Why personalisation is a good thing, when done well

June 2020

“Hi, you haven’t finished watching Jeffrey Epstein: Filthy Rich”, said an email my husband received last week.

It annoyed him. Feeling like his behaviour was being monitored, he promptly clicked the unsubscribe button. Not only that, he went through all of his streaming services’ emails and dumped them too! (Perhaps a petulant ‘lockdown’ moment!)

He knows his TV habits are analysed and is happy to be given recommendations based on what we’ve watched in the past. They’re actually often a pretty good prediction of our tastes. But a personalised email, out of the blue? For him, it felt a step too far.

“75% of customers expect organisations to understand their individual needs” (Source: IBM Survey)

There’s plenty of research showing that many of us like the brands we interact with to know a little about us. We like getting relevant offers and services.

It therefore makes sense for businesses to learn more about their customers. However, they need to get the balance right. We just don’t like it when this feels like consumer surveillance … it just gets creepy. (What was probably intended to be an innocent nudge felt like bossiness or spying to my husband).

Being upfront with people. Telling them why they should share personal details, shouldn’t be seen solely through the prism of compliance. It’s also about giving people a good customer experience and building brand reputation.

The more your customers like and trust you, the more they’ll be willing to do business with you AND share information about themselves.

Apologies, but I am now going to mention the ‘G-word’. GDPR, somewhat unfairly, often gets bashed up for hindering lots of things. I say unfair, because GDPR doesn’t stop you personalising your customer engagement. It does ask you to put a few checks and balances in place.

This means putting your customers in the driving seat – giving them control over what information they provide and telling them what you plan to do with it. Here are just a few points to think about.

Transparency

Do you clearly tell people what’s in it for them? Do you let them know from the outset how you plan to use the information they give you?

Control

Do you let people choose what they share? (I won’t be alone in my dislike of the *mandatory field with no clear reason given as to why I have to share this information). Also do you make it easy for people to ask you to stop using their details? (I also won’t be alone in betting infuriated when I can’t easily get in touch).

Have limits

Do you collect information you don’t really need? Try not to fall into the trap of gathering details with the ‘it-might-be-useful-at-some-point-in-the-future’ approach. Also be careful not to use the information you have for a different purpose, (which you haven’t told anyone about).

Refresh

Do you regularly update what you know about your customers? Do you ask them if they still have the same interests? Over time, what you think you know about your customers may become so inaccurate its actually counterproductive. Quite often what you know is only a snapshot at a particular moment in time, not a lasting profile of their habits.

(This reminds me of being asked by a home store what my interests were. I might have been interested in sofas at the time, but this was temporary. New sofa in situ = no interest anymore).

The ‘don’t-be-creepy check’

Do you carefully consider whether what you are doing might surprise people? Would they really expect you to use their information in the way you are? Just because you’ve ‘buried’ in your T&Cs / privacy notice that you do something, doesn’t mean people won’t be a bit freaked out when this becomes clear to them.

And, if they’re like my husband (the grumpy, privacy-savvy demographic is fairly big) they might choose to make engagement doubly difficult.

Be Lawful

Okay, here’s the technical bit (I wish I had one of those shampoo advert graphics for this, you know, the ones that show how Jojoba nuts stop dandruff or something). Yes, you do need to identify a lawful basis under GDPR for all your activities, and this includes the information you collect for personalisation purposes. Are you relying on consent? Can you rely on Legitimate Interests? Is it okay to wrap this up as part of your service terms? All questions that should be answered, and the answer will be depend on the specifics of what you are doing.

For me, the key is not to be afraid to telling people what you are up to. Be transparent – people aren’t stupid. My husband knows his TV habits are analysed, but he doesn’t want to feel like ‘Big Brother’ is watching. I know brands will be keeping track of my interactions with them, just don’t be creepy. Tell people what you’re trying to achieve, and you may be surprised at what they’re happy to share.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Why is it so hard to explain how we use personal data?

June 2020

Five ways to help explain complex and contentious data uses

I was chatting to my niece the other day, a young mum with two young children who spends a lot of time on Facebook. She has hundreds of friends. She had posted a message asking if it was true that when you install the Covid app it will ask permission to share all your contacts from Facebook. One of her friends had posted;

“I am asking you to please delete me and my details from your phone contact list and any other app, as well as un-friend me on Facebook before installing the tracking app on your smart phone.”

I was rather taken aback by this wildly inaccurate assertion given the reality is a far cry from this. The device is basically designed to pick up blue-tooth signals so you are able to track whether you have been in close proximity to anyone who has reported symptoms/tested positive.

I don’t propose to go into the pros and cons of centralised vs de-centralised databases as the arguments have been rehearsed extensively elsewhere. Whatever your political persuasion we need this track and trace programme to succeed. This is a public health crisis and we need everyone to sign up. If there was ever a situation requiring special measures, this must surely be it.

There is a caveat though; we can’t allow carte blanche to collect and keep any data.  Some have expressed valid concerns about the open-ended nature of some of the proposals. Is it really necessary to keep ‘Track and Trace’ data for 20 years?

My niece’s post got me thinking about the importance of clear and transparent communication from Data Controllers around the use of personal data and how, thus far, it has been largely absent.

Successfully explaining the how and why of data processing has to be a top priority otherwise we’ll see many more of those misleading messages spreading like wildfire and resulting in anxious and concerned people avoiding the app and reducing the efficacy of the programme. This point applies to every single business who processes personal data.

To keep things practical here’s a checklist of five ways to help get the message across:

  1. Use different communication methods – not everyone likes reading long screeds of text. Particularly if, like my niece, you are dyslexic. It’s not going to happen. I know it is early days but I hope that NHS and the government indulge in some creative communication methods such as infographics, videos, cartoons to get their message across. Channel 4 are an exemplar as are The Guardian.
  2. Using plain English – if you have to write it down, make sure it’s couched in terms that your target audience will understand. Plain English, short sentences, easy to understand words should be deployed to get your message across. Various reports place average reading age as 8, 9 or 11. Whatever the truth there are large chunks of the population who will not understand what you have written if you restrict your messaging to rather formal and, frankly long-winded, DPIAs and Privacy Statements.
  3. Use layers of communication – the ICO advocates a layered approach to communicating complicated messages. If you create a thread through your messages from clear top-level headlines with clear links to additional information there is a higher chance of achieving better levels of comprehension.
  4. Keep it short and sweet – having read the 30 + page DPIA for the Covid app I was struck by how repetitive it is. Not only do you lose the will to live but comprehension levels are low and confusion levels are high leading to Twitter storms about what is and is not in the document. All of which is rather unhelpful.
  5. Be upfront and transparent – not only is it easier to understand but most sensible people can work out for themselves if the data processing makes sense without anyone needing to embellish it with soothing words which obfuscate and confuse. It can feel scary to tell individuals what is happening with their data but if you can explain why and, crucially, explain what’s in it for the individual all will be fine. For those fans of Gogglebox over the last few weeks, it’s perfectly obvious that people can work out what’s going on.

Overall though, this is a major marketing challenge. Explaining how you use personal data is an important branding project which allows a company to reflect their values and their respect for their customers.

The marketing teams need to get close to their legal colleagues and use their formidable communication skills to make these important data messages resonate and make sense.

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketers: Will You Need to do a DPIA for that?

February 2020

Why Marketers need to understand Data Protection Impact Assessments

The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.

One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).

In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.

An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.

When should a DPIA be conducted?

The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.

The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes

That certainly sounds like a lot of situations, doesn’t it?

We anticipate a lot of marketers who have never conducted DPIA before will have to learn fast.

The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.

The draft code includes a ‘good practice recommendation’:

“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”

So what do you need to do?

When carrying out a DPIA for marketing, organisations must be able to:

  • describe the nature, scope, context and purposes of what you are planning to do
  • assess its necessity, proportionality and any compliance measures in place
  • identify and assess risks to individuals
  • identify any additional measures which may be appropriate to mitigate any risks

As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.

Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.

It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.