but name.
“This all raises the question of whether we are going to see, or should see, the law
changed more frequently to keep pace with developments which could add further
complications for businesses.”
And after the battle over content is done, the puzzle of wrestling with how to make
the regulations work will remain, and is already bemusing many businesses.
“From a consumer standpoint, it should be simple, but technology has made things
very complicated with pins, passwords, contact centres and so on.
These regulations are easier to state than to enact on
the ground. Yet we face punishing fines for not getting it
right. Then there are the more obvious difficulties created
in managing the customer journey.”
One guest from the Financial Services industry
stated that car insurance firms, for example,
anticipate needing to speak to all named drivers
on an individual policy at the point of application
or renewal, an obvious derailment of the seamless
customer experience that consumers expect.
There are also issues around whether people
will understand what they have consented to,
particularly if consent is woven into online terms
and conditions and agreed using a tick box.
“And what about high street retailers that offer a
broad spectrum of products and services - everything
from groceries and household goods to insurance
to banking. Are they going to need explicit consent
for each sub-sector from an individual? Or is it one
consent for all within a brand’s panoply of offerings?”
There was also a sense that there will be major
issues for marketplaces, such as Amazon and eBay.
“The directive could create some real issues for their
business models as profiling and ‘recommendations’
presented by email or dynamically are fundamental
to their success. The Parliament text requires an opt-
in for profiling which may have severe legal effects
on the individuals (e.g. health details). The text also
requires marketers to offer the individual an
opt-out possibility from profiling.”
All company representatives at the round table were
concerned that controls on information will also
slow down processes, further irritating customers at
a time when “friction-free customer engagement
and experience is the expectation”. Further
challenges for businesses seeking to operate
efficiently include the potential burden where
non-compliance has been identified. The draft proposals
will require that breach notification procedures
include mandatory notification to the ICO; in addition,
data processors must notify controllers of breaches,
and notification must also be sent to individuals
where privacy is affected.
No details of penalties for non-compliance have
emerged yet, but they may be based on company
turnover, possibly five per cent, and fines of up to
€100 million could be expected.
But despite the current absence of details, a clear
immediate step ahead of the regulatory changes did
emerge among all those attending already charged
with wrestling with the looming problem of complying:
Act now. Gather as much permission as possible.
Daunting as the task may first appear, it was felt the process for reviewing
a business’s Data Protection and Privacy Compliance could be broken
down into a number of straightforward tasks and activities:
• Review processes to clarify what data is collected and how it is collected
and stored. Is all the data collected appropriate and necessary and
does it align with what customers would expect?
• Explain to customers what is done and why regarding the collection of
their data and, where possible, give them choices.
Some of the actions discussed rolled up into a possible approach to
conducting a review of current processes:
Data Collection:
• What data is collected, where, when and how?
• Is personal data collected which could be deemed excessive in relation
to the purpose for which it was collected?
• Is any personal data kept longer than necessary for the purpose for
which it was collected?
• Are answers to queries consistent with customers’ expectations?
Process:
• In the privacy policy include detail of what data is collected, how it is
stored, how it is used to benefit customers and what their options are
for deleting their data.
• When creating an account or when someone signs up make it clear
at that time why certain information is collected and explain clearly
why it benefits them, providing a link to the detailed section in the policy.
• Allow people to purchase without creating an account – but give
customers compelling reasons to create an account by telling them the
benefits they will get from having a registered account.
• Provide customers with ‘the right to be forgotten’ by allowing
customers to delete/obfuscate (replace their customer details with
dummy data) their account history – but give them reasons NOT to
do this.
• Give customers a choice to NOT be tracked, recorded and profiled. But
give them compelling reasons why entrusting their data is a good thing.
Compliant by design:
• Keep wording and processes simple and unambiguous
• Collect basic audit information which shows what consent was
provided and when
• Where possible and appropriate, start collecting explicit consent
where this currently relies on implied consent
• Keep privacy policies up to date, making it easy for customers to see if
anything has changed
• Make sure you are in a position to easily prove that consent has
been obtained
As the DMA’s Mike Lordan put it:
“Companies should start collecting ‘informed consent’ now, before the regulations come in. Because they will, and probably very soon.”
With special thanks to the DMA and Council Members
www.teleperformance.com  @TPmarketingUK  TeleperformanceUK  william.carson@teleperformance.com
The Teleperformance Round Table Events are held throughout the year
and bring together leading industry commentators, analysts and senior
commercial and public sector professionals to discuss a broad spectrum
of business challenges across all sectors.