Failure to navigate the complexities of General Data Protection Regulation (GDPR) could end up costing businesses millions. Has your business created a compliant framework?
Businesses are under increased scrutiny over their data protection policies, and this will only escalate now that the European General Data Protection Regulation (“GDPR”) has come into force. GDPR became a reality on 25 May 2018. The protection and regulation of customer data isn’t new for businesses; however, the new law has brought numerous changes that make data protection compliance harder than ever before. For example: the standards for customer consent are higher; organisations have to be able to demonstrate that they have considered and documented a lawful basis for holding any data; and the regulator has greater powers of enforcement, in particular the power to impose huge fines. Failure to navigate the complexities of the new law could end up costing businesses millions.
Customer Relationship Management (CRM) systems have been around since the mid-1990s, and the customer data within them has often been migrated from one iteration to the next. In light of GDPR, the rules around keeping and using this data have become stricter. If businesses cannot justify retaining the data, they must delete it. If they are relying on consent as a justification, they may need to obtain fresh consent to the new, higher standards: an individual must tick a box, reply to an email or take some other positive action to indicate consent. The obvious pitfall of asking people for their active consent is that many will simply not respond.
Keeping track of consent is a headache for large organisations, particularly as many run multiple CRM and data management systems in parallel. A recent survey of senior legal counsel by KPMG and Legal500 found that only 42% of UK organisations have adopted a data compliance management system. Furthermore, many employees outside legal and compliance departments still seem to be grappling with GDPR. In a worst-case scenario, obtaining and tracking fresh consents across several disconnected systems may itself lead to non-compliance.
Businesses offering a broad range of services have their own particular challenges under GDPR. These companies hold vast amounts of customer data, which they are likely to want to use to cross-sell their varied services. It’s not unusual for retailers to offer their own branded retail banking or mobile phone services to existing loyalty scheme holders.
In order not to fall foul of these new regulations, companies will need a clear understanding of what consent their consumers have given, and must ensure that those consents are robust and wide enough to permit the sharing of data across the group and the marketing of a wide range of products and services. The days of catch-all marketing consents are over.
Among all the hype about obtaining fresh consents, there is a further legal nuance which businesses may wish to consider. If they are a company marketing a narrow range of their own products, they may be able to rely on the lawful basis of “legitimate interests” (instead of consent) under GDPR and the “soft opt-in” under the Privacy and Electronic Communications Regulations (“PECR”), which runs in parallel with the GDPR and regulates marketing by electronic means. To do so they must show that the use of the data is proportionate, has a minimal privacy impact and people would not be surprised by the marketing. They must also provide people with appropriate and timely opportunities to opt-out of the marketing. However, the law in this area is narrow and also under discussion at European Union level (in the form of the ePrivacy Regulation). Developments need to be monitored.
If companies are going to rely on the soft opt-in and “legitimate interests”, they need to document that decision and ensure they remain strictly within its narrow boundaries. However, with customers more aware of their rights under GDPR, businesses may still be challenged if they take this approach. As with any other option, the key is to document the processes for offering and maintaining appropriate opt-outs and to restrict the marketing activity accordingly. To avoid these challenges and restrictions, and the risk of fines or regulatory change, businesses may decide to undertake marketing only on the basis of consent – a difficult commercial decision. One thing is clear: businesses will need to take a rigorous approach to compliance with GDPR, PECR and the forthcoming ePrivacy Regulation, and be able to demonstrate to the regulator how they comply.
Understanding your organisation’s data and creating a compliant framework is challenging in the short term, but worth it in the long run since GDPR is here to stay.
For more information, please contact Lucy Jenkinson.
© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.