Channel 4 is renewing its Viewer Promise, while broadcasters in Germany are joining forces to create a universal log-in – but is either enough to accommodate the EU’s stringent new data protection laws? 

“It’s easy for people to forget that each bit of data, whether it’s an email, a post or an IP address, represents a person, and that person has the right to be protected.”

These words, from ITV Director of Online Product and Marketing Steve Forde, are at the heart of the General Data Protection Regulation (GDPR), a new set of standards that have been brought in by the European Parliament, to strengthen the control people have over their personal data.

From 25 May businesses will have a legal requirement to protect the personal data and privacy of EU residents – or face a heavy fine of up to €20 million or 4% of a company’s global annual income (whichever is the larger amount).

While much as been made of the hefty fines, in an industry where businesses are told that ‘data is the new oil’ broadcasters are generally welcoming the opportunity to get their house in order and standardise practices.

“It’s an opportunity to educate and train staff about use of data and to really start to look at efficiencies: purging data where it’s not needed; ensuring you have the right security, the right encryptions and that you are working with right partners,” says Forde.

The new legislation means that users need to ‘opt in’ to allow their personal data to be processed and the tracking of user consent is now compulsory. Companies also need to be specific about what will happen with this data.

Forde says that these key tenents have been designed to “fundamentally change” the way broadcasters view data collection.

“Being transparent, enabling viewers to unsubscribe, giving them control and ensuring that the navigation of this journey and the way that it is communicated is simple, are all key,” he adds.

Viewer transparency

Having a clear and transparent data policy is something that UK commercial PSB Channel 4 has had in place since it actively started gathering it in 2011, when signing into its OTT service All4 (then 40D) became mandatory.

Sarah Rose

Sarah Rose

Comedian Alan Carr fronted a C4 advertising campaign at the time, explaining the broadcaster’s ‘Viewer Promise’ policy, which included pledges to never to sell data onto third parties nor to spam viewers with unnecessary emails.

According to C4 Director of Consumer Insight Sarah Rose, the broadcaster is currently updating its Viewer Promise policy, which it will shortly be communicating to All4’s 15m subscribers via a new ad campaign.

She adds that this is move triggered in part due to GDPR, but also because it the original promise is now already seven years old.

“We want to take it on a step to reassure people about what we are doing, why we are using their data and to remind them of their rights to withdraw it if they change their minds,” she adds.

Consent rules

One challenge companies face with GDPR compliancy is that some aspects of the legislation – key areas around profiling and consent – have not been finalised.

“The GDPR is essentially trying to standardise a patchwork of data laws drawn up by individual territories across the EU,” explains Martin Turner, CEO of Full Frame Technology, whose company trains EMEA media organisations on GDPR and cyber security best practice.

“The new legislation will eventually harmonise these laws but the EU is still trying to nail the consent guidance and this is unlikely to be ready by May,” he adds.

For Rose, the challenge this poses for Channel 4 has been trying to work out the impact of the legislation at a time when it not fully understood.

“At the moment we are working on an assumption. For instance, we don’t think that we need to re-seek the consent of everyone who is registered with us – but it is not altogether impossible that we might need to do that,” she says.

However, the general consensus from the UK regulator, the Information Commissioner’s Office (ICO), is that companies “need to be working to the spirit of the act rather than to the letter of it,” according to Turner.

Rose adds: “It’s about documenting what you are doing as a business and making sure that you have a road map to a final vision.”

German broadcasters unite

Although data protection laws have the interests of the individual in mind, seeking added consent and communicating this can make the user journey more complicated than it needs to be.

TVNow

TVNow

Source: RTL Deutschland

To mitigate this, and to standardise GDPR requirements in Germany, last year rival broadcasters RTL and ProSieben announced an alliance with ISP United Internet and the e-retailer Zalando aimed at creating a unified registration and login service for consumers.

The initiative has been set up as a foundation, which gives it the independence to work with regulators and governments to provide a simple, secure and compliant solution for arranging permissions to use online services.

Users will be able to use their single login to watch content on RTL Deutschland’s TV Now and ProSieben’s streaming service and download emails from Web.de as well as shop on the Zalando website.

The alliance is set to launch with a new name and more members - by the end of the first quarter of this year, and, according to Daniel Pruemers, Prosieben’s SVP of Data, it has benefits beyond consumer ease-of-use.

“Not only can broadcasters be sure that they are part of an organisation that is ensuring GDPR compliancy, the approach of jointly collecting audience is beneficial for maximising e-conversion rates and the number of registered users,” he says.

The foundation’s original partners currently reach a combined 45m monthly unique users – and Pruemers adds that it can begin leveraging this “strength in numbers” against wall gardened tech giants like Facebook, Apple and Google, which already have mass logged-in or registered audiences and massive amounts of login data from users across devices.

Do androids dream of GDPR?

Like other broadcasters, Channel 4 is reassessing its contracts with GDPR in mind and one point that Rose is very clear on is that Channel 4 will only work with vendors which have designed their products with data protection in mind.

“We won’t engage with third party suppliers unless they can demonstrate that they are GDPR compliant,” she says.

Ludo Rubin

Ludo Rubin

Source: Viaccess-Orca

It’s an area that Ludo Rubin, Director of Product Marketing for OTT solutions provider Viaccess- Orca has been working on for the Orange-owned company for over a year now – in particular assessing company’s service delivery platform (SDP) it’s KPI dashboard and its recommendation engine products for GDPR compliance.

“Some of this work has involved encrypting databases where personal data is stored, but the main challenge is not on the technical side, it’s in the process.

“You need to explain and prove how personal data is safe and document it – this is what takes the time. Most of our work is around consent – how you can display a request for consent and how you store and manage it,” he adds.

Rubin has also assessed the work that third party cloud vendors – another processor and keeper of personal data - are doing in this area.

He says that while the main providers such as Amazon AWS, Microsoft Azure, or Google Cloud are working towards GDPR compliancy he warns that there are some third parties “integral to the overall success of the OTT industry” where this is not the case, especially in the marketing space.

Another vulnerability lies in products that have AI and machine learning embedded – recommendation engines, for example, generally fall into this category.

GDPR requires companies to guarantee transparency in the way that their algorithms work and they must be ready to share information with users about the logic involved in the processing.

Says Rubin: “Deep learning algorithms have a problem with this kind of compliance because they automatically generates decisions, they don’t recognise GDPR as such.”

Rose says that Channel 4’s algorithms have now been regulated and are based on recommendations generated by viewing habits, not personal user history.

“We never make suggestions based on assumptions about peoples lifestyles – we do not use uniquely automated algorithms in this area, and I’m not sure that we ever would, ” she adds.

Despite the challenges, Rubin believes that GDPR is an opportunity for vendors to build trust with their customers.

“OTT service providers, broadcasters, and their suppliers can all take the opportunity of GDPR to innovate and differentiate. It can be our industry that develops and deploys new best practises, and becomes truly transparent in the way that it uses data,” he concludes.

Six key points about GDPR:

1. Brexit is no exemption
In fact, the UK was one of the leading drivers of shaping and implementing the legislation and has already committed to bringing this into British law after Brexit has happened. No matter where your company is based if you are going to do business with EU residents (not citizens) then these laws apply

2. Architect your systems with data protection in mind
New services and products need to take data protection risks into account from the design phase through its entire life cycle. GDPR introduces two important rights: The right to erasure (deleting all your data from a service) and the right to move your data elsewhere. The latter is possibly the more challenging; each company needs to think about how they can provide this information in an easily transferable manner.

3. Make consent a user-friendly experience
Be clear from the outset on what viewers are ‘opting-in’ for and how their data will be used. The method of opting in must be made clear. It’s also important to build in a mechanism for your audience to withdraw their consent too.

4. Build in the ability to track, store and retrieve consents easily and securely
The new legislation allows users to request a report of all information that you have on them, which you need to supply free of charge and within a limited time period. In the case of a data breech, companies have just 72 hours to notify the regulator and the individual subjects whose data has been stolen. So in both cases it’s vital that you know where data is stored.

5. Build security into your products
Your services should put in place up-to-date cyber security protection - follow best practice like the DPP Committed to Security approach and control access to the data within your organisation

6. Build data privacy into your company culture
Privacy by default and by design really is something that all staff should be aware of – it should form part on an every day conversation rather than something that happens every now and then. Data is no longer something that can be mined and stockpiled, but something that has an owner who grants consent for it to be used.

With thanks to Andy Wilson, DPP, head of business development and Martin Turner, CEO, Full Frame Technology.