GDPR and Media Innovation - Digital Catapult
the GDPR fines have got boardroom attention, when those of us wittering on about data for years has been ignored
The GDPR stopping you using your marketing database without new consent is much more significant than potential fines
Data Protection legislation is principles based - it does not tell you exactly what to do
we are used to asking all sorts of questions and not being sure how we use it - even now vendors are selling databases that can't be updated
GDPR extends the data protection principles - now must be Fair, Lawful and Transparent too. Most systems are not transparent at all.
The other new principle in GDPR over Data Protection is Accountability - you now need to show your working
Transparency means that you need to tell people why you are collecting the data, how long you'll keep it, what you will use it for, and explain it in clear language, not legalese
The data access rights mean that you need to enable people to correct and erase data you hold on them, and export it
if you use the right to erasure, you will also be take off the marketing suppression list, so you will get untargeted marketing
Data Portability is a bit of a red herring - it was there to encourage building a European social network, but network effects mean there will be no-one there
the broadcasters are under pressure from new short form interactions, and we want to keep them in long form
I can see an advantage in being able to move your preferences between iPlayer and ITV
GDPR is still platform neutral, but it is still very mainframe shaped with controllers and processors
Consent is not specifically defined to be 'freely given' meaning it can be withdrawn. It also needs to be affirmative, so no default checked checkboxes
what we need to get to is Privacy by Default - we get there through Privacy by Design, after doing a Data Protection impact assessment
The public sector already has data breach mandatory reporting - this is new for the private sector and needs planning for
There is data everywhere, we are swimming in it and we don't always notice when a bit goes missing. We now need to know that.
The Journalism exemption to GDPR is a bit of a tricky boundary - do comments on articles count?
marketing our programmes is not covered by a journalism exemption
As media we are used to people talking to us - we ask for comments and get them. In the longer term will media want to talk to them more?
as we move from broadcasting to more personalised streams, we need information about them to provide that personalisation
as companies have to send out GDPR marketing reconsent emails, they are having to give consumer s incentives to sign up again
people are realising that they need an intermediary between them and news or information, but it no longer is our media organisations
some media companies are asking "do we need this inaccurate data from adtech? could we do it ourselves?"
what media have to do is Transparenccy: records of processing, where the data is, how it flows, retention schedules, breach notifications
we have seen trust in online services drop over the last 10 years - if we want trust we need to be transparent
very few organisations have data accuracy and quality processes built in - this needs to chain with mandated transparency
we did an experiment with iPlayer to use viewing habits to create recommendations - when we asked viewers about it they assumed it was personalised already, not editorial
5 years ago we looked at what happened if you recommended from video to music or vice versa - we found we need more data to cross media
we worked with an energy company to rewrite terms and conditions into plain English so that people could measurably understand them
this meant rewriting the conditions to narrate the user journey - no longer organised by category
freely given and informed consent is not about plain English, it's about remodelling the user journey so that it is understandable
there are many companies that are accidental publishers - they end up publishing information to customers without haviing a journalism practice
companies have to look at the risks of not being trusted - of taking personalisation too far
if your personalised it wasn't a welcome surprise unless you explained how it happened - we gave a semantic breadcrumb trail
now netflix and amazon say recommending this because you watched that - explaining mitigates this
the gold standard for personalisation is Songkick - we want that delight when we get the email
Johan Naughton at Prospect magazine calls it the Web of Spies: https://pocketmags.com/prospect-magazine/feb-18/articles/302763/web-of-spies
"Bitcoin Services, formerly known as Tulip BioMed, saw its stock increase by as much as 42,500% last year." https://qz.com/1175701/putting-bitcoin-or-blockchain-in-a-company-name-is-sometimes-enough-for-a-pop-on-the-stock-market/
some of the powers the ICO have could stop your business dead if you can no longer process customer data
making data transparent should build trust; you need to redesign services around people so you can explain it to them
in order to fulfil a personal access request you need to join up all your systems that track them - a reason to connect your systems
"Marketing is just joining people up with the stuff they love" - not a broadcast view
thinking of the questions that you want to ask shoudl drive the data that you shoudl collect
personal data and customer relationships are not assets in themselves, only in conjunction with a documented legal basis to use it
you need to convince your customers that they rae in control of their data, you hold it temporarily and they can revoke your access
I want to tlak about the opportunities for the BBC with GDPR, and how we have prepared for it
We need to reinvent the BBC for a new generation - we are looking at automation of almost verything
my job is to understand how audiences are changing - moving from a broadcast model to a public service organisation: targetted universality
moving from The BBC to My BBC needs us to have data to understand our audience and to improve their experience
Our new identity system, the BBC account was launched in September 2016 - we ask for age, postcode and gender for adults, birthdate and town for children
knowing age, postcode and gender helps us with our mission of universality.
there was an argument that we could infer demography from programme watching, but then it is not verified, just assumed
we are very transparent with our audiences about how we use their data and explain why in language they understand
we have bene pushing people towards sign-in - we put iPlayer behind sign-in with 2 no's - now 55% on iPlayer. 13% BBC Sport 11% BBC News
we have about 10 million people signed in a week, with over 25 million accounts
we now have an assumption of sign-in for products, and need a good reason why not
we have a pan-BBC steering group across legal, infosec, production, engineering and marketing to cover GDPR
we now have a data inventory that has allowed us to track where data is used
Data Minimisation is quite a challenge - it's nice to be able to say 'you've been signed in for 10 years, here is what you have seen' - there is user value there
how does the 30 day iplayer limit fit with the full history?
we did have the Box Set approach over Christmas where we showed older series - this is not always true and we are reviewing those windows
we store personal data in lots of different places - bbc news contact forms, audience tickets, iplayer - having to deliver against an access request makes this difficult
some of the larger global suppliers are not gdpr compliant - or they are trying to charge extra for European storage - a lot of contract renegotiation
Data can be hard to explain - people tend to find it boring. If you make it too simple, it looks like your hiding something; if you explain the details it is dull.
GDPR is an opportunity, not a threat: there is a willingness to share data, but also a distrust of storing it
the right ot portability gives a chance for customers to make better use of their data - across media industry or as a public service
we're talking to news media and broadcast media to come together and explore what next steps might be
the principle of the bbc account is the more that we know you better, the better we can serve you. This only works if we collaborate wih hothers
we're looking at the practicalities of building an open API so that we can export data, so we need data standards so that it is understandable, and timeley
our subject access requests are 30 days now - thats not helpful for viewing information
the list of what has been seen is one thing, but if there is descriptive data its more useful - we're looking at format and standards of metadata for this richer data
the other key thing around this is security standards - we want the event level media viewing data to be secured fuly
we're thinking about how people can benefit from their personal data, and personal data stores
we're seeing data donation services and open data exchanges being launched and tarcking them
this opens up questions about digital identity management, privacy and about social exclusion of the less connected
we need to think about a federated identity system, as this may be an inevitable consequence of portability
often we are very reliant on our customer base for a level of quality - how do we know they are who hey say they are
I want to move beyond compliance into opportunity
how can arts councils and so on get involved in knowing the kinds of audiences you have?
If we can enable arts organisations to work with each other to see the value in this - and maybe health organisations too
can we move this beyond media recommendation to active participation?
there was a lot of concern in news management about filter bubbles; I think understanding can be more serendipitous too
we may be able to use broadcast as a huge test and burn program, and deliver related specific content online
Programmatic advertising is all about data - brands by ad media from publishers, but there is a giant mesh of data brokers, media agencies, ad buying and selling tech
thee can be 20 or 30 entities involved in delivering a single ad, which I think is insane
Programmatic advertising is supposed to provide "better performance" of advertising
if the publisher is the data controller, they can segment their audience and sell the higher valued ones, but segmentation reduces scale
If adtech is the data controller, they are buying low from the publisher, then segmenting themselves and selling high to advertisers
because the publisher can't sell direct they end up selling more ads, as they're getting less per ad
the biggest players in the industry own the narrative and don't explain this arbitrage
if the privacy consent was set in the browser - would that give more control to Google, as they have a browser?
in it's purest form Google is not disrupted by GDPR as core search is not pii requiring
if we sell advertising space to an agency, don't they need data to do the targetting too?
the question is who is the controller, so who is doing the segmentation?
Normally the agency will give you a tag to run in your site, or you set up a deal ID and the ad gets to the users browser, so they still get IP address and cookie
42 billion spent on digital advertising tin the EU
There is a lot of legislation affecting advertising in the EU - the Digital Content Contracts Directive will require data handling be in the contract
3rd aprty cookies on your site makes you a de facto joint profit making enterprise - misuse of personal information is a tort - see Vidal-Hall vs Google
we are advising publishers to work on a contract basis with end users
does that imply a signed-in experience for the publisher?
this applies to sites where you are making money from selling advertising: you would need to get consent for the ad providers
we think that where you are asking for consent for ad tech players, they will struggle to get it, as no-one wants to be retargeted
under GDPR you need consent for the facebook like button they use to track you
isn't the consent implicit anyway? people are familiar with the ad supported model?
typically people think the publisher is responsible for the ads, not the middleware ad providers - when you give consent is it delegatable?
I think GDPR will help publishers by making these relationships more explicit and less hidden from consumers
GDPR locks down the data that brands have about their customers
we think you can change publishers to connect the publisher as data processor to the brand (who has consent from the customer)
we store an identifier of the consent which is not PII, and combine that with an ad campaign
there are ad providers putting out bogus data processing agreements
because you can now withdraw consent, mistaken consent (someone else in household) can be revoked
how does this change with true identity verification?
I'm Kathryn Geels, and work at Catapult on policy and strategy for creative industries
at Digital Catapult we are working on Personal Data Receipts - we email you a receipt when you sign in here to show what date we collect adn store and let you revoke it
we are also working on blockchain and smart contracts in conjunction with Uk Games fund to track projects and valuations
we also are working on a EU project called Content Personalisation Network to bring these ideas to publishers
we have worked with privacy dashboards like Mydex digi.me Yoti and meeco and are looking at ethical frameworks in conjunction with the ICO
the ICO is looking into compliance tools around AI and machine learning that combine lots of data without easy auditing
the BSI have standards like BS 10012-2017 which may help move to GDPR compliance
the ICO toolkits for self-assessement are very useful: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
Half of web users are faking their data due to security fears
as consumers become more data literate, they will expect companies to narrate their data use to them
lawyers have told me that anyone who says they are 100% GDPR compliant is either lying or doesn't understand the regulations
the digital economy having dat dispersed across silos was useful at first, but blending data between silos is adding new value now
just as you . need to manage fish stocks and not over deplete it, the UK data economy needs data stocks management too
GDPR was conceived as a way to ensure future data in the economy is useful. 75% is existing models of Data Protection
the new parts are grounds for processing and subject data rights
Users now need to go on new consent journeys to be marketed at - the best we have managed is 34%; one of the most trusted brands in the UK got 17%
it's not the regulations - the regulation is forcing us to have a transparent conversation about marketing, and people don't want to be marketed at
we don't just see this in research, we see it in user behaviour - 35% of users in europe have ad blockers on desktop - this is a huge consumer protest
Keith Weed of Unilever has said that consumers are sick of seeing the same ads over and over, and the role of funding fake news and worse
Ije Nwokone of Wolff Olins says the Internet promised the marketing golden age, but only made us a slave to the funnel and killed customer relationships
traditional industrial work is to make a uniform product and market it to as many different segments as possible
for the last 6 or 7 years, digital advertising promised every cheaper customers, we got hooked on metrics rather than long tail value creation
the opportunity is to rebuild the relationship with customers so that you are creating value for them, so they want to give you more information to help
you need to think about Customer RoI - what they get out of each interaction with you
if you use data to unlock value and build trust, this can be a virtuous spiral
we see a new commercial model- Me2B
GDPR is a bit of a pain, but the upside of the potential is there
we need to think of information as a personal asset, not a coporate asset and build 2 way data flows between customers and businesses
a way to rethink this is brands as information services
our early research is showing that we won't get the customer consent we want until we change our businesses
Don't wait for a class action suit - transform your business to reflect GDPR first
VRM is very much part of this - it is a political engagement process, we are advising companies to adopt those ideas
you mentioned the MyData initiative from 7 years ago - at the moment we don't have the network effect that we would hope for
what are the indicators that this will work this time?
DCMS has just asked us to help them think about Data Portability there are 4 key challenges:
1. how do you get businesses to want to share data?
2. consumer opinion - awareness levels were lower; there is much more fluency now of how apps manage data
3. regulatory framework is a big one - GDPR brings that
4. technological interoperability - coming up with formats that we can actually exchange data with
CtrlShift are seeing the companies whoa re thinking about this; once companies see a competitor get an advantage through doing this, they will follow along
you don't need most businesses to be proactive - they are reactive but they will follow others when they see things benefiting
there could be a tipping point now through funding for compliance to GDPR driving data rethinking more broadly
is there a way for media businesses to manage their data and their content really cleverly?
the importance of understanding the behavioural data and the content is there - one of the things that netflix pride themselves on how they have described content
the last piece of the puzzle is the context - we're working on combining classification of content, but we are thinking about media occasions and media missions - what do you want ot get from this viewing event?
that could help us shape what piece of content is most relevant
BBC has been blindsided a bit by multi-screening, where the mobile is your primary locus of attention, but the TV is on in the background
we need to rethink around shared occasions around the screen like this
we were looking a lot at context - are you on the bus? are you somewhere noisy?
what the internet offers is the 1 to 1 opportunity, and we're focused on 1 to everyone marketing, but we can do so much better than that
how much more creative could we be with GDPR to replace broad marketing?
there was a BBC online drama created out of mocked up interactions with the real world http://www.bbc.co.uk/writersroom/successes/the-last-hours-of-laura-k
there are halfway houses - if we get to a truly personalised service that fits into our lives - the thing I wake up to, the thing I listen to on the train, what I watch on the sofa
all our comedies are 30 minutes long - what if we make many different lengths - lets offer the ones that are the right length for their journey
we're doing a journey along the personalisation roadmap - how we need to deliver on public service purposes using personalised data
if we start with bringing together datasets that are within what we do at the moment - say iPlayer history combined with FT reading and spotify playlists - that opens up a way to extend to more informations
in 2009 we ran an event with Unesco on public service media - addressing public purpose with things that aren't content - desiging around affordances
all the big advantages of value creation were adding new functionality, not better quality
I think it is content rather than functionality - people are going back to household delivery of milk in bottles - the mil tastes nicer because supply chain is shorter
in the end data is part of content, but ts not the only part of content
for cinemas we looked at where people wanted to watch, and in what environments and with what kinds of food - content and technical quality were 6th and 7th
there is a new culture of playlists on spotify etc - to the point where it is reviving payola - how do you bring curation?
there is a GDPR playlist on spotify
what we found that celebrities curating iPlayer radio really resonated -enabling users to be able to create and share theirs is important
the many to many opportunities are powerful - a lot of brands enable users to share comment and like - broadcast is the antithesis of this
Desert Island Discs is the original spotify playlist maybe
if you look at time-shifted viewing it has hardly moved - it was 15% and is now 17.5% - we flop in front of the TV and don't care what is
BARB is measuring time shift in the way it has done - what is notable is he volume of uncovered viewing in BARB terms - TV on not broadcast - DVD viewing games viewing, non-broadcast viewing - that is 18-20%, p to 40% for younger users
the first choice is EPG on demand or DVR and on demand is often the first choice
it's young but infectious - once people realise they can do this they do more of it
there was a sit forward or sit back idea, now that is disappearing - more interaction built in
there was the idea that eventually you got old enough to listen to Radio 4, and I never liked that
a lot of our work in arts, culture heritage sector is about a theory of authorship - in other areas it is more fluid and participatory - that fluidity will change this
a lot of arts organisations have a really dramatic cohort problem as they aren't getting new audiences
there's nothing in GDPR that will drive creativity, but it will help burst the adtech as rent-seeking funding existing media companies - I hope ti will find alternative channels
I'm now rethinking how the intersection of media and data will go - I thought media would get better data, but now I don't know what will prevail
when Reed Hastings realised that streaming was goign to happen, he stopped the DVD part of netflix being in strategic meetings
I worry that we are in a minority - this still feels like a fringe idea that we can overcome adtech, but I remain hopeful but unsure
I hope we don't miss the GDPR opportunity as we drive compliance to remake the organisation
Thank you all for contributing - what we will do is keep people up to date about future activities - if I can have your consent
we have a forum and showcase on the 4th May here which will be more about the basics of GDPR where people show how they have used GDPR to remake businesses
We have a roundtable on the 19th April bringing in 2 or 3 people from each workshop who may be able to help put recommendations and next steps together