GDPR and Media Innovation - Digital Catapult

James Leaton Gray:

the GDPR fines have got boardroom attention, when those of us wittering on about data for years have been ignored

The GDPR stopping you using your marketing database without new consent is much more significant than potential fines

Data Protection legislation is principles based - it does not tell you exactly what to do

we are used to asking all sorts of questions and not being sure how we use it - even now vendors are selling databases that can't be updated

GDPR extends the data protection principles - now must be Fair, Lawful and Transparent too. Most systems are not transparent at all.

The other new principle in GDPR over Data Protection is Accountability - you now need to show your working

Transparency means that you need to tell people why you are collecting the data, how long you'll keep it, what you will use it for, and explain it in clear language, not legalese

The data access rights mean that you need to enable people to correct and erase data you hold on them, and export it

if you use the right to erasure, you will also be taken off the marketing suppression list, so you will get untargeted marketing

Data Portability is a bit of a red herring - it was there to encourage building a European social network, but network effects mean there will be no-one there

the broadcasters are under pressure from new short form interactions, and we want to keep them in long form

I can see an advantage in being able to move your preferences between iPlayer and ITV

GDPR is still platform neutral, but it is still very mainframe shaped with controllers and processors

Consent is not specifically defined to be 'freely given' meaning it can be withdrawn. It also needs to be affirmative, so no default checked checkboxes

what we need to get to is Privacy by Default - we get there through Privacy by Design, after doing a Data Protection impact assessment

The public sector already has data breach mandatory reporting - this is new for the private sector and needs planning for

There is data everywhere, we are swimming in it and we don't always notice when a bit goes missing. We now need to know that.

The Journalism exemption to GDPR is a bit of a tricky boundary - do comments on articles count?

marketing our programmes is not covered by a journalism exemption

As media we are used to people talking to us - we ask for comments and get them. In the longer term will media want to talk to them more?

as we move from broadcasting to more personalised streams, we need information about them to provide that personalisation

as companies have to send out GDPR marketing reconsent emails, they are having to give consumers incentives to sign up again

people are realising that they need an intermediary between them and news or information, but it no longer is our media organisations

some media companies are asking "do we need this inaccurate data from adtech? could we do it ourselves?"

what media have to do is Transparency: records of processing, where the data is, how it flows, retention schedules, breach notifications

we have seen trust in online services drop over the last 10 years - if we want trust we need to be transparent

very few organisations have data accuracy and quality processes built in - this needs to chain with mandated transparency

we did an experiment with iPlayer to use viewing habits to create recommendations - when we asked viewers about it they assumed it was personalised already, not editorial

Patrick Towell:

5 years ago we looked at what happened if you recommended from video to music or vice versa - we found we need more data to cross media

we worked with an energy company to rewrite terms and conditions into plain English so that people could measurably understand them

this meant rewriting the conditions to narrate the user journey - no longer organised by category

freely given and informed consent is not about plain English, it's about remodelling the user journey so that it is understandable

there are many companies that are accidental publishers - they end up publishing information to customers without having a journalism practice

companies have to look at the risks of not being trusted - of taking personalisation too far

if you personalised, it wasn't a welcome surprise unless you explained how it happened - we gave a semantic breadcrumb trail

now netflix and amazon say recommending this because you watched that - explaining mitigates this

the gold standard for personalisation is Songkick - we want that delight when we get the email

Johan Naughton at Prospect magazine calls it the Web of Spies:

"Bitcoin Services, formerly known as Tulip BioMed, saw its stock increase by as much as 42,500% last year."

some of the powers the ICO have could stop your business dead if you can no longer process customer data

making data transparent should build trust; you need to redesign services around people so you can explain it to them

in order to fulfil a personal access request you need to join up all your systems that track them - a reason to connect your systems

"Marketing is just joining people up with the stuff they love" - not a broadcast view

thinking of the questions that you want to ask should drive the data that you should collect

personal data and customer relationships are not assets in themselves, only in conjunction with a documented legal basis to use it

you need to convince your customers that they are in control of their data, you hold it temporarily and they can revoke your access

Nick North:

I want to talk about the opportunities for the BBC with GDPR, and how we have prepared for it

We need to reinvent the BBC for a new generation - we are looking at automation of almost everything

my job is to understand how audiences are changing - moving from a broadcast model to a public service organisation: targeted universality

moving from The BBC to My BBC needs us to have data to understand our audience and to improve their experience

Our new identity system, the BBC account was launched in September 2016 - we ask for age, postcode and gender for adults, birthdate and town for children

knowing age, postcode and gender helps us with our mission of universality.

there was an argument that we could infer demography from programme watching, but then it is not verified, just assumed

we are very transparent with our audiences about how we use their data and explain why in language they understand

we have been pushing people towards sign-in - we put iPlayer behind sign-in with 2 no's - now 55% on iPlayer, 13% BBC Sport, 11% BBC News

we have about 10 million people signed in a week, with over 25 million accounts

we now have an assumption of sign-in for products, and need a good reason why not

we have a pan-BBC steering group across legal, infosec, production, engineering and marketing to cover GDPR

we now have a data inventory that has allowed us to track where data is used

Data Minimisation is quite a challenge - it's nice to be able to say 'you've been signed in for 10 years, here is what you have seen' - there is user value there


how does the 30 day iplayer limit fit with the full history?

Nick North:

we did have the Box Set approach over Christmas where we showed older series - this is not always true and we are reviewing those windows

we store personal data in lots of different places - bbc news contact forms, audience tickets, iplayer - having to deliver against an access request makes this difficult

some of the larger global suppliers are not gdpr compliant - or they are trying to charge extra for European storage - a lot of contract renegotiation

Data can be hard to explain - people tend to find it boring. If you make it too simple, it looks like you're hiding something; if you explain the details it is dull.

GDPR is an opportunity, not a threat: there is a willingness to share data, but also a distrust of storing it

the right to portability gives a chance for customers to make better use of their data - across media industry or as a public service

we're talking to news media and broadcast media to come together and explore what next steps might be

the principle of the bbc account is the more that we know you better, the better we can serve you. This only works if we collaborate with others

we're looking at the practicalities of building an open API so that we can export data, so we need data standards so that it is understandable, and timely

our subject access requests are 30 days now - that's not helpful for viewing information

the list of what has been seen is one thing, but if there is descriptive data it's more useful - we're looking at format and standards of metadata for this richer data

the other key thing around this is security standards - we want the event level media viewing data to be secured fully

we're thinking about how people can benefit from their personal data, and personal data stores

we're seeing data donation services and open data exchanges being launched and tracking them

this opens up questions about digital identity management, privacy and about social exclusion of the less connected

we need to think about a federated identity system, as this may be an inevitable consequence of portability

often we are very reliant on our customer base for a level of quality - how do we know they are who they say they are

I want to move beyond compliance into opportunity


how can arts councils and so on get involved in knowing the kinds of audiences you have?

Nick North:

If we can enable arts organisations to work with each other to see the value in this - and maybe health organisations too


can we move this beyond media recommendation to active participation?

Nick North:

there was a lot of concern in news management about filter bubbles; I think understanding can be more serendipitous too

we may be able to use broadcast as a huge test and burn program, and deliver related specific content online

Rupert Graves:

Programmatic advertising is all about data - brands buy ad media from publishers, but there is a giant mesh of data brokers, media agencies, ad buying and selling tech

there can be 20 or 30 entities involved in delivering a single ad, which I think is insane

Programmatic advertising is supposed to provide "better performance" of advertising

if the publisher is the data controller, they can segment their audience and sell the higher valued ones, but segmentation reduces scale

If adtech is the data controller, they are buying low from the publisher, then segmenting themselves and selling high to advertisers

because the publisher can't sell direct they end up selling more ads, as they're getting less per ad

the biggest players in the industry own the narrative and don't explain this arbitrage

James Leaton Gray:

if the privacy consent was set in the browser - would that give more control to Google, as they have a browser?

Rupert Graves:

in its purest form Google is not disrupted by GDPR as core search is not PII requiring


if we sell advertising space to an agency, don't they need data to do the targeting too?

Rupert Graves:

the question is who is the controller, so who is doing the segmentation?

Normally the agency will give you a tag to run in your site, or you set up a deal ID and the ad gets to the user's browser, so they still get IP address and cookie

42 billion spent on digital advertising in the EU

There is a lot of legislation affecting advertising in the EU - the Digital Content Contracts Directive will require data handling be in the contract

3rd party cookies on your site make you a de facto joint profit making enterprise - misuse of personal information is a tort - see Vidal-Hall vs Google

we are advising publishers to work on a contract basis with end users

James Leaton Gray:

does that imply a signed-in experience for the publisher?

Rupert Graves:

this applies to sites where you are making money from selling advertising: you would need to get consent for the ad providers

we think that where you are asking for consent for ad tech players, they will struggle to get it, as no-one wants to be retargeted

under GDPR you need consent for the facebook like button they use to track you

Nick North:

isn't the consent implicit anyway? people are familiar with the ad supported model?

Rupert Graves:

typically people think the publisher is responsible for the ads, not the middleware ad providers - when you give consent is it delegatable?

I think GDPR will help publishers by making these relationships more explicit and less hidden from consumers

GDPR locks down the data that brands have about their customers

we think you can change publishers to connect the publisher as data processor to the brand (who has consent from the customer)

we store an identifier of the consent which is not PII, and combine that with an ad campaign

there are ad providers putting out bogus data processing agreements

because you can now withdraw consent, mistaken consent (someone else in household) can be revoked

James Leaton Gray:

how does this change with true identity verification?

Kathryn Louise Geels:

I'm Kathryn Geels, and work at Catapult on policy and strategy for creative industries

at Digital Catapult we are working on Personal Data Receipts - we email you a receipt when you sign in here to show what data we collect and store and let you revoke it

we are also working on blockchain and smart contracts in conjunction with UK Games Fund to track projects and valuations

we also are working on an EU project called Content Personalisation Network to bring these ideas to publishers

we have worked with privacy dashboards like Mydex, Yoti and Meeco and are looking at ethical frameworks in conjunction with the ICO

the ICO is looking into compliance tools around AI and machine learning that combine lots of data without easy auditing

the BSI have standards like BS 10012-2017 which may help move to GDPR compliance

the ICO toolkits for self-assessment are very useful:

Half of web users are faking their data due to security fears

as consumers become more data literate, they will expect companies to narrate their data use to them

lawyers have told me that anyone who says they are 100% GDPR compliant is either lying or doesn't understand the regulations

William Kemble-Clarkson:

the digital economy having data dispersed across silos was useful at first, but blending data between silos is adding new value now

just as you need to manage fish stocks and not over deplete them, the UK data economy needs data stocks management too

GDPR was conceived as a way to ensure future data in the economy is useful. 75% is existing models of Data Protection

the new parts are grounds for processing and subject data rights

Users now need to go on new consent journeys to be marketed at - the best we have managed is 34%; one of the most trusted brands in the UK got 17%

it's not the regulations - the regulation is forcing us to have a transparent conversation about marketing, and people don't want to be marketed at

we don't just see this in research, we see it in user behaviour - 35% of users in europe have ad blockers on desktop - this is a huge consumer protest

Keith Weed of Unilever has said that consumers are sick of seeing the same ads over and over, and the role of funding fake news and worse

Ije Nwokone of Wolff Olins says the Internet promised the marketing golden age, but only made us a slave to the funnel and killed customer relationships

traditional industrial work is to make a uniform product and market it to as many different segments as possible

for the last 6 or 7 years, digital advertising promised ever cheaper customers, we got hooked on metrics rather than long tail value creation

the opportunity is to rebuild the relationship with customers so that you are creating value for them, so they want to give you more information to help

you need to think about Customer RoI - what they get out of each interaction with you

if you use data to unlock value and build trust, this can be a virtuous spiral

we see a new commercial model - Me2B

GDPR is a bit of a pain, but the upside of the potential is there

we need to think of information as a personal asset, not a corporate asset and build 2 way data flows between customers and businesses

a way to rethink this is brands as information services

our early research is showing that we won't get the customer consent we want until we change our businesses

Don't wait for a class action suit - transform your business to reflect GDPR first

Kevin Marks:

is this what @dsearls has been calling VRM for 10 years?


VRM is very much part of this - it is a political engagement process, we are advising companies to adopt those ideas

Nick North:

you mentioned the MyData initiative from 7 years ago - at the moment we don't have the network effect that we would hope for

what are the indicators that this will work this time?


DCMS has just asked us to help them think about Data Portability - there are 4 key challenges:

1. how do you get businesses to want to share data?

2. consumer opinion - awareness levels were lower; there is much more fluency now of how apps manage data

3. regulatory framework is a big one - GDPR brings that

4. technological interoperability - coming up with formats that we can actually exchange data with

James Leaton Gray:

CtrlShift are seeing the companies who are thinking about this; once companies see a competitor get an advantage through doing this, they will follow along

you don't need most businesses to be proactive - they are reactive but they will follow others when they see things benefiting

there could be a tipping point now through funding for compliance to GDPR driving data rethinking more broadly

Patrick Towell:

is there a way for media businesses to manage their data and their content really cleverly?

Nick North:

the importance of understanding the behavioural data and the content is there - one of the things that netflix pride themselves on is how they have described content

the last piece of the puzzle is the context - we're working on combining classification of content, but we are thinking about media occasions and media missions - what do you want to get from this viewing event?

that could help us shape what piece of content is most relevant

BBC has been blindsided a bit by multi-screening, where the mobile is your primary locus of attention, but the TV is on in the background

we need to rethink around shared occasions around the screen like this

Patrick Towell:

we were looking a lot at context - are you on the bus? are you somewhere noisy?


what the internet offers is the 1 to 1 opportunity, and we're focused on 1 to everyone marketing, but we can do so much better than that

how much more creative could we be with GDPR to replace broad marketing?

James Leaton Gray:

there was a BBC online drama created out of mocked up interactions with the real world

there are halfway houses - if we get to a truly personalised service that fits into our lives - the thing I wake up to, the thing I listen to on the train, what I watch on the sofa

all our comedies are 30 minutes long - what if we make many different lengths - lets offer the ones that are the right length for their journey

Nick North:

we're doing a journey along the personalisation roadmap - how we need to deliver on public service purposes using personalised data

if we start with bringing together datasets that are within what we do at the moment - say iPlayer history combined with FT reading and spotify playlists - that opens up a way to extend to more information

Patrick Towell:

in 2009 we ran an event with Unesco on public service media - addressing public purpose with things that aren't content - designing around affordances

all the big advantages of value creation were adding new functionality, not better quality

James Leaton Gray:

I think it is content rather than functionality - people are going back to household delivery of milk in bottles - the milk tastes nicer because supply chain is shorter

in the end data is part of content, but it's not the only part of content

Patrick Towell:

for cinemas we looked at where people wanted to watch, and in what environments and with what kinds of food - content and technical quality were 6th and 7th

Kevin Marks:

there is a new culture of playlists on spotify etc - to the point where it is reviving payola - how do you bring curation?

James Leaton Gray:

there is a GDPR playlist on spotify

Nick North:

what we found was that celebrities curating iPlayer radio really resonated - enabling users to be able to create and share theirs is important

the many to many opportunities are powerful - a lot of brands enable users to share comment and like - broadcast is the antithesis of this

Kevin Marks:

Desert Island Discs is the original spotify playlist maybe


if you look at time-shifted viewing it has hardly moved - it was 15% and is now 17.5% - we flop in front of the TV and don't care what is

Nick North:

BARB is measuring time shift in the way it has done - what is notable is the volume of uncovered viewing in BARB terms - TV on not broadcast - DVD viewing, games viewing, non-broadcast viewing - that is 18-20%, up to 40% for younger users

the first choice is EPG on demand or DVR and on demand is often the first choice

it's young but infectious - once people realise they can do this they do more of it

James Leaton Gray:

there was a sit forward or sit back idea, now that is disappearing - more interaction built in

there was the idea that eventually you got old enough to listen to Radio 4, and I never liked that

Patrick Towell:

a lot of our work in arts, culture heritage sector is about a theory of authorship - in other areas it is more fluid and participatory - that fluidity will change this

a lot of arts organisations have a really dramatic cohort problem as they aren't getting new audiences


there's nothing in GDPR that will drive creativity, but it will help burst the adtech as rent-seeking funding existing media companies - I hope it will find alternative channels

James Leaton Gray:

I'm now rethinking how the intersection of media and data will go - I thought media would get better data, but now I don't know what will prevail


when Reed Hastings realised that streaming was going to happen, he stopped the DVD part of netflix being in strategic meetings

Nick North:

I worry that we are in a minority - this still feels like a fringe idea that we can overcome adtech, but I remain hopeful but unsure

I hope we don't miss the GDPR opportunity as we drive compliance to remake the organisation

Kathryn Louise Geels:

Thank you all for contributing - what we will do is keep people up to date about future activities - if I can have your consent

we have a forum and showcase on the 4th May here which will be more about the basics of GDPR where people show how they have used GDPR to remake businesses

We have a roundtable on the 19th April bringing in 2 or 3 people from each workshop who may be able to help put recommendations and next steps together