The official General Data Protection Regulation (GDPR) website deems it “the most important change in data privacy regulation in 20 years.” That very well may be the case. However, the opinions about this “change” — a full year after it went into effect — vary, depending on who you ask.
On the one hand, consumers and regulators — not just in the EU, but also worldwide — consider GDPR a big win. Consumers were awarded more control of their personal data. Meanwhile, regulators can claim victory over businesses who stored and took advantage of customer data in ways deemed irresponsible.
On the other hand, organizations that work in the EU bent over backwards to ensure GDPR compliance prior to implementation. Simply put, GDPR requirements — while seemingly laid out clearly — still proved difficult for many brands to meet (and on time).
With its first anniversary come and gone, let’s examine how the GDPR privacy law has changed the customer data management landscape to date — and what comes next.
A quick refresher for marketers: What is GDPR?
You have a rough idea of the GDPR definition. (Who doesn’t at this point?) Having said that, we thought we’d provide a quick refresher on the finer intricacies of the law.
Below you’ll find our version of “GDPR for dummies” — a rundown of the measure before, during, and after its enforcement.
- Before — Why GDPR came to be: EU lawmakers wanted organizations who secured lead and customer data without adequate permissions to cease doing so and give consumers the option to opt out for that data usage. Enter new GDPR consent management obligations.
- During — Action items for brands: A GDPR compliance window was built in to the regulatory launch plan. However, it still took (arguably, is still taking) many companies considerable time to comply. Data cleansing and security, mailing list updates, and form consent or field modifications were some tasks brands tackled. (Here’s a more in-depth GDPR checklist.)
- After — Comply or face penalties: Brands in breach of GDPR face hefty fines. This potential punishment lit fires under business leaders globally to force compliance. As of mid-2019, though, only a few companies have been penalized for failing to meet the guidelines.
TL;DR: GDPR mandates companies doing business in the EU (or collecting customer data there) meet the myriad requirements by making the necessary data collection changes or face its (financial) wrath.
So far, the vast majority of brands have seemingly passed the test (or at least avoided the penalty). Several barriers to continued GDPR compliance, though, remain for brands — and, more specifically, for marketing professionals.
The GDPR challenges still facing marketers
A Winterberry Group survey of digital marketers found numerous challenges impede their marketing success: from the difficulty of proving legitimate ROI to a lack of guidance from leadership.
The top challenge cited in the poll? Government regulation, or the prospect of such regulation.
(Data silos came in second, but that’s a topic for another day.)
It’s a little surprising more marketers aren’t as fearful of measures like GDPR affecting their day-to-day and businesses’ bottom lines. The EU regulation may not instill panic in the hearts of marketing pros as much as it used to. However, there are still hurdles to clear to maintain GDPR compliance:
Challenge #1: “Forgetting” consumers who want to be forgotten
The “right to be forgotten” is a critical benefit for those who don’t want their customer data stored by brands. The GDPR mandates that consumers who want their data erased can request as much of a given brand(s), who then will have 30 days to comply.
What this means for you: In this instance, GDPR compliance not only requires deleting customer data and getting any third parties with whom you’ve shared customers’ data to do the same, but also alerting the person who made the request shortly after their request and when the task is ultimately done.
Challenge #2: Managing real-time changes to customer consent
In the same vein as data erasure, brands also need to remain up to speed on how customers engage with their websites, apps, and emails. Why? Because that activity — including and especially new form submits — invariably impact their consent status.
What this means for you: If your organization uses a customer data platform like BlueConic (see below) to handle real-time consent management, you need not fret.
If you don’t, though, it’s entirely on you and your marketing/IT teams to find another method to track customers’ and leads’ consent changes and to update their various database profiles. This can be quite the time- and energy-consuming chore (and, honestly, a waste of valuable resources).
Challenge #3: Unifying customer data in a single source of truth
Technically speaking, this is a challenge marketers face regardless of whether GDPR. All the same, it’s essential for all companies today, regardless of database size, to unify customer their data in one, central location so they can easily activate said data in targeted campaigns.
A single source of truth simplifies life for marketers by unifying a customer’s historical profile information into a sole, dynamic profile that updates in real time.
As business intelligence consultant Rod Welch wrote for TWDI, “Accuracy is no longer a ‘nice-to-have’ feature. The GDPR brings the data quality of personal information into the realm of compliance.”
What this means for you: If you don’t have a single source of truth data management and activation solution, like a CDP, your ability to ensure data accuracy for customers and prospects — and, in turn, to ensure ongoing GDPR compliance — becomes that much harder.
How the consent management “evolution” continues
When GDPR first went into effect, UK Information Commissioner Elizabeth Denham said, “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
The EU law was meant to rectify customer data privacy issues that have lingered since the inception of the Internet. Now, other countries and some U.S. states plan to implement their own data privacy measures:
- In the U.S., the California Consumer Privacy Act (CCPA) is slated to go into effect in January 2020, pending further analysis and debate among state legislators and regulators.
- New York has a framework for its own consumer data legislation considered “even more drastic” than the CCPA, as it would give consumers the right to sue brands for data misuse.
- Nigeria’s National Information Technology Development Agency has issued its own data privacy regulation in 2019 that incorporates many GDPR elements.
We believe it’s only a matter of time before comprehensive data privacy laws are in place everywhere. The specifics of each regulation will certainly vary, but the central purpose remains the same:
- Ensure brands responsibly gather, store, and disseminate customer data; offer complete transparency to consumers; and delete data upon request (and in a timely fashion).
With one year of GDPR in the books, it’s safe to say the brands everywhere are aware they need to be savvier and smarter with customer data collection. What remains to be seen is how the continual evolution of consumer privacy laws will play out in the year ahead and beyond.