As you know, I am a content guy. For me, it is all about the story, the more engaging, the better.
CRM is one of those digital sports topics which I appreciate, accommodate and try to stay knowledgeable about; however, truth be told, the process kind of bores me.
Still, at SEAT London, it got interesting – and not in a good way.
If, as we read, data is the new oil, then many of us are in danger of those horrible tanker spillages.
The blurb promoting a session on the upcoming General Data Protection Regulation began “data protection compliance is moving from the bench to the starting lineup and the game is about to start”. Many of the content specialists in the room would leave with furrowed brows, engaging in earnest conversations over recuperative cups of coffee in the break that followed.
To clear up any confusion, I interviewed an expert in the field - Fiona Green, founder of Winners. As ever with CRM, it’s complicated. But this should provide the uninitiated with, if not a solution, then at least the gist of the problem.
And that is a start.
If you work in sports content, it is worth five minutes of your time.
RC: What is the GDPR, why has it been brought in and why is it so important?
FG: It’s a long-discussed update to the EU Data Directive (commonly referred to as the Data Protection Act). The purpose is to provide greater protection for consumers (or to give them/us better control over our data) and also to simplify international business by “unifying” the approach across the EU. It’s important because it dictates the way we can use personal data - information we use about individuals that informs the way we communicate with them, how we market to them, decisions we make about our business based on what we know about our fans, etc.
RC: What are the key changes?
FG: The biggest ones for our industry sector are the use of opt-ins. Under the current legislation, rightsholders have got away with using opt-outs (e.g. “please untick this box if you don’t want to hear from us”) or implied opt-ins (e.g. “by completing this form you agree to hear from us”). But the GDPR will no longer allow you to do this - you have to secure a clear opt-in (e.g. “I agree that you can contact me”).
This isn’t just for direct communication; it also applies to the use of website cookies and profiling. Visitors to your website will have to provide a clear opt-in or at minimum be given the right to opt out from cookies or any other form of profiling.
However, note that the PECR (Privacy and Electronic Communications Guide) has not yet been updated - we anticipate the same level of amendments as those we’ve seen in the GDPR but until they’re published, we don’t know for a fact what they’ll be.
Other major changes are the role of the “data processor”. Previously, only the data controller was held liable for any breaches, but under the GDPR, the data processor will have the same obligations to a data subject.
Fines have been increased from a maximum of €500,000 to €20 million or 4% of turnover, whichever’s the greater.
Finally, for the first time, the GDPR will set a minimum age limit for data subjects. In general, it’ll be 16 but EU states will have the right to select their own level, so long as it’s not below 13. It’s envisaged we in the UK will work with the lower age limit of 13.
RC: What do organisations have to do to comply?
FG: There are so many things from the way they collect data, specifically the information they provide their customers/consumers, to the way it’s stored, transferred and used. Data subjects will also have the right to request access to their data and for it to be destroyed on instruction. They’ll also need to tighten up the paperwork they have in place between themselves and any of their data processors to ensure clarity over their obligations to the GDPR and any breach.
RC: What are the potential problems for those who don't prepare?
FG: The biggest threat is the fine. But there’s also the risk of reputational damage. You can imagine how many column inches might be produced if one of our UK rightsholders is fined by the Information Commissioner’s Office.
RC: What is the international angle to this? Does it cross borders?
FG: Yes, it crosses borders. All organisations, regardless of where they process data, will have to abide by the GDPR when they process data about EU citizens. So for many, it may be simpler just to apply the GDPR to all their data activities that deal with individuals.
RC: Lastly, any further advice?
FG: If any rightsholders have not yet started to think about this, they should do so. A good starting point is the ICO. They provide a lot of free guides and have a free helpline for individual questions. Most organisations will also want to enlist proper legal guidance from data protection specialists. The risk of a breach, and the fine that comes with it, is too great to not take this subject area seriously.