GDPR – What does Design by Data mean?

Having attended a number of talks on the new GDPR regulations in the past week we thought that it would be a good idea to talk about one of the most interesting points in the 260-page document which forms the basis of the new rules.

One of the best things about Professor Tim Walters 2 hour keynote in London last week was the following:

From 25th May 2018, designers of digital systems are duty bound to design solutions that are compliant with the new guidelines.


This has three major ramifications:

  • It must be as easy for a customer to revoke consent as it is to give consent when agreeing to share their data
  • Dual culpability (meaning that GDPR compliance is the joint responsibility of implementation partners and clients) also means that controls will need to be built which allow customers to request access to their data
  • Because the onus of proof of consent now sits with the company holding the data processes around capturing data will need to be more robust

In this blog, we’ve outlined what this might mean in all three scenarios.


1. Making it easy to revoke consent


There is a lot of room for interpretation of the new rules. But if customer sign up journeys exist online then logic dictates that for it to be ‘as easy’ to revoke consent that this must also exist online. For those of you thinking, ‘hey couldn’t they just unsubscribe from our newsletter template or email us to ask for their data to be removed?’… apparently, the answer to this is no. Policymakers apparently plan to apply a very literal interpretation of the rules.

So if customers are going to be able to manage their own preferences online what does this really mean?

Well, firstly, as part of the sign-up process it will certainly help if companies collecting the data are more precise on what the consent is for and what data could be handed back. If you’ve not checked your consent agreements recently this is certainly something to look at. Moving forward it is not permissible to ask a customer to sign up for non-descript consent (E.G. marketing updates) or to hide the fact that you plan to share their data with other partners.

If a customer does want to be forgotten it’s important to think about what this means. For example, if they’ve purchased something before and want us to forget about those orders that are fine, but, we might want to keep a record of the products that they bought so that we can forecast seasonal changes in overall demand.

Finally, on this point, we expect to see more companies taking a more intelligent approach when it comes to user preference management. There’s a benefit to organisations in taking this approach too – if you involve end customers in managing their own engagement more effectively you should have a more engaged target list.


2. Access to Data

Under the new rules, customers can request a copy of all data records in every business systems. For businesses who send emails, run events, sell products and have customer services teams this could have a massive impact as the way customer data is handled can be very different at a departmental level. In some cases, they use completely different systems.

As customers can do this for free the time taken to find customer data is an absolute example of unproductive staff time. Creating a process for finding this information efficiently and with a minimum of staff time is likely to be a priority for many businesses ahead of the deadline.

However, I’ve got a novel idea. Rather than minimising staff time in response to data subject request could we not eliminate it?’

I recognise that this isn’t totally straightforward. The UK data protection legislation alone would mean that careful thought would need to be given to what credentials should be provided in order to access data. There would also need to be a judgement made around whether this process would make it more difficult to revoke consent than to give it.

If an organisation could create an automated data access request, that ensures data is only shared with the individual it belongs to, they could create an immediate competitive advantage by eliminating a whole area of redundant cost from their business.

3. Proof of consent


This is likely to be the biggest short term impact of the new regulation.

For anyone running a web-to-lead CRM Integration, a lead source of ‘website’ is no longer sufficient. You now need the date that the person gave consent and what that consent was for. If a customer complains, this information is vital in proving that the company collecting the data was compliant.

For most businesses, there is a question mark over where this data should live. So many businesses collect consent agreements in their CMS, CRM, ERP and email marketing tools but these systems tend to be replaced every 3-5 years.

Firstly, there will need to be a greater adherence to a ‘single point of truth’ in data strategies that exist in most organisations at the moment. Failing to consolidate data records into one system will mean a massively disruptive process when it comes to finding all records of one customer.

Secondly, when it comes to migrating systems, organisations will have to look further than moving data which is useful to themselves. They will also have to look at what they need to migrate to ensure customers can still access their data and consent agreements. For CMS vendors this may well include migrating user data tied to micro-conversions like newsletter sign-ups and document downloads as well as the more traditional conversions like sales and event attendances. For CRM vendors this will mean moving more than Accounts, Contacts, Leads and Opportunities.

Overall proof of consent rules and the migration of data will reduce the speed of changing from one system to another.


Summing Up

Unlike most regulations, GDPR is actually interesting…. Well, it is sort of. Some of the stuff above falls into the category of ‘good practice but we haven’t got round to doing it’, so the good news is that there’s now a deadline for enacting positive change.

The other good piece of news is that unlike most forms of digital disruption this change is being forced rather than companies having to be brave to break the mould. Companies who embrace the regulation (FYI – most companies haven’t even started to work on it yet) will avoid fines and potentially gather competitive advantage by streamlining what could be a very disruptive process.

Fancy a chat about GDPR? Give us a call at any of our offices listed below or drop us an email

London +44 (0)203 874 3574 | Boston +1 (617) 340 7044
Belfast +44 (0)28 9044 7800 | Dublin +353 (0) 1839 6580 | Leeds + 44 (0)113 357 0056

Alternatively, check out our latest blog topics for more great digital marketing insights and trends.

Share This

Subscribe to our mailing list