The official General Data Protection Regulation (GDPR) website deems the consumer measure the most important change in data privacy regulation in 20 years.
That very well may be the case. However, the opinions about this “change” — a full three-plus years after the law went into effect — vary, depending on who you ask:
- On the one hand, consumers and regulators — not just in the European Union, but worldwide — consider GDPR a big win. Consumers were awarded more control of their personal data. Meanwhile, lawmakers behind the EU measure and abroad can claim victory over companies that improperly secured, stored, sold, and/or misused data.
- On the other hand, organizations that work in the EU bent over backwards to ensure complete GDPR compliance prior to implementation of the divisive data privacy law. Simply put, GDPR requirements — while seemingly laid out clearly for growth-focused professionals and businesses the world over — still proved difficult for many businesses to meet (and on time).
With the data protection law affecting innumerable businesses the world over today, it’s worth examining exactly how GDPR has changed the customer data management landscape to date — and how organizations of all sizes need to maintain a focus on GDPR compliance.
GDPR: A refresher on General Data Protection Regulation for marketers
“What is GDPR?” isn’t exactly a popular question in the business, marketing, and customer experience community anymore. (Who doesn’t know about the data law at this point?)
However, we thought we’d provide a quick refresher on the intricacies of the consumer law that was adopted in April 2016 and ultimately went into effect in May 2018:
- Before — Why GDPR came to be: The European Parliament wanted organizations that secured consumers’ (a.k.a. data subjects’) information without adequate permissions to cease doing so and give individuals the option to opt out of that data usage. Enter new GDPR consent management obligations, which cover all EU citizens.
- During — Action items for brands: A GDPR compliance window was built into the regulatory launch plan. However, it took many companies considerable time to ensure compliance and the protection of personal data, as well as to appoint a Data Protection Officer (DPO) within their organizations. Data cleansing and security, mailing list updates, and form-consent or -field modifications were some tasks brands tackled.
- After — Comply or face penalties: Brands in breach of GDPR face hefty fines from law enforcement. This potential punishment from public authorities lit fires under business leaders to fast-track compliance. As of 2021, though, only a few large-scale companies have been penalized for failing to meet the guidelines.
TL;DR: GDPR mandates companies doing business in the EU (or collecting customer data there) prioritize information security across their organizations and meet the myriad requirements by making the necessary data collection changes or face (financial) wrath.
So far, the vast majority of brands have seemingly passed the test. (Or, at least, avoided penalties.) Several barriers to continued GDPR compliance, though, remain for companies regarding the processing of personal data and use of it in their marketing and CX programs.
Biggest GDPR challenges for marketers: Compliance, consent, and more
A Winterberry Group survey of marketers found many challenges impede their marketing success: from the difficulty of proving legitimate ROI to a lack of guidance from leadership.
The top challenge cited in the poll? Government regulation — or the prospect of new regulatory measures. (Data silos came in second, but that’s a topic for another day.)
It’s a little surprising more executives aren’t as fearful of measures like GDPR affecting their businesses’ bottom lines, given the potential negative ramifications of data breaches by EU supervisory authorities. (And now, in the U.K., the Information Commissioner’s Office.)
However, there are still hurdles to clear to maintain GDPR compliance.
1. “Forgetting” consumers who want to be forgotten
The “right to be forgotten” is a critical benefit for those who don’t want their customer data stored by brands. The GDPR mandates that consumers who want their data erased can request as much of a given brand, which then has 30 days to comply.
In this instance, GDPR compliance not only requires deleting customer data and getting any third parties with whom you’ve shared customers’ data to do the same, but also alerting the person who made the request shortly after their request and when the task is ultimately done.
2. Managing real-time changes to customer consent
In the same vein as data erasure, brands also need to remain up to speed on how customers engage with their websites, apps, and emails. Why? Because that activity — including and especially new form submits — invariably impacts their consent status.
If your organization uses a CDP like BlueConic to handle real-time consent management, though, you need not fret, as the process is automated and streamlined, thus ensuring you can confidently utilize customer data without fear of engaging opted-out individuals.
If you don’t, though, it’s entirely on your company to find another method to track customers’ and leads’ consent changes and to update their various database profiles.
This can be quite the time- and energy-consuming chore. (And a waste of valuable resources.)
3. Unifying customer data in a single source of truth
Technically speaking, this is a challenge marketers face regardless of GDPR.
All the same, it’s essential for all companies, regardless of database size, to unify their customer data in one central location so they can easily activate data in lifecycle marketing.
A single source of truth simplifies life for business technology users by unifying a customer’s historical profile information into a sole, dynamic profile that updates in real time.
As business intelligence consultant Rod Welch wrote for TWDI, “Accuracy is no longer a ‘nice-to-have’ feature. The GDPR brings the data quality of personal information into the realm of compliance.”
If you don’t have a single source of truth solution, like a pure-play CDP, your ability to ensure data accuracy for customers and prospects — and, in turn, to ensure ongoing GDPR compliance — becomes that much harder.
How the consent management “evolution” continues today
When GDPR first went into effect, UK Information Commissioner Elizabeth Denham said, “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.”
The EU law was meant to rectify consumer data privacy issues that have lingered since the inception of the internet. Now, other countries — and even some U.S. states — have planned or implemented their own data measures:
- In the U.S., the California Consumer Privacy Act (CCPA) went into effect in January 2020, after lengthy analysis and debate among state legislators and regulators.
- New York has a framework for its own consumer data legislation considered “even more drastic” than the CCPA, as it would give consumers the right to sue for data misuse.
- Nigeria’s National Information Technology Development Agency issued its own data privacy regulation in 2019 that incorporates many GDPR elements.
It’s only a matter of time before comprehensive data privacy laws are in place everywhere. The specifics of each one will certainly vary. But the central purpose remains the same:
- Ensure companies responsibly gather, store, and disseminate customer data; offer complete transparency to consumers; and delete data upon request (and quickly).
With three full years of GDPR in the books, it’s safe to say companies everywhere are aware they need to be savvier and smarter with customer data collection and utilization.
What remains to be seen is how the continual evolution of consumer privacy laws will play out in the years ahead and impact growth teams and companies at large.
Watch our data privacy laws webinar to learn how you can comply with consumer data measures by investing in a CDP like BlueConic with consent management functionality.