Data Protection 101

by Steven Roberts

Posted on Aug 5, 2022

Many marketers are still confused when it comes to regulations around data privacy. While GDPR is the best known data regulation, it has been a catalyst for other data privacy developments around the world, from California to Singapore and Brazil. Your business is only as compliant as the least trained person on your team, so ongoing training of existing staff is essential.

In this episode podcast host Will Francis chats with Steven Roberts, a veteran of marketing who has made the shift into data protection - he's so good at demystifying the whole issue, he's even written the book of Data Protection for Marketers.

A full transcript of this episode is available below. 

The Ahead of the Game podcast is brought to you by the Digital Marketing Institute and is also available on Apple PodcastsSpotify, and YouTube.

And if you enjoyed this episode please leave a review so others can find us!

Steven's 5 GDPR takeaways for marketers

  1. Audit your data
  2. Look at your processes and procedures carefully 
  3. Regular training
  4. Get the basics right and keep building on that.
  5. Identify data protection champions in your marketing team
“Sometimes as marketers, we rush off and look at the next shiny thing. Whereas before we delve into brand purpose, we should look at the people that have trusted us to give us their data. Are we auditing it correctly? Do we have the right procedures in place? Are we storing it effectively?” Steven Roberts

Podcast transcript

Will: Welcome to "Ahead of the Game," a podcast brought to you by The Digital Marketing Institute. I'm your host, Will Francis and today I'll be talking to Steven Roberts, all about GDPR and data protection for digital marketers. Steven is Head of Marketing at Griffith College. He has over 20 years marketing experience internationally, a certified data protection officer, and columnist for a marketing magazine. He's on a mission to help marketers understand that data protection and GDPR better. And his book published last year "Data Protection for Marketers: A Practical Guide" aims to do just that. Steven, welcome to the podcast. It's great to have you.

Steven: Thanks. Will, it's a pleasure to be here this morning.

Will: Yeah, I'm really glad we've got you. Because this is something we've not really talked about on the podcast, it's an important area. And I think it's something that all our listeners would really benefit from engaging with a bit more deeply and getting their head around, particularly as GDPR has matured. And I think there are a lot, you know that the whole area is maturing a bit more. But you know what, let's just start with an overview, set the scene if you like, just tell us what data protection is in the context of being a digital marketer.

Steven: Sure. So I guess the background, first of all, Will, is that you know, as marketers, it's digital marketers, where we're one of the largest users of personal data within our companies, and for our brands. And if you look at the broader marketing technology landscape, by my count, the last time I did a piece of research, there were over 8000 marketing technology platforms available to us.

So as a profession, we have plenty of opportunities to interact with personal data. And that's really where data protection and the GDPR comes in. So what is the GDPR? It's the General Data Protection Regulation was introduced in May 2018, introduced by the EU, and it was intended to provide a kind of a harmonized data protection environment across all of the EU member states. And really, you know, in terms of what does it mean for marketers? Well, look, there's 99 articles, and it's very easy to get kind of caught up in the individual detail of them. But when you're talking about data protection, you're really thinking about any personal information or information that could identify a person, that you or your business is using and from a digital marketing perspective, obviously, and that you're using for marketing purposes. I think there are some key kind of principles and elements to it that we'll probably talk through during the course of this interview, but some elements would be transparency. So for example, am I being transparent with my consumers with my potential customers as to how I'm obtaining their data, what I'm processing it for, how long I'm retaining it for, you know, another one would obviously be accountability as well that I have processes and procedures in place that can give people trust and confidence that their data is being used for the purposes for which it was obtained.

And you know that there is an adequate kind of lawful basis or basis under law for that processing. It's fair to say that GDPR is very much been on all of our radars as marketers since it was introduced, I think part of it was the potential for these eye-watering fines. No, up to 4%, of global turnover. And we are starting to see quite a number of large fines being issued by EU Data Protection Authorities, there was nearly 1.1 billion in fines issued in the 12 months up to January 2022. So it's not just, I guess, an empty threat or concern, in terms of these potential for fines, we are actually starting to see them impact not just the big tech firms, but also smaller and medium-sized businesses as well.

Will: That's interesting. Just in terms of the level of understanding of that, do you think most businesses understand GDPR? Or is it still a big sort of, you know, is there a big mystery to most?

Steven: I think people are actually quite fearful or uncertain about it. To be honest, I think it's a, you know, an acronym that if you throw into a conversation, people suddenly start getting quite wary about and I think part of that does come from maybe a lack of understanding of the regulation or also maybe the kind of word of mouth that has gone round with regard to GDPR. What I would always say and what was one of the purposes for which I wrote the book last year, a lot of it gets caught up in a lot of legal and compliance and jargon for want of a better word. And once you actually look through that and look at some kind of clear case studies and clear examples and I guess get to the fundamentals of what the regulation is about. I think that removes a lot of concerns that people have. And it gives businesses and digital marketers peace of mind. And what I would always start is what I was considered to be the kind of twin pillars, which are the do you have a lawful basis for processing the data? And are you adhering to the seven data protection principles within GDPR? So, I think you're spot on Will, there is plenty of confusion still out there. But I think the answer is for us, as digital marketers, and marketers more generally, is to educate ourselves and get the basics and build iteratively.

Will: It sounds like you've found ways to simplify it for businesses and digital marketers. And you said there, there's two pillars, you made it sound way less scary to me, you know, there's the lawful basis, and then the seven key principles. So let's unpack that. Start with this lawful basis.

Steven: So really, there are six lawful bases, you can look at contract, you can look at consent, there could be a legitimate interest, there could be a legal basis, there could be a vital interest on behalf of the data subject, or there could be a broader public interest. And really, I guess I'll talk through them in a little bit more detail. So as marketers consent, that has to be freely given has to be unambiguous, specific, and informed. So really, if you are going to set up an email list for your newsletter, you've got to make sure that people if you're relying on consent, you've got to make sure that individuals have the information to make a fully informed decision, essentially, and that that consent is affirmative. So they've had to express it in some way via they've had to actively tick a box or something like that.

Will: Yeah, they can't just be a customer that's bought something from you, and you've got their email address, they have to have explicitly said, "I'm okay to receive your communications," right?

Steven: Well, that's actually an interesting piece, well, maybe we'll do a slight digression down that route. With customers, it's certainly under Irish law, it's slightly different. So if you've got a customer, and they've had an opportunity to opt-out, at the time of purchase of the product or service, and they've chosen not to do so you can contact them as a business within the next 12 months, as long as it's offering them a similar product or service. So that's an area that marketers sometimes there is a little bit of confusion around. So generally, if it's an individual who's not a customer, the standard rule is they'd have to consent or opt-in. But if they're a customer, and it's a similar product or service, you can work on the basis, you inform them at the time of purchase, and give them an opportunity to update. Now you can continue to communicate with them, offering them an unsubscribe each time you communicate, as long as each correspondence is within 12 months of the previous one. So that's a question I actually get asked quite a lot.

Will: Is that specifically under Irish law, is there something similar in the GDPR or?

Steven: My understanding is that that is similar, because it's coming through the ePrivacy Directive, which is a linked piece of legislation to the GDPR, but slightly separate, but I would recommend any of our listeners that are operating outside of Ireland, just to you know, to double-check that within their local laws, but that is a kind of a difference between customers and non-customers. And when we go back to non-customers, absolutely, they have to consent in an affirmative opt-in manner. So that was the first lawful basis, the second one will be contract. So obviously, if I let's say I'm signing up to a mobile phone contract, they'd obviously have a requirement under that to capture certain information it could be billing data, it could be, you know, my address, that type of thing. So if it's required for the processing under a contract, that's another basis. Let me see, where are we at? after it's a legitimate interest. So that's quite a broad one.

Will: This was the one that got a lot of interest around it. Because a lot of us felt wow, there's a loophole.

Steven: So a legitimate interest, really it's a three-part process, you're looking at purpose, necessity, and balance, so you're looking at the purpose of the processing, as I mentioned, and whether that can be achieved in a different manner or a manner that doesn't involve data processing of individuals personal information, you're looking at the necessity of it, and then you're looking at balancing the rights of the business with the rights of an individual. So that's on that side. Then the next three are there's maybe slightly less relevant to marketers, but you've got if there's a vital interest so that's obviously if somebody is in personal danger. Their vital interests are threatened and they're not in a position to give consent, you have the ability to process their personal data for that particular purpose. So typically, maybe it could be a medical issue or something like that, where their own health or person is in danger, there's a public interest. So that could be a public health interest. Or it could be, you know, a lot of the examples we've seen recently in terms of businesses and government bodies processing around COVID.

And then lastly, you would have if there was a lawful basis, and again, or based under law, so that could be revenue processing your financial details, or it could be the statutory body for like Irish water, for example, processing information only because they are...a motor tax, for example, because there's something under law that allows them to do that. So those are the kinds of six lawful basis, and then you pair them up with a second pillar.

And that second pillar is really around the principles. And I always find right I generally find that anytime someone has a concern, or query within their business as a digital marketer, usually, if you go back to these two pillars, you can get fairly close to the root of the problem. So not to take too long on it, but just to talk you through those seven principles. So it's got to be lawful, fair, and transparent. So there's got to be that basis in law that we just chatted about, it's got to be fair in terms of would there be a reasonable expectation this is how data is being used, you got to be transparent about it. So you've got to provide that information. Let's say if you're getting consent for an email, marketing campaign, for example, or a newsletter, are you being transparent as to how that data is gonna be used and retained, etc. Purpose limitation. So you're only using the data for the purposes for which it was originally obtained. And then data minimization.

So again, as marketers, we tend to kind of go, ah look, I'll ask that question on the survey, just in case Will, just in case I'll need it in the future. And really, you know, do we need it, what's the minimum amount of information we require, in order for the particular processing to take place? Accuracy. So if you're holding information, it's got to be accurate. So if somebody has obtained information from you, or I for a marketing campaign, for example, and there's an incorrect address or a name is wrong, or some other element of personal information, we can go back and request that be amended. Storage limitation, again, that's a key you want to have a retention document in place, that's probably when we might return to in due course, you know, only retaining information for as long as you've originally stated you would do so or for the requirements of that particular processing, integrity, and confidentiality. So all aspects of security of the data. And then the last one is accountability. And accountability is kind of this overarching theme. It's really about how do you show the data protection as a living, breathing kind of thing within your organization. So have you processes have you policies. You know, is there documented proof of how you approach data protection?

Will: That's interesting. I mean, now you talk about them, it does seem quite clear. Although there is a lot around it, that is about reasonableness and fairness. And it is subjective, you know, like data minimization, well, who's to say I don't need your shoe size? You know, because I think with also this... because of this issue with third-party cookies going away, all marketers are being told you must gather your own data on your customer's first-party data. So if you are a shoe shop, don't rely on these kind of like middlemen, Google, and Facebook to help you reach the right customers. Just find out more about your customers find out their shoe size or find out their gender, whether they've got kids, etc. So you can offer them more relevant products. Am I ever in danger of straying, for instance, if I'm a shoe shop, is it okay to ask if someone's got kids and what everyone's shoe sizes are? Or what do you think?

Steven: Well, it depends. I mean, we've talked about them. I mean, if they're already a customer, you will have quite a bit of data on them. And again, you can reach out presuming they've been given the opportunity to opt-out at you know, at the time that they bought the set of shoes. You know you can reach out again, with a similar product or service. So if it's a, you know, it's a size 10 shoe or whatever it might be well, then I would think it's reasonable if you've informed people at the outset, where it's not a customer, and you're looking to obtain the data. Again, it's just been transparent, you know, and you're right. It is a lot about reasonableness and fair use of data. So I think you've got to look at it in terms of, you know, would you or I reasonably expect that this data was being used in that way. And when we gave our consent, you know, was this covered by that were we transparent and upfront about it?

Will: If on the front page of the online shoe retailer, they say tell us your shoe size and gender so we can send you the latest products. I mean, you would reasonably expect that they're gonna store that data and they're gonna use it to you know, so you're right. I think that's very transparent, isn't it? And everyone knows what's happening.

Steven: I think so and as well, I mean, again, you know, you've got an opportunity on your website to outline exactly how you're gonna use that information. And that's really where digital marketers and their companies should spend time making sure that you're being transparent. And then just adhering to it. And we talked about one of the principles being around kind of storage limitation. So don't suddenly be holding that for another 10 or 20 years without a lawful grounds for doing so. You know, so that's why I always say that I feel they are the twin pillars, the principles and the lawful bases. If you allow yourself to be guided by them, they generally answer most of the queries you would have as a digital marketing team. And going back to your point about reasonableness, Will, you know.

Will: It's so interesting that, isn't it? I studied law in my 20s. And I was really surprised when doing so how much of law comes down to what is in English law anyway called The Reasonable Man Test. I don't know if there's an EU or an Irish equivalent. And they still have some really antiquated thing. But in English law, they still talk about this hypothetical man on the Clapham omnibus. I don't know if you've ever heard about this?

Steven: I haven't. I haven't no.

Will: And it's a very old-fashioned legal way of saying the average person in the streets, yeah. And the test is, would the average man on the Clapham omnibus, which is like an old-style bust [SP] in South London. Would they think that this was fair and reasonable, so would your average person in the street think it's fair and reasonable, it would just, it really astounded me how much of law came down to that, because the end of the day, you can't codify everything, you can't put every rule down on paper with very clear boundaries, a lot of it has to come down to, you know, for a law to not be like a billion pages long for a statute not to be a billion pages long, it just has to be some basic kind of guidelines. And then, you know, reasonableness and fairness. So I think your own sense of that should definitely be a guiding light, when managing data, right?

Steven: I think so, Will, I think so. If you asked yourself, or most of us listening asked, Would I reasonably expect my data to be used in this way? That's a pretty good guide for anyone when they're looking at how personal data is being used within their firms. Now, obviously, you have to go back to the principles, the lawful basis, etc. But if you're looking for a rule of thumb, if I was this customer, would I reasonably expect my information was being used in this manner and for this purpose? And as you say, like the Clapham example. I think that you know, that is a pretty good guide. You know, it's interesting, in a way, as marketers, we're in this long-running debate around, you know, as marketing and art or science and probably, you know, for my 20-odd years, and it always feels like it's a mix of both. But then you look at an entirely different discipline like law and data protection. And you realize that there's also a heavy amount of context there, isn't there? You know. So sometimes I think we look at other disciplines and go, oh gosh it would be great to have, you know, these firm, fixed scientific rules. But you know, the reality is, an awful lot of human life is around judgment calls and aspects of data protection are no different.

Will: Hello, a quick reminder from me that if you're enjoying our podcast series, why not become a member of the DMI so that you can enjoy loads more content from webinars and case studies, to toolkits and more real-life insights from the world of digital marketing, head to, sign up for free. Now back to the podcast. 

Well, that brings me on to wonder how you got interested in this particular area, then, you know, thinking about how we kind of weigh up different industries and professions and disciplines. How did you get into this?

Steven: Yeah, good question. Will, as I mentioned, and as you said at the outset, I've been in marketing for a little over 20 years at this stage, and mainly within the kind of tourism, heritage, education kind of not for profit sectors, I guess those would be the various sectors that I've had marketing roles within but over the last five to eight years, I'd increasingly noticed data protection aspects or issues crossing my desk, and it kind of sparked a broader interest and I kind of said, "Look, I really need as a marketer to know this well, and to have a detailed understanding of it." And I kind of prompted a journey. Will, to be honest, so I studied to be a certified data protection officer. I knew GDPR was upcoming. So I took a postgraduate course in that area and then got the DPO certification. And then I got involved with the Data Protection Committee in the college here in Griffiths.

So we're one of the largest private third-level institutions in Ireland. So we'd have over 7000 learners across our campuses. And I was very involved in setting up the Data Protection Committee there. And I started then writing articles on data protection for our marketing magazine, and a number of other national, international publications. And just going back to the, I guess, our earlier conversation, there seemed to be a gap for talking about data protection in a way that wasn't overly reliant on compliance or legal terminology. And to put it into kind of three matter-of-fact, straightforward examples, and descriptions. So that just led to then I had the opportunity to write the book last year for Orpen Press, "Data Protection for Marketers," and as I say you know, as a marketer, for more than two decades, I knew the issues that we face. And having been involved in data protection for many years, at that stage, I felt I could give a fairly clear-sighted kind of view to the whole area and try and make it practical, and maybe not try and cover every single part of GDPR. And it's minutiae, but to guide on the key pieces, like the lawful bases, the principles, you know, the rights of individuals, all of those areas that really how the journey kicked off, you know.

Will: Yeah, I suppose coming to it as a marketer, you understand that unless this stuff is actually actionable and applicable, then it's kind of useless. And like you said, a lot of the existing information out there it's in legalese. It's not in the kind of language marketers will engage with. And I think that's why it has been quite just this kind of scary, kind of ominous thing. This specter that looms over marketing a bit that people kind of yeah, sometimes completely ignore because they just can't deal with it, or they just don't understand or they implement badly. I mean, I do wonder about when GDPR came in in May 2018, I feel like there was a panic. And I felt caught because I was still doing... I still had some clients, we're still doing some marketing consultancy, then I kind of fully transitioned to just telling other people how to do it now. But yeah, and I just felt like clients were actually kind of asking me to make poor decisions on their behalf. I think knee-jerk decisions. Was it a mistake? You know, like a lot of small to medium-sized businesses, were essentially chucking away their entire email lists. Well, or they were asking people to re-subscribe and, you know, a very small proportion did. Was that the right thing to do?

Steven: Well, yeah, that's a good question. I think to go to the outset of your question, there was definitely fear on the part of marketers. I guess there's two elements to answer really, the first one is, I think a lot of it came from the fact that many of us didn't know what data we had. We haven't necessarily audited correctly, there's a lot of churn in marketing. So marketing manager A is in for a number of years, he or she and their team obtain a lot of data, they move on to maybe the record-keeping, particularly in smaller mid-sized businesses isn't as strong as it could have been, or should have been.

Will: Spread across various systems, not really very kind of organized. Yeah.

Steven: Exactly, exactly. And we've all faced that at some point. So I think that was a wake-up call when GDPR came in, and people really hadn't audited their data. On the second part of it, you know, if the data that you have, if that's old leads, you know, if it's been obtained over a long period of time, and really it exceeds what it was originally obtained for, you know, going back to those principles, again, the purpose for which was originally obtained and stored only for the length of time for that purpose. You know, a lot of databases didn't need cleaning up. I mean, I'm sure like myself, Will, you can remember when you had a data, you know, a database target of just grow it by X amount. And really, I'm not sure that that's the right way to go. A lot of it is about having the right data. So I think there is a benefit, and a lot of us are paying for it. You know, if you look at marketing technology platforms, a lot of us are paying based on the volume of leads we have. So it's about having the right leads for your business. And I think GDPR actually did many of us a favor, enforcing us to look at that auditor properly. And rather than just having 10,000 people of which maybe 9000 were lukewarm, you actually had a smaller database that was properly effective, and you were getting a proper return from it.

Will: So do you think then there is a business case for this stuff?

Steven: I do. Yeah. I mean, I think, first of all, look, the reality is you know, it's a requirement under law. But there is also a business case as well. First of all, we're seeing we're kind of more and more coming into a time where a data is kind of the new oil or the, you know, it's basically fueling the 21st-century economy. And at the same time, people are more and more aware that their data is being used by big tech firms, by businesses in general. So I think there is a benefit to businesses more broadly, just in terms of that trust, and from a reputational perspective in being very sound, in terms of their data privacy and data protection practices. And I think that will increasingly come to be the case, but there's broader aspects to it as well. And the first one, as we say, is there's a clear marketing and business benefit from having audited your databases and having, you know, clean databases that have effective leads and effective contacts.

And the second part is that you know, you can't underestimate, particularly for a smaller, medium-sized business, the amount of upheaval that can happen, if you get an access request in and you don't have processes in place to deal with it. If there's a data breach, and you don't realize that you have, you know, 72 hours to report that or you don't have processes in place, or that the one person that has experience of this is away, or they're sick, or they're... you know, that can really clog up a business for a significant amount of time. And the other side of it is Data Protection Authorities have significant powers, they can suspend processing, it's not just necessarily a fine. So, you know, there's a carrot and a stick element to it is the honest answer, Will.

Will: Yeah, because that's it, it seems like it's all stick. Right? And I think, you know if I was the owner of a 20-person business, or I'm the finance person of a 100-person business. Yeah, what's the argument to me that we should actually spend time on this because I'm just interested in making money and making the bottom line look as healthy as possible this quarter, this year. But as you say, it's about being ready to respond to any data requests from customers. It's about quality over quantity, and going forward for many years to come having better data practices, right? And building that foundation now, getting the house in order now. Because it's kind of unavoidable. If it is all a mess, isn't it? But then it's not just a thing you do for now, like I say, you're building a foundation for many years to come of having more efficient practices that reap benefits from month to month, year to year forevermore.

Steven: Yeah, I think there's another aspect of that. Will, and we probably haven't talked about it that much as yet. But really the ongoing importance of training. So we know, as marketers that there's a huge level of churn, generally within our industry. You know, it was always a sector where people tended to move quite regularly. But that's been exacerbated by, obviously, the impact of COVID and lockdown. And really, you know, it's kind of a slightly worrying statistic is that up to 90% of data breaches are due to human error. So really, your business is only as compliant as the least trained member of staff on your team. So there's two aspects that are trained. The first one is, you know, a lot of us would have undertaken training back in May 2018. With GDPR, with its arrival, but you've got to continue to undertake training of existing staff as well as new staff because the GDPR is, you know, that law is bedding in there to suit as you say, it's four years plus since it came into effect. And really, you know, starting with training and having a regular commitment to training is a great way of maybe reducing the fear factor and making sure that people are thinking about the key aspects of data protection when they're going about their day-to-day roles within digital marketing.

Will: We've talked about GDPR a lot. Is that gonna become the template for the kind of regulation that's gonna be, I suppose, inevitably rolled out in other parts of the world, do you think?

Steven: I think it is. I think it is, I think the GDPR has, okay, if you look at it from the use original ambition was this harmonized data protection environment across the EU, I think that is still an ambition yet to be realized. There are still local nuances in individual countries, but it has definitely sparked a wave of similar legislation around the world. You know, probably one of the best-known kind of laws internationally would be the CCPA, the California Consumer Privacy Act, which mirrors not all of GDPR but substantial amounts of it. Then you've had new data protection laws in China, in Singapore, in Brazil. So, it very much has been the catalyst for countries around the globe to really look at their data protection laws.

Now, for businesses, it creates a minefield, because if you're trading internationally, you have to not only unless you're based in Ireland, and in my case, for example, you've got to be aware, not just of the EU, as GDPR. But you've got to make sure that, you know, if you're trading into California, for example, that you're adhering to their local law. So it's becoming, in my view, more complex rather than less. But that's probably more of a reason than any to make sure that people are getting trained up that they are aware of the requirements. But it is challenging, and certainly from multinational marketing team, team of digital marketers, it's, you know, I can see it going more in that direction, rather than less in the coming years.

Will: I mean, I suppose I've always worked on the assumption that you know, if you're compliant with GDPR, you're almost certainly okay with anywhere else in the world. Because GDPR would be I say, you know, it seems to be the most from my layman's understanding the most stringent. And also, it seems very likely and very logical that everywhere else will kind of catch up with that. So is that a kind of good default way of working. Do you think?

Steven: Yeah, again, look, you're still gonna need to check the local laws, but it is a good rule of thumb, Will. And that's really what we're trying to talk about through a lot of this discussion. Yes, I think it's reasonable to say that the GDPR has one of the highest compliance bars in terms of its data protection requirements, and most companies don't want a twin track or multiple track approach. They're gonna go, okay, what's the highest standard we have to hit? let's adhere to that. And then everything else will, you know if there's slightly more lenient legislation and other countries around the globe. Well, at least we've hit this bar of the GDPR. And that's kind of more broadly covers. That said, there are, you know, if you are sitting within a multinational digital marketing team, there will undoubtedly be local nuances. It could be what, cookie consent, it could be you know, it is we're chatting with your legal and compliance teams. But again, if you're in that situation, you should have access to reasonable resources within firms of that size.

Will: You talked about businesses being fined for this stuff. I'm curious, have you got any examples of the actual breaches that have happened that have ultimately incurred fines?

Steven: Yeah, I mean, I'll try and avoid naming names per se, but some of them certainly with the technology firms, a lot of it seems to relate around transparency, and not being completely transparent in terms of how people data is gonna be used, or maybe shared with third parties. And when it comes to smaller businesses, the examples that I would have seen would have been maybe, you know, human error, where somebody has sent some sensitive data to an individual that they shouldn't by accident, because maybe the CC field was copied in wrong or, you know, and then it even comes down to minor things like people using the CC field rather than Bcc in their email. And suddenly it goes out to a large group whose information has been shared, unwittingly. So you know, then you've got the very large examples of being hotel firms and airlines where they've had cyber attacks or data breaches. And it could be millions or tens of millions of people's data being...

Will: Because malicious actors have actually gotten in.

Steven: Malicious actors. Exactly, exactly. So it's a real mix. Well, it's a real mix. But I would say with smaller businesses, a lot of it comes down to...

Will: Careless spilling of data.

Steven: Yeah, yeah, that type of thing, you know, or else, that they just haven't gone back to those twin pillars in terms of storing it for only as long as it's needed, or retaining it for only as long as it's needed. So, yeah, I mean, there's actually what I, again, maybe most relevant to our Irish listeners, but I'm sure the UK's ICO, the Information Commissioner's Office is similar, but there's very good case studies in their annual reports. And you might go, oh, God, you know, I have to read through this annual report in data protection, they often have some good examples of firms who've fallen afoul of, you know, could be particularly around direct marketing, actually, you know, people have used databases in the wrong way or they've... there was actually an interesting example in that the Irish data protection commission's report, I think it could have been its most recent one, certainly within the last two years, but you had insurance companies that might be contacting people as a reminder that their policy is up for renewal. But within that, they're actually packing that message with a lot of marketing information and the DPC has come back and said, "That's not really a renewal reminder that's more of a marketing piece."

Will: It's fully actually the ICO in the UK, I just looked up their annual report they said in 2020/21, we issued three fines totaling £39.7 million. And the biggest one was, in October 2020, we fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers. Found that the airline was processing a significant amount of personal data without appropriate security measures in place. And they did not detect cyber attack in 2018 that went on for more than two months. And so basically, yeah, similarly with Marriott, they fined Marriott £80.5 million, again, failing to keep millions of customers' personal data secure. So there's a running theme there, as you say. And where there are large, well-known companies like that they are natural targets for malicious actors who know that, because we all assume God, a company like that, I mean, they'd have all their stuff locked down, right? But hackers know that that's not the case. They know that everyone's only human and that things get missed. And these big famous companies can leave things in an encrypted form.

Steven: Well, that's it, Will, you know, yeah, you're absolutely right. I mean, those are two... And they were two early kind of headline fines as well, not long into the GDPR. And really, I guess, going back to you say, "Well, look, why should a business concern itself with GDPR?" Well, there's a perfect example there, there's you and I talking about, you know, large global brands, whose reputation has definitely been impacted by that. It's still a bit, you know, you can still read through what exactly occurred online, and it's not gonna help their consumer trust, and really, that's part of our remit and our role as marketers, we're the voice of the consumer, within our businesses. And really we should be on top of this stuff. Certainly, we should be a voice within the company advocating for that because I think so many of us get... you know, there's a lot of discussion around brand purpose, and, etc, as you and I both know, and I kind of feel that runs a little bit hollow if we haven't kind of looked after the nuts and bolts of what's required under law, and then nothing to do with any specific firms we've we've chatted on, but I just feel more generally that sometimes as marketers, we rush off and look at the next shiny thing. Whereas in actual fact, maybe before we delve into brand purpose, we start to look at well, for the people that have trusted us to give us their data, you know, are we auditing it correctly? Do we have the right procedures in place? Are we storing it effectively? You know, all of those points? I really think we, as a profession, it's useful for us to take some time around that.

Will: Okay, that's really interesting. Well, look, I know our time is running short. What I would love to get out of you, for our listeners is could you give us five or thereabouts practical steps like actionable, hard, practical things that listeners should go and do right now, after listening to this episode, to get their data protection practices and processes in better shape?

Steven: Absolutely. You're putting me on the spot here, Will, no problem, no problem. And I'll try and keep it to five. And, look, listeners will probably say, gosh, I think I've heard Steven say it already and you know, they're right. Some of these, we will have covered but there's a reason first, you know.

Will: That's all right.

Steven: So the first one I would say is audit your data. How can you be compliant, if you don't know what data you hold, and how you process it. So there's just multiple benefits to that, you might actually spot opportunities that come from it, you'll have leaner databases, you will reduce the risk profile of your firm, you will have more confidence in the marketing that you're doing day-to-day. So that's the first thing. Second thing is, you know, look at the processes and procedures. So we talked about things like an access request comes in. So who's gonna respond to that you have 30 days to respond. And it can be extended by a further 60 If it's a particularly complex request, but typically, it won't be. Who's gonna look after that? If you're looking at new procedures, you know, around...sorry, new platforms or ways of data processing, have you data protection impact assessments, have you that template in place as part of your process and procedure? So that's the second key one, take time around that.

The third one, I would say is regular training. We talked about it again, there's a lot of churn in our industry at the moment. I would say training for your existing staff is as important as induction and onboarding training for your new staff. It's got to be... You rightly mentioned Will, we all have quarterly half-yearly annual targets. They're rightly the top-of-mind focus for any marketer. It's through regular training that we also keep in mind that we have, you know, big requirement around data protection, best practice. So I would say that's the third thing.

The fourth one, you know, Rome wasn't built in a day, get the basics, right. Start with the principles and the legal bases, that's not all of GDPR. But it'll certainly start to give you trust and confidence that you're building iteratively towards something. And in fairness, most companies in my experience, and certainly anything I've heard more generally out there, most companies are still building towards, you know, that kind of state of perfection around their data privacy culture. So don't presume that it's beyond you just start like with anything, take one step after another, just build from the basics. And over time, you'll find that you'll get there.

And then the fifth one is really identify champions. First thing is, they should be led from the top, this isn't just a marketing requirement, the board, the executive team, they should be talking about the importance of data protection, and keeping it alive. I definitely think identifying data protection champions within digital marketing teams is hugely helpful. If you've got, you know, multiple locations, no compliance or legal team is gonna be able to keep an eye on every aspect of a business that size. So identify someone who's going to maybe talk about it on the weekly marketing team meeting agenda, or is gonna send around stuff if there's a change in the privacy laws or an update on UK GDPR, for example, they send something round, just sort of, you know, it remains top of mind,

Will: Just so it's someone's job to be thinking about that and be responsible for it within marketing.

Steven: You know, it's everyone's job in one respect because it goes back to that thing of that least-trained staff member, but having somebody that might have a bit of an interest or an enthusiasm for it means it's just there along with all of the other dialogue around zero-party data and whatever else is going on at the moment.

Will: Fantastic. Well, they sound like practical, actionable things that we can go away and do. I think that's really valuable for people. And I would recommend that people do that. I've only got one last question for you, Steven. tell our listeners before you go, where they can find and connect with you online.

Steven: Sure, thanks. Will, yeah, I mean, I probably the handiest is LinkedIn, I'm probably most active there. So stevenroberts-marketing would be where you'd find me there. Twitter @StevenRoberts1. And then obviously, with the book "Data Protection for Marketers," that's available on Amazon. It's in Waterstones, all good bookstores as the saying goes. And yeah, look, I'd be delighted to hear from listeners.

Will: And we'll link to all that in the show notes of the episode as well. So listeners can check out your book and connect with you online. Well, you know what, that was really useful. I have come out of the last 50 minutes smarter and more informed about this stuff. You've got a really nice, simple way of getting it across and I really appreciate that. So yeah, thanks a lot for taking the time with us. Great to chat with you, Steven. And hope to chat to you again soon.

Steven: Thanks. Will, it was a pleasure.

Will: If you enjoyed this episode, subscribe wherever you get your podcasts. And for more information about transforming your marketing career through certified online training, head to Thanks for listening.

Related Articles

Steven Roberts
Steven Roberts

Steven Roberts is Group Head of Marketing at Griffith College with 20 years experience in marketing at senior and director level across the education, tourism, not-for-profit and heritage sectors. He is also a Fellow of the Chartered Institute of Marketing (FCIM) and a Certified Data Protection Officer (CDPO). Member of the Marketing Institute of Ireland, Public Relations Institute and Association of Compliance Officers in Ireland. He has written Data Protection for Marketers.

Upgrade to Power Membership to continue your access to thousands of articles, toolkits, podcasts, lessons and much much more.
Become a Power Member

CPD points available

This content is eligible for CPD points. Please sign in if you wish to track this in your account.