What is responsible marketing?

January 2021

What is responsible or ethical marketing?

What core values should you embrace and what type of projects can marketers apply these values to? Following some difficult moments, over the last year or two, trust in advertising remains stubbornly low.

Now more than ever we need to focus on open and transparent marketing campaigns to build back trust with customers.

Here are my six pillars of responsible marketing:

1. RESPECT – put simply, your customers sit at the heart of your campaigns.  As one ICO speaker said to me at a DMA conference a few years ago “don’t piss people off”. That should be easy shouldn’t it? Ask yourself the question, how would you feel if you received the message/communication you’re planning to send out?

2. VALUE – create a credible value exchange. According to DMA research 88% of consumers believe the value exchange between consumers and corporates is skewed towards corporates. If customers receive relevant messages, they consider the value exchange is fair and will happily share their data.

3. TRUST – build trust in your campaigns. According to the Advertising Association, since 1992 consumer trust in advertising has halved to 25%. A project might involve marketing, product, compliance, risk, legal, sales, distribution teams and all of them need to put customers at the heart of their activities. In particular customers need to feel they can trust companies to do the right thing and, recently, this has been in short supply.

4. JARGON FREE – we must speak the same language. For marketers, the data privacy teams can sometimes talk gobblydegook. Article this and recital that, results in everyone else’s eyes glazing over in double quick time. And that’s just within the business. We all need to make a concerted effort to speak the customers’ language.

5. BE OPEN – openness and transparency are watchwords. Responsible brands employ responsible marketing techniques which revolve around providing a clear explanation of how data is used with clear pointers to help customers manage their data preferences. Explaining how data is going to be used and not feeling worried about how customers will react should be the norm.

6. RISK v REWARD – balance risk and reward. Only the business can really decide where this balance lies and that view needs to be shared across all teams. The compliance teams cannot own this, although they can help the business make those decisions. In the end data privacy is a business decision.

So, how can these principles translate into actions and projects? Here are just a few examples of responsible marketing projects:

  • Privacy by Design – what does this mean? If you’ve designed a new workflow or invested in some new technology, you need to consider your customer’s privacy needs from the start. You may have to evaluate the risks to understand the positive and negative impact of your decisions. You may ask your customers how they feel.
  • A brand led privacy communications campaign – have you asked your brand team to develop a clear and easy to understand privacy comms campaign? There are a few teams who have used video or graphics to bring their privacy policies to life, such as Channel 4, The Guardian, Amnesty International and the ICO themselves have materials which work hard to explain their policies clearly.
  • Data strategy –I’m not talking here about deciding what tech to buy but a clear strategy and decision about how to recruit and retain customers. Have you carried out a project in your organisation to figure out what data you really need to make a difference to sales? Have you worked through your database and minimised the volumes of data you need? Have you considered whether you need all the cookie data that is collected? A strategy based on what will make your messages relevant to your customers and prospects will almost certainly use far less data than is being collected at the moment.
  • Making data privacy part of your business culture and values – behaving ethically and treating customers well will reap huge benefits in terms of enhanced trust and increased sales.

 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

When does your CRM marketing plan morph into a data privacy project?

August 2020

Marketing plan: 10 tips for turning your database into a goldmine

I’ve worked with a lot of organisations who ask me, quite reasonably, whether they can leverage their customer database to deliver more business. I say, “Absolutely let’s do it but if you’re developing a customer data strategy, you need a privacy strategy to go alongside it”.

Why?

Sometimes, my clients are sitting on large databases which have grown organically over the years – companies are proud of their databases. A large database, even unused, is like a commercial comfort blanket. ‘Surely, it’s good to have a lot of data even if I’m not sure where it came from?’

And sometimes, my clients have no databases but want to start building one up to help deliver their commercial objectives. In this case their question is often where do I start?

With the introduction of GDPR came a very welcome focus on developing coherent customer focused strategies for leveraging sleeping giants or nurturing a nascent database.

In a nutshell, we should get very excited about new business opportunities, but we also need to tread carefully. We have to ask the tedious questions like;

  • do you have permission to market to these people?
  • when did you last communicate with these people?
  • do you have a retention policy in place?
  • how do you keep track of marketing permissions?

This is followed by a collective groan whilst we start to understand whether we really are sitting on a goldmine.

Here are my top 10 tips for turning your database into a goldmine

1. Where is your customer data?

Perversely as technology becomes a bigger part of our business operations the organisational silos have grown. This means a challenging time for management as they figure out where all the buckets of customer data sit.

Databases can spring up like mushrooms all over the organisation and it’s important to ensure you know where all the customer records are – not least so that the poor customer receives a consistent service from you.

2. What permissions do you have?

Find out what marketing permissions have been given. When were these collected and what opt-in/opt-out statements were used? If the answer is “I don’t know”, you need to do a bit of stripping back until you are confident you have robust data. You may need to carefully communicate with your customers to update those permissions.

3. Is your privacy notice up to date?

In order to market to customers, it’s important to set out in your privacy notice what you intend to do. For some, it can be a novel idea to have a plan but it’s a good discipline to have some visibility, in advance, of what you plan to do with your data. This includes emailing, profiling, social media marketing, data sharing, cookie management and so on.

4. Do you have an email preference centre?

This is immensely useful if you want to avoid a ‘one size fits all’ marketing opt-in/opt-out. Maybe you want to subscribe to products from one part of the organisation but not another.

I used to work at the Guardian: I like sports news but don’t like entertainment news and want to be able to choose one email over the other. A technology solution helps to keep these up to date as well as keeping a record of what was presented.

5. What about your cookie policy?

Is it compliant, is it up to date, are permissions stored somewhere safe? Can they be updated? Do you work with ad tech partners? Again, for larger businesses with complex cookie management, a technical solution will help you keep on top of the detail.

6. Do you have a clear view about consent and legitimate interest?

Be clear about when to use each permission type and what lawful basis you are relying on. We shouldn’t believe consent is superior to legitimate interests, they are equal in law, but sometimes consent is a requirement. It adds complexity to managing your marketing permissions but strategically using legitimate interests has a significant effect on your ability to market to different constituencies through different channels.

7. What about your emails?

Are you familiar with the difference between GDPR and PECR and how they interact with each other? Are you emailing your customers? If so, you may be able to rely on the soft-opt in for marketing permissions rather than consent? Again, it makes a huge difference to the size of your addressable audience.

8. Is your marketing stack up to the job?

Can it maintain a mixture of permissions in one platform and retain its integrity over time? Having rules in place can help you to automate when you need to change the status of individuals’ marketing permissions.

Do you know where your marketing tech providers process the data? With the latest pronouncements from CJEU on Schrems II – where data is processed has become a hot topic.

9. How transparent are you with your customers?

Have you explained to your customers why you are capturing their data and what you’ll do with it? Have you provided a good answer to the customers’ question “What’s In It for Me?”. Channel 4 and The Guardian do this well.

10. How long are you going to keep this data for?

In many cases, not a lot of time was spent worrying about data retention when GDPR was introduced but now, more than 2 years later, any gaps in your retention policies are starting to look like glaring holes.

It’s most definitely time to make sure you know what you’re going to do with the data – Keep it? Re-permission it? Delete it? Anonymise it? Pseudonymise it? So many choices!!! The DPN have produced detailed data retention guidance to help tackle this topic.

And finally, take your marketing team on the journey with you. Explain why we need a strategy for privacy, how this is a branding job as much as any other campaign. It should reflect our company values and re-assure customers that we are good people to do business with.

 

Do these challenges resonate with you? Our practitioner consultants can provide you with the data protection support to help you get your customer data platform up and running in double quick time. Get in touch 

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Seven Step Ad Tech Guide from DMA and ISBA

May 2020

The DMA and ISBA guide for marketers and advertisers to help navigate through the complexity of handling personal data in Ad Tech.

This guide was written in response to the ICO’s Ad Tech Update which looked into how data was used in auction style Real Time Bidding.

The ICO had identified a number of concerns relating to the protection of the rights of data subjects through the use of Real Time Bidding (RTB) in the programmatic delivery of digital advertising.

As background for the uninitiated, the majority of digital advertising is delivered programmatically (through automation) via a variety of methods including Real Time Bidding (RTB).

RTB is defined as the delivery of programmatic advertising by a real-time auction method. To support this process, there are a myriad of technology solutions (Ad Tech) providers who enable advertisers to identify and target recipients of advertising delivered in real time.

The guide written in collaboration with the DPN and PwC UK, aims to support UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of data subjects.

It is a practical guide to the seven steps participants can take to ensure they adhere to the legal requirements and demonstrate their understanding of the regulator’s concerns. The DMA and ISBA were able to consult with ICO during the development of the guide.

It’s designed as a reference with clearly defined sections allowing readers to read the whole document or dip in as the need arises. Where suppliers are mentioned these are noted as examples and are not recommendations.

This guidance is divided into seven clear steps:

1. Education and Understanding – a comprehensive introduction to cookies and programmatic advertising with a detailed glossary of terms.

2. Special Category Data – the ICO highlighted the importance of treating special category data with care and this section steps you through its definition and usage.

3. Understanding the Data Journey – a key challenge is being able to track how data is captured and who processes it. This section explains how to complete a Record of Processing Activities as well as introducing the IAB’s Transparency and Consent Framework.

4. Conduct a DPIA (Data Protection Impact Assessment) – the ICO noted the limited use of DPIAs in Ad Tech. This section sets out to explain what it is, when to use it as well as some pointers to what questions to ask.

5. Audit the Supply Chain – the ICO highlighted that you cannot rely on contracts to provide assurance around the use of personal data. This section provides audit check lists and questions you need answered when auditing suppliers.

6. Measure Advertising Effectiveness – the ICO have queried whether it’s necessary to use all the data collected through Ad Tech platforms. This section provides links to reference materials for improving insights into advertising effectiveness to allow for a proportionate approach to using personal data.

7. Alternatives to Third Party Cookies – what does a post third-party cookie world look like? This section provides some suggestions about alternative methods of targeting including the adoption of contextual targeting. It also provides references to some industry initiatives which are exploring different ways of targeting in a less intrusive manner.

See the full 7 Step Ad Tech Guide

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketers: Will You Need to do a DPIA for that?

February 2020

Why Marketers need to understand Data Protection Impact Assessments

The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.

One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).

In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.

An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.

When should a DPIA be conducted?

The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.

The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes

That certainly sounds like a lot of situations, doesn’t it?

We anticipate a lot of marketers who have never conducted DPIA before will have to learn fast.

The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.

The draft code includes a ‘good practice recommendation’:

“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”

So what do you need to do?

When carrying out a DPIA for marketing, organisations must be able to:

  • describe the nature, scope, context and purposes of what you are planning to do
  • assess its necessity, proportionality and any compliance measures in place
  • identify and assess risks to individuals
  • identify any additional measures which may be appropriate to mitigate any risks

As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.

Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.

It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.