Data-driven marketing, the real risk boards are missing
Indications are that businesses have failed to learn the lessons from the first year of the General Data Protection Regulation (GDPR), according to Stewart Room, lead partner for the GDPR and data protection at PricewaterhouseCoopers (PwC).
“It is really important that the business world reads the runes properly about the regulatory priorities regarding data protection and privacy, and not look at this issue through the single lens of cyber security,” he told Computer Weekly.
Businesses could be misled, said Room, by the proposals to fine British Airways £183.39m and Marriott International £99m for GDPR infringements into thinking that improving cyber security is the top priority.
“That would be misreading the runes and missing the more important regulatory agenda which is focused on data-driven marketing, where unlike cyber security or personal data breaches, there is no legal obligation to tell people you are failing, and that is why it is firmly on the agenda of regulators.”
According to Room, potentially the most important priority of regulators is data-driven marketing, and he believes they are driving this forward at a massive rate.
Evidence of this is to be found in the €50m Google fine in January from the French regulator, the July $5bn settlement between Facebook and the Federal Trade Commission (FTC) and the $170m fine for YouTube in September, which he said are all essentially about data-driven marketing.
Another indicator of this regulatory agenda is the fact that the UK’s Information Commissioner’s Office (ICO) is investigating companies reliant on data-driven marketing and plans to fine those in violation of data protection laws, as stated by the ICO’s Simon McDougal in a recent interview with the Financial Times .
“Organisations are not seeing this for the peril and the risk that it actually is, and the capacity of the regulatory regime, privacy advocates and motivated members of the public to deal with this issue themselves is greater than their capacity to deal with cyber security related to data breaches,” said Room.
While cyber security failures are generally hidden from view, which is why there is the transparency obligation of breach disclosure, he said marketing happens in plain sight, and the number of times people could find a data-driven marketing failure event on any given day is probably countless.
“Every day, a huge number of people see countless examples of data-driven marketing failures, and this creates a class of people that is sufficiently large so as to mean that a fight against data-driven marketing and how this is operating in business is inevitable,” said Room.
“And when that fight occurs, it will be a battle royale because it is hiding in plain sight and people know what advertising they have consciously and deliberately consented to.
“It is important that businesses do not fall into the trap of reading those proposed GDPR fines of July as meaning that data protection and privacy is about cyber security. Yes, they have got to acknowledge the importance of that principle and its criticality, but they have got to see what is also happening on the data-driven marketing agenda, and if they fail to do so, they are going to be in trouble,” he warned.
Room said there is an “incredible power” that the regulator has called the assessment notice. “This power is much more impactful than a fine because it creates utmost transparency, and businesses that are heavily reliant on data for data-driven marketing need to understand that the assessment notice power could be used against them to acquire evidence about compliance with the GDPR, which, in turn, could be used to justify other enforcement activities such as an enforcement notice or a fine,” he said.
As a result, Room said every business board that is heavily reliant on data-driven marketing needs to put it on the risk agenda and at the very top of the risk register .
“This is the Achilles heel that millions of people are recognising and that the regulators are recognising, but it is not being recognised by business leaders. It is hiding in plain sight,” he said.
Systematic security cycle
Another key observation by Room about the past few months is that news of the ICO’s intention to fine British Airways and Marriott International in July was the high watermark of interest.
“It created immediate reverberation. But that had all by disappeared within two weeks because the shelf life of shock and awe is very short, and two months on, it is almost as if it never happened,” he said.
“This is redolent of how cyber security has been, where everyone gets excited by mega events that make news headlines, but then attention peters out, only to be repeated weeks or months later. If failure, moral panic and quiet in cyber security and privacy mirror one another, the point is that we may not be learning the lesson of those big events.”
Room believes that this systemic problem in the economy may never be eradicated if the first couple of months after the first mega fine in the privacy world is any indication.
“The size of the proposed fines should tell the board of any business in the UK that they could be equally affected, and they are high enough to make a difference on balance sheets. Acting logically, there would then be a reaction in the economy for businesses to clean up their acts, but I don’t believe that is happening,” he said.
“My prediction is that we are going to be locked in a cycle in privacy that is equivalent to the cyber one, except the outcome is the GDPR fine, which like data breaches cause temporary shock and horror, but we will not learn the lesson of past failure if the cyber model is anything to go by and if the past few months are anything to go by.
“We should not be surprised if we look back in 10 years’ time and we have a long list of massive fines that have been imposed for privacy failures,” he said.
Businesses will break this cycle, said Room, only if they make it a matter of business purpose . “It is going to need people to see that quality data handling has to be part of the business purpose. That is the only way that we will break that cycle because until it is perceived to be a matter of purpose and therefore more important than anything else,” he added.
Room said his faith in the legal system to deal with this is not high, which is why he is searching for other ideas such as purposeful data privacy and the journey to code.
“This is the idea that we could somehow bake in privacy to tech and data and decouple it from the vagaries of boardroom attention in conjunction with trying to make this a matter of business purpose. I think that is the right route, but I don’t believe in regulation or that the data protection financial penalties regime is going to deliver the kind of outcomes that need to be delivered,” he said.
“We have got to start talking about how we deliver outcomes in code and data – the journey to code – and how do we get the board to see this as a matter of purpose. I believe that where we need to focus is on the journey to code and get the technology companies, data architects and coders to be thinking about the principles and rights of data protection instinctively to reduce the size of the problem at source.
“At the same time, we need educate the board to see this as a matter of purpose, not compliance, because as soon as they see it as a matter of business purpose, it is their problem rather than something for the compliance team to handle.”
Failure to do this, said Room, will in all likelihood mean the continuation of the cycle of penalties for privacy failure that mirrors the cycle seen in cyber security.
“The only way this works is if the board perceives it as a matter of business purpose, and they put in place enough technology and data to limit the possibilities,” he said.
“So what I am predicting is that the next 10 years will look like cyber, but I am saying that the boards and businesses need to beware, because they are missing the data-driven marketing bit.”