The official General Data Protection Regulation (GDPR) website deems the consumer measure “the most important change in data privacy regulation in 20 years.”
That very well may be the case. However, the opinions about this “change” — a full two-plus years after the law went into effect — vary, depending on who you ask:
- On the one hand, consumers and regulators — not just in the European Union, but worldwide — consider GDPR a big win. Consumers were awarded more control of their personal data. Meanwhile, lawmakers behind the EU measure and abroad can claim victory over companies that improperly secured, stored, sold, and/or misused data.
- On the other hand, organizations that work in the EU bent over backwards to ensure complete GDPR compliance prior to implementation of the divisive data privacy law. Simply put, GDPR requirements — while seemingly laid out clearly for marketers and brands the world over — still proved difficult for many businesses to meet (and on time).
With the data protection law affecting innumerable businesses the world over today, it’s worth examining exactly how GDPR has changed the customer data management landscape to date — and how organizations of all sizes need to maintain a focus on GDPR compliance.
GDPR: A refresher on General Data Protection Regulation for marketers
“What is GDPR?” isn’t exactly a popular question in the business and marketing community anymore. (Who doesn’t know the data law at this point, of course?)
However, we thought we’d provide a quick refresher on the intricacies of the law that was adopted in April 2016 and ultimately went into effect in May 2018.
With that in mind, here’s our oversimplified version of “GDPR for dummies” — a rundown of the measure before, during, and after its enforcement.
- Before — Why GDPR came to be: The European Parliament wanted organizations that secured consumers’ (a.k.a. data subjects’) information without adequate permissions to cease doing so and to give individuals the option to opt out of that data usage. Enter new GDPR consent management obligations, which cover all EU citizens.
- During — Action items for brands: A GDPR compliance window was built into the regulatory launch plan. However, it took many companies considerable time to ensure compliance and the protection of personal data, as well as to appoint a Data Protection Officer (DPO) within their organizations. Data cleansing and security, mailing list updates, and form-consent or -field modifications were some tasks brands tackled.
- After — Comply or face penalties: Brands in breach of GDPR face hefty fines from law enforcement. This potential punishment from public authorities lit fires under business leaders to fast-track compliance. As of the end of 2020, though, only a few large-scale companies have been penalized for failing to meet the guidelines.
TL;DR: GDPR mandates companies doing business in the EU (or collecting customer data there) prioritize information security across their organizations and meet the myriad requirements by making the necessary data collection changes or face (financial) wrath.
So far, the vast majority of brands have seemingly passed the test. (Or, at least, avoided penalties.) Several barriers to continued GDPR compliance, though, remain for companies regarding the processing of personal data and use of it in their marketing programs.
Biggest GDPR challenges for marketers: Compliance, consent, and more
A Winterberry Group survey of marketers found many challenges impede their marketing success: from the difficulty of proving legitimate ROI to a lack of guidance from leadership.
The top challenge cited in the poll? Government regulation, or the prospect of such regulation. (Data silos came in second, but that’s a topic for another day.)
It’s a little surprising more executives aren’t as fearful of measures like GDPR affecting their businesses’ bottom lines, given the potential negative ramifications of data breaches at the hands of an EU supervisory authority. (And now, in the U.K., the Information Commissioner’s Office.)
However, there are still hurdles to clear to maintain GDPR compliance:
#1: “Forgetting” consumers who want to be forgotten
The “right to be forgotten” is a critical benefit for those who don’t want their customer data stored by brands. The GDPR mandates that consumers who want their data erased can request as much of a given brand, which then has 30 days to comply.
What this means for you: In this instance, GDPR compliance not only requires deleting customer data and getting any third parties with whom you’ve shared customers’ data to do the same, but also alerting the person who made the request shortly after their request and when the task is ultimately done.
#2: Managing real-time changes to customer consent
In the same vein as data erasure, brands also need to remain up to speed on how customers engage with their websites, apps, and emails. Why? Because that activity — including and especially new form submits — invariably impacts their consent status.
What this means for you: If your organization uses a customer data platform like BlueConic (see below) to handle real-time consent management, you need not fret.
If you don’t, though, it’s entirely on you and your marketing/IT teams to find another method to track customers’ and leads’ consent changes and to update their various database profiles. This can be quite the time- and energy-consuming chore (and, honestly, a waste of valuable resources).
#3: Unifying customer data in a single source of truth
Technically speaking, this is a challenge marketers face regardless of GDPR.
All the same, it’s essential for all companies, regardless of database size, to unify their customer data in one central location so they can easily activate data in lifecycle marketing.
A single source of truth simplifies life for marketers by unifying a customer’s historical profile information into a sole, dynamic profile that updates in real time.
As business intelligence consultant Rod Welch wrote for TWDI, “Accuracy is no longer a ‘nice-to-have’ feature. The GDPR brings the data quality of personal information into the realm of compliance.”
What this means for you: If you don’t have a single source of truth solution, like a pure-play CDP, your ability to ensure data accuracy for customers and prospects — and, in turn, to ensure ongoing GDPR compliance — becomes that much harder.
How the consent management “evolution” continues today
When GDPR first went into effect, UK Information Commissioner Elizabeth Denham said, “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
The EU law was meant to rectify customer data privacy issues that have lingered since the inception of the internet. Now, other countries and some U.S. states have planned their own data privacy measures:
- In the U.S., the California Consumer Privacy Act (CCPA) went into effect in January 2020, after lengthy analysis and debate among state legislators and regulators.
- New York has a framework for its own consumer data legislation considered “even more drastic” than the CCPA, as it would give consumers the right to sue for data misuse.
- Nigeria’s National Information Technology Development Agency issued its own data privacy regulation in 2019 that incorporates many GDPR elements.
It’s only a matter of time before comprehensive data privacy laws are in place everywhere. The specifics of each one will certainly vary. But the central purpose remains the same:
Ensure companies responsibly gather, store, and disseminate customer data; offer complete transparency to consumers; and delete data upon request (and in a timely fashion).
With two full years of GDPR in the books, it’s safe to say brands everywhere are aware they need to be savvier and smarter with customer data collection.
What remains to be seen is how the continual evolution of consumer privacy laws will play out in the year — and years — ahead and impact marketers.