- Irrespective of Brexit, the General Data Protection Regulation (GDPR) and the forthcoming ePrivacy Regulation will be in place for many years to come.
- There is real commercial value in personal data for most businesses – far beyond use in day-to-day operations.
- Preparation and foresight are key to ensuring that you can extract maximum value from the personal data that you hold.
It is uncontroversial (and perhaps bordering on understatement) to say that compliance with the GDPR has presented many businesses with an unwelcome challenge. Some have risen to this challenge as a defensive measure to guard against the expense and adverse publicity that can accompany a data breach, or to mitigate the risk of being sued under the Data Protection Act 2018 (DPA) or facing enforcement action by the Information Commissioner. Looking through a more positive lens, there are other real, but perhaps less obvious, benefits to taking a strategic approach to your data governance. If your business deals directly with consumers or if you work with strategic partners or sponsors who do so, the value of personal data for direct marketing purposes can be significant.
Although most businesses would recognise the value of maximising direct marketing opportunities, many organisations may be failing to make the most of these opportunities by not taking a forward-thinking approach to data governance. This can be a particular problem if data protection compliance issues are addressed in a piecemeal fashion. Although it may appear a less costly approach, dealing with data protection issues on an "as and when" basis can ultimately lead to higher legal and administrative costs. An example of this is where a sports venue operator enters into an agreement with a sports team or sponsor for the use of facilities. The venue operator would clearly see the value of such a contract in terms of revenue for providing the use of their facilities, but there could also be considerable opportunities for cross-selling, which would only be possible if all parties involved were able to share customer personal data in full compliance with the GDPR, DPA and the Privacy and Electronic Communications Regulations (PECR). Initially, the parties may be keen to agree a deal quickly and fail to consider the wider data protection issues. At best, this may prevent the parties from making the most of the opportunities before them. At worst, a failure to put in place an appropriate data sharing agreement (including any cross-border transfers) and present the end-customers with an appropriate privacy notice could lead to action being taken by the Information Commissioner or a class action by the data subjects themselves. Businesses that rush to get a basic agreement in place may later realise that they wish to make the most of the opportunities otherwise available and, ultimately, find themselves spending significantly more on legal and other costs as they try to retrospectively put the necessary arrangements in place.
Taking a more strategic approach, by ensuring that potential data opportunities are spotted early and that the necessary agreements and other documents are put in place to enable the desired marketing activities, can lead to lower costs and to value being realised much sooner. Following the implementation of the GDPR last year, many businesses seemed to be under the false impression that they could only market directly on the basis of consent. In fact, depending on the specific circumstances, direct marketing on the basis of legitimate interests is a potential option and is usually preferable to consent. While this is true in many cases, for businesses with a wider offering, including those working with strategic partners and sponsors with significant cross-selling opportunities, a consent-based approach to marketing is likely to be the more valuable option, provided that they get their data governance right from the outset.
If the full range of potential marketing opportunities is explored at an early stage, you can put in place the contracts, privacy notices, terms and conditions and CRM systems needed to ensure that you can use the personal data for the desired purpose and in full compliance with data protection legislation.
How we can help
We offer a full suite of data protection compliance services (including expert advice, access to resources, data breach support, training and audits).
Contact our data protection specialists to discuss how we can help your organisation achieve good data governance while maximising opportunities.