Trendsetters: WFA's Catherine Armitage finds that 70% of Global Marketers Do Not Realize the Impact of GDPR

Among the many elements of contemporary marketing is a growing reliance on data, as well as a need to understand countless new acronyms for tech terms and other buzzwords.  GDPR, which stands for General Data Protection Regulation, will soon take center-stage for brand owners—even if most marketers are not aware of its implications.

The EU's enforcement of the General Data Protection Regulations (GDPR) next spring will affect the data market on a global basis by requiring explicit consumer opt-in for every data user. 

Any companies which offers goods or services to consumers in the EU or monitors the behaviour of people in Europe -- regardless of whether those companies have European operations or not-- could incur severe financial penalties if these requirements are not exactly met. In fact, companies can be fined up to 4% of global turnover for breaching the new rules, which translates to a potential fine of $800 million to $19.2 billion for Global 500 companies.

Note that GDPR has also been adopted into UK law in spite of Brexit and will go into effect as of 25 May 2018.

The WFA (World Federation of Advertisers) has just released research that underscores how far many of the world's biggest companies must go to meet the new standards.  Plus, they've issued a report on how marketers can take steps to adapt to meet new GDPR rules.  Catherine Armitage, Senior Public Affairs Manager in charge of Digital Governance Exchange--the WFA's forum for senior legal and digital marketing governance specialists—has led both initiatives.

She says, "Marketers need to engage with experts from across their organisations to ensure they fully understand the impact of these new data protection rules. That means regular conversations with legal, compliance and digital governance teams to ensure that they are meeting the new challenges presented by these rules. This applies not just to companies within the EU but anyone who uses data to reach consumers within the 28-member states." 

The WFA survey found:

• A majority of brand owners—70%-- felt marketers in their organizations were not fully aware of the implications of GDPR.
• Only 65% of respondents said they expected to be fully compliant before the rules come into force in May 2018.  
• Just 41% said they already had a framework/strategy in place. 
• One in four organizations surveyed said they were still in the initial planning stages.

The knowledge gap was most pronounced among marketing teams based outside the EU. Fifty-six percent of respondents said their European teams were more aware of the challenge, compared to a global average of 44%. Again, this is significant because GDPR rules apply to any company which offers goods or services to consumers in the EU or monitors the behaviour of people located in Europe, regardless of where they are based.

According to Jacqui Stephenson, Global Responsible Marketing Officer at Mars, and chair of the WFA's Digital Governance Exchange, "It is a concern that only nine months away from implementation many marketers are not prepared. The risks of not being ready for GDPR are huge both financially and in terms of consumer reputation."  

Other key findings include: 

• The two biggest challenges for brand owners are "connecting the dots between data stored across different parts of the organizations" which was cited as extremely challenging or challenging by 66% of respondents and "reviewing and understanding compliance levels across third parties," which was cited as challenging or extremely challenging by 73%.
• The top three priorities for respondents was to review consent mechanisms for collecting and processing data, cited as a high priority by 94%, review and updating privacy policies (63%) and reviewing data inventory to assess compliance (56%).
• One in three organizations are planning to hire a Data Protection Officer, which will become a legal obligation for companies that monitor consumer behavior on a large scale (or those that process certain categories of sensitive data such as information about health). However, 30% of organizations said they already have someone fulfilling this role.

The survey results are based on responses from 18 companies, spending more than $20 billion on global marketing communications each year.

To address the knowledge gap, the WFA has created a new GDPR Guide for Marketers, which has been compiled in conjunction with global privacy and cybersecurity legal experts, Hunton & Williams. The report highlights the five key areas where marketing teams need to act.

1. Brand owners need to be able to demonstrate that they meet the GDPR's new and extensive conditions for consent to be valid: consent must be freely given, informed, specific and unambiguous.
2. If getting consent isn't a viable option (e.g. because the company doesn't have a direct link to the consumer to ask for consent), marketers will need to work with their legal teams to identify other ways to collect and use consumers' personal data. They also must highlight such practice in places such as privacy policies.
3. Brands need to explore creative ways to provide clear information about how data will be used in a concise and intelligible form, using clear and plain language.
4. Children's data will be a area of focus, as marketers will need to collect parental consent. The age at which parental consent will be needed could vary from 13 to 16 by country.
5. Marketers looking to use data collected during past marketing campaigns to identify new target audiences will need to work with their legal teams to understand if this is permitted under the new rules.

The WFA's Digital Governance Exchange, a group of 200 senior in-house experts who meet regularly to discuss common challenges on privacy, data protection and message targeting, will be meeting in New York for the first time in December to specifically focus on best practice around GDPR to highlight how brands based outside the EU can take effective action.