APRIL 3, 2020

The real solution to the ICO’s Direct Marketing Code

Since the introduction of GDPR, many firms have begun to fear the knock-on effects of tighter privacy controls on customer data. One of the hardest hit industries as a result of the regulation of personal data use for secondary processing is adtech. I believe there are justifiable concerns that strict regulation will stifle industry innovation and ultimately negatively impact the benefits and offerings for consumers.

Recent proposals announced by the Information Commissioner’s Office point toward actions through which direct marketing (in its current form) is almost entirely crushed. Although the final code has yet to drawn up, this could result in far-reaching repercussions across multiple sectors.

The most concerning development is that the ICO appears to suggest that “legitimate interests” may no longer be an appropriate lawful basis for processing personal data for direct marketing purposes.

A recent webinar involving over 700 senior privacy and data innovation professionals from around the globe illustrated the industry’s main concerns:

SOS alert: Direct marketing to customers is being challenged, and innovative data uses are at risk.

Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for personal data to be processed with complex algorithms, such as those in the adtech space used to present relevant products to particular consumer groups.

Legitimate interests must be considered as a lawful basis for processing in place of consent, contract and anonymisation. This requires new technical controls that protect data when in use.

Immediate action is required. No one wants to be left behind.

Regulators have been forced to take a firm stance, as technologies used in the processing of data for profiling in direct marketing have moved at unprecedented speed. Alongside this rapid development, numerous privacy and data breaches have taken place on a regular basis.

However, there is a solution that can help the industry to balance innovation and achieve compliance at the same time: pseudonymisation. GDPR-compliant pseudonymisation can support both economic and business growth and the protection of privacy rights. But, what is it, and how can it be achieved?

Pseudonymisation (newly defined at the EU level for the first time in GDPR) has a heightened standard relative to past practice and is repeatedly mentioned as a recommended safeguard for personal data. In more than a dozen places, GDPR links pseudonymisation to express statutory benefits.

The process embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy statutory and contractual requirements necessary to support privacy-respectful and lawful direct marketing.

I believe that only by moving with GDPR (rather than against it) can the adtech industry avoid being crushed by the regulatory impacts such as those proposed by the ICO.

Gary LaFever is CEO and General Counsel at Anonos


This article originally appeared in DecisionMarketing.  All trademarks are the property of their respective owners. All rights reserved by the respective owners.


Are you facing any of these 4 problems with data?

You need a solution that removes the impediments to achieving speed to insight, lawfully & ethically

to Insight
Are you unable to get desired business outcomes from your data within critical time frames? 53% of CDOs cannot achieve their desired uses of data. Are you one of them?
Lack of
Do you have trouble getting access to the third-party data that you need to maximise the value of your data assets? Are third-parties and partners you work with worried about liability, or disruption of their operations?
Inability to
Are you unable to process data due to limitations imposed by internal or external parties? Do they have concerns about your ability to control data use, sharing or combining?
Are you unable to defend the lawfulness of your current data processing activities, or data processing you have done in the past?
Traditional privacy technologies focus on protecting data by putting it in “cages,” “containers,” or limiting use to centralised processing only. This limitation is done without considering the context of what the desired data use will be, including decentralised data sharing and combining. These approaches are based on decades-old, limited-use perspectives on data protection that severely minimise the kinds of data uses that remain available after controls have been applied. On the other hand, many other new data-use technologies focus on delivering desired business outcomes without considering that roadblocks may exist, such as those noted in the four problems above.
Anonos technology allows data to be accessed and processed in line with desired business outcomes (including sharing and combining data) with full awareness of, and the ability to remove, potential roadblocks.