The real solution to the ICO’s Direct Marketing Code

Since the introduction of GDPR, many firms have begun to fear the knock-on effects of tighter privacy controls on customer data. One of the hardest hit industries as a result of the regulation of personal data use for secondary processing is adtech. I believe there are justifiable concerns that strict regulation will stifle industry innovation and ultimately negatively impact the benefits and offerings for consumers.

Recent proposals announced by the Information Commissioner’s Office point toward actions that would almost entirely crush direct marketing in its current form. Although the final code has yet to be drawn up, this could result in far-reaching repercussions across multiple sectors.

The most concerning development is that the ICO appears to suggest that “legitimate interests” may no longer be an appropriate lawful basis for processing personal data for direct marketing purposes.

A recent webinar involving over 700 senior privacy and data innovation professionals from around the globe illustrated the industry’s main concerns:

SOS alert: Direct marketing to customers is being challenged, and innovative data uses are at risk.

Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for personal data to be processed with complex algorithms, such as those in the adtech space used to present relevant products to particular consumer groups.

Legitimate interests must be considered as a lawful basis for processing in place of consent, contract and anonymisation. This requires new technical controls that protect data when in use.

Immediate action is required. No one wants to be left behind.

Regulators have been forced to take a firm stance, as technologies used in the processing of data for profiling in direct marketing have moved at unprecedented speed. Alongside this rapid development, numerous privacy and data breaches have taken place on a regular basis.

However, there is a solution that can help the industry to innovate and achieve compliance at the same time: pseudonymisation. GDPR-compliant pseudonymisation can support both economic and business growth and the protection of privacy rights. But what is it, and how can it be achieved?

Pseudonymisation (newly defined at the EU level for the first time in GDPR) has a heightened standard relative to past practice and is repeatedly mentioned as a recommended safeguard for personal data. In more than a dozen places, GDPR links pseudonymisation to express statutory benefits.

The process embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy statutory and contractual requirements necessary to support privacy-respectful and lawful direct marketing.

I believe that only by moving with GDPR (rather than against it) can the adtech industry avoid being crushed by regulatory impacts such as those proposed by the ICO.

Gary LaFever is CEO and General Counsel at Anonos