Data Protection Bill: The new Y2K for marketers

At a recent marketing fraternity event, the chief technology officer of an up and coming e-commerce portal declared: “We store all the data we can! Whether that be a click of a mouse, a hover over an image, or details entered by the consumer on the platform. We store all of it, even if we don’t know what to do with it right now.” Another marketer recounted an incident of a renowned Mumbai realtor purchasing databases from banks and storing it simply as XYXBank_Database. 

This careless handling of consumer data will need to change when the landmark Personal Data Protection Bill is enforced in India. The Indian business community, which has been working on the premise of 'if the consumer is mine, so is her data', will need to rethink all its consumer data practices and rewire those processes. 

The Srikrishna Committee Draft Bill states, in no uncertain terms, that individuals are the owners of their data. It also stipulates that companies can collect data only after explicitly declaring the purpose of the data being collected and upon obtaining permission from the consumer, the data can be used for that purpose only. And the data collected cannot be transferred to another entity for any reason. And so, the CTO of the e-commerce firm and the banks and the Mumbai realtor are all in violation of the Draft Data Protection Bill currently. 

The Bill is expected to be tabled in the Winter Session of the Parliament. It is unclear if the Bill will get passed before the 2019 General Elections. That said, the biggest media agency conglomerate - WPP - is taking the Personal Data Protection Bill very seriously and is urging marketers and its partners to start preparing for the day when the law is implemented. 

“Treat this Bill the same way that companies treated Y2K,” warns Anand Siva, Principal Consultant, Kantar Analytics. He says companies have time to prepare for the day the law is enforced and they should use the time available to audit their legacy practices and “clean up their act.” The key attitudinal change that is required, he says, is not to look at data as something that only “helps the company.” 

But not everyone is listening to Siva. He says that brands are still waiting for the government to put the final law in place before actually reviewing processes. “There are two types of organisations today: one that is saying we are very well covered, not realising that they aren’t; the other is the type that’s saying 'I will take a look at it when the time comes'.” 

Baldeep Singh, Country Manager, WPP’s Data Alliance, has also noticed this complacency and lethargy that Siva sees in brands. “The ground reality is that it is still new and fresh. People are still grappling with data privacy and security,” he says. But Singh is also positive that this is an opportunity. “As we try to understand data, how to use it, keep it private,and put in place Data Protection Officers, we have an opportunity to start fresh from ground up. We are at a great catalysing stage in India,” he adds. 

Despite these factors, Siva and Singh believe that soon data protection will become a hygiene habit for companies. “The law says that the possibilities of what consumers can choose from must be spelt out explicitly. The consent forms will no longer be one check box,” says Siva. 

Siva says compliance with the Data Protection laws can only help the brand have a healthy relationship with consumers. “Honesty and trust has to be implicit, it cannot be an afterthought. If a brand has a purpose for the data and is able to give value to a customer, there is no reason why a customer would not want to share their data.” Currently, only around 2-3 per cent of total retail sale takes place online and conversion rates are not as good as they can be. Therefore, Siva feels that if anything, companies will be able to target better and sharper when they enforce the Data Protection laws. 

The greatest challenge in the way of businesses complying with the law is intent, says Siva. He estimates the cost of audits and rewiring processes to become compliant to be anywhere around Rs 25-40 lakh. “Most companies might wonder if this is going to be a required expense at all since the law is yet to be enforced.” The other bigger challenge that Singh points out is that of finding people who understand this space. “There’s not too many out there,” he says. 

Companies should recruit a Data Protection Officer (DPO) and not made do with the legal team, Singh points out. “A DPO needs to be a person who can understand the technology, processes, the compulsions and needs of the marketing team. You do not need a specialist in tech, but someone who speaks all the three languages,” Siva adds. 

The biggest criticism of the Draft Bill is that it tackles the issue of privacy by replacing it with consent. So, will the Indian consumer take charge of her rights and not fall prey to the companies? “It might take a while, we might need some consumer education. We could have a data governing authority like we have for mutual funds. There will be a little learning curve for the first 6-9 months, and then it will settle down to be the norm,” says Siva. 

Singh strongly wishes for people to be aware of the risk of misuse of consumer data. “People need to start realising that their data can hold a lot of information about them which can be used to target them or even clone them.” The question people need to ask themselves is “what am I doing to safeguard my data?” Sigh says that the government needs to educate its citizenry about what constitutes data, the relevance of utilisation of data, and how it can be misused.   

And Siva says that consumer behaviour toward data protection is already changing. “Earlier the number of consumers who would sign up for the DND service with their telecom operators was around 30 per cent, now that number is 50 per cent. This number is increasing dynamically and very consistently.” 

As consumers become more conscious about their rights and the implications of misuse of data, it will be imperative for businesses to prepare for the day when the draft bill becomes a law. 

Finally, what’s the roadmap ahead for becoming compliant? Siva gives exchange4media readers the complete low down, read on: 

Before companies understand what processes to change, they need to understand what processes they have. Most organisations are working on legacy models. People who bring in these processes do not last long enough in these organisations, so processes that are put in place years ago are carrying on without any knowledge of why those processes were implemented. 
So companies first need to evaluate all their current process and figure out what was done, why, and with what compliance measures. Once that is done, they need to know what they plan to do over the next few years. For example, if they plan to launch new products, then it is important to know that a customer who buys a product today is likely to buy the next product as well. So the data consents need to be in line with what the marketing needs of the company are; not in isolation. 

The consent obtained cannot be very short-sighted, it needs to have a 2-3 year window so that the company is well covered when the new plans start coming into place. Once companies know what they want to do with the data, they need to find the gaps and fill those gaps. 

The other key point is to understand how efficient are the tools and technologies to manage these needs. We are moving into a Big Data space where there will be a lot of on/off switches for consent and this is possible to be implemented only when processes are automated. For example, if a consumer calls into a call center to have their data deleted, then someone there must authorised to expunge the data. Which means the technology has to allow that, the database has to be accessible to someone in the call center and there has to be evidence of the customer having asked to delete the data. 

The final aspect is the legal angle. When a company collects data from multiple sources, the consumer is the Data Principal and the company - Data Fiduciary. The company cannot place the blame on the intermediary who collected the data for any misuse of data - they are agents of the company, and the actions of the agents are binding on the Data Fiduciary. The company will need to ensure its agents and partners are also compliant before working with them.