GDPR – 12 months on

Happy first birthday GDPR! One year since the general data protection regulation arrived, Profusion consultant Michael Brennan explores how to make it work for your business.

Cast your mind back 12 months. Remember that blizzard of marketing consent emails that presaged the live date for GDPR enforcement?

Now it’s all feeling very quiet. Perhaps this is the calm after the storm, or the pause before the next phase of EU mandated data privacy regulation.

What? More rules? Yes indeed. The slow progress towards the new Privacy and Electronic Communications Regulation (PECR) continues, with no obvious end in sight.

As those of you involved with GDPR preparedness will know, there are significant areas of overlap between the two regulations. Not least is the fact that both have been upgraded from directives to regulations – easing their consistent application across EU states as part of the commitment to a Digital Single Market.

Privacy regulations need an update

GDPR isn’t about marketing or communications per se. In fact, it’s designed to anticipate and cover the full spectrum of data processing activities. As a result, marketing forms a part of the GDPR remit. In terms of the legal relationship arising, the PECR should be understood as lex specialis to the GDPR:

“That’s a legal principle, in full ‘principe lex specialis derogat legi generali’, which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, in this case the GDPR (personal data protection in general), with the ePrivacy Regulation covering the mentioned specific areas.” – The new EU ePrivacy Regulation: what you need to know

Without going into the detail of the PECR here, most will agree there’s a need to update privacy regulations. The original directive was introduced back in 1995, long before much of today’s digital communications ecosystem even existed, let alone the emergence of the Internet of Things.

Data protection around the world

In terms of legislation, and looking beyond Europe, we’ve long talked about the GDPR as setting a new global standard for data protection. Similarly, in the past 12 months we’ve seen new laws emerge in the US states of California (enacted) and Washington (in process).

Meanwhile, the new trade agreement between the EU and Japan includes the principle of equivalence between the respective data protection regimes. The first such deal since GDPR was introduced, it allows for the free flow of personal data between these markets, with the assurance of consistent protections. More alliances will follow, including with South Korea.

Personal data – time for a cultural shift

Even such a brief overview of ongoing regulatory and legislative developments should clarify the direction of travel. It should also confirm that what many organisations need is a cultural shift in their approach to personal data, rather than a narrow and negative focus on legislative compliance. The latter attitude typically precludes an understanding of the opportunities inherent in data protection and personal privacy, amid rising consumer awareness (attributable in part to GDPR itself) and concern.

The winners in the post-GDPR era will not be firms that merely survive by avoiding non-compliance, but rather those that thrive in the new environment by seizing the opportunities for richer, deeper engagement with prospects and customers. – GDPR Guide for Marketers

And yes, it’s fair to say that consumers want it all. They want uber-convenience, hyper-personalisation and seamless cross-channel interactions. Likewise, they want control over who uses their data and how.

Privacy to raise profiles

For certain, the game has changed. Let’s not look at it in isolation, but as part of a deeper, smouldering disconnect between business and consumers. One that we can understand within the three dimensions of sustainability – social, economic and environmental.

Reflecting this shift in sentiment, Apple launched its new Privacy campaign in March, following its high profile stunt at CES 2019. As many commentators immediately noted, the challenge is to live up to the promise consistently. Indeed, the price of perceived hypocrisy is particularly high these days, as Nike is finding out.

Over the past year, an appreciation of the advantages of the GDPR-mandated focus on data management has emerged. The Cisco Data Protection Benchmark Study (Jan 2019), for example, reported several indirect business benefits arising from GDPR compliance. Of the 3,098 companies surveyed:

  • 42% said meeting new standards is improving/broadening their innovation efforts
  • 41% cited a fresh competitive advantage
  • 41% said procedural efficiencies had increased
  • 37% reported reduced sales delays arising from customers’ data privacy concerns
  • 36% believe their appeal to investors has improved as a result of GDPR compliance

The benefits of compliance

The study, based on responses from data security professionals across 18 markets, also highlighted the direct, positive benefits of compliance in the face of data breaches. These include fewer records impacted, reduced downtime, and less financial cost arising from a breach.

More broadly, just 59% of those surveyed felt they were fully compliant with GDPR requirements. In addition, 29% expect to conform by the end of 2019. Among UK respondents, the compliance figure rises to 69% (behind Italy, Mexico and Spain) – up from the 63% reported by Marketing Signals in August 2018.

It’s clear that there’s some way to go toward total compliance – and anyone who’s behind the curve has every chance of catching up. In practice, laggards may in fact have an advantage in terms of learning from best practice and incorporating emerging thinking on specific requirements.

Embrace the evolving post-GDPR era

“GDPR wasn’t and has never been a threshold that, once crossed, can be ticked-off a to-do list and forgotten about. For all businesses, implementing the GDPR has to be a continual process.” Adam Prince, Sage

“GDPR is not a one-off exercise. Instead, it’s an ongoing journey, and as such, it requires continuous data discovery and classification, automated risk assessments (including data protection impact assessments), dynamic due diligence on third parties, etc.” Enza Iannopollo,

All organisations need to understand this as an ongoing journey. 25 May 2018 simply marked the beginning of a new phase in the development of data protections and consumer controls.

This brief overview of developments confirms that GDPR compliance is a continuing challenge for global businesses. It isn’t going to go away and it’s something we all need to embrace, with a focus on the positive opportunities.

Richer marketing comms, thinking and engagement

As Iannopollo adds:

“Your biggest potential loss isn’t a large GDPR fine; it will be the lost opportunity to use it as a powerful lever to raise customer trust and drive growth. Firms that were first to embrace GDPR consistently report improvements in their business outcomes, including their customer experience and data strategies. GDPR is also pushing firms to innovate and prepare to deliver the services of the future.”

From our perspective at Profusion, it’s been particularly interesting to see how GDPR-related marketing projects have evolved from data architecture and management towards first or zero-party customer data acquisition. These are derived from direct, transparent surveys and direct digital interactions, rather than inferred from online behaviours. All of this helps develop new insights and audience segments that drive richer marketing communications, thinking and engagement.

In conclusion, we say this: Long may it continue. Here’s to the next 12 months!

Get more of Michael’s market insights in Unlock the door to Gen Z



Michael Brennan

Consultant, Profusion


  1. Sonia says:

    Thank you for your comment and we are sorry that the long comment you wrote disappeared. Do come back and visit our pages as we publish new blogs every month.
