Ever since GDPR came into force in 2018, it’s served as a wake-up call for many marketers to re-examine internal procedures and processes.
GDPR takes a wide view of what constitutes personal identification information. Companies now need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address, and national ID number. Businesses are required to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Meanwhile, the GDPR also regulates the exportation of personal data outside the EU.
Since its implementation, marketers have remained unclear on how it is enforced, what the penalties are, and how best to tackle compliance at small and medium-sized businesses without an internal legal team. They need to learn, and soon, since big fines are being handed out. Since the GDPR went into effect, other regions have also been refocusing their efforts on privacy and consumer data rights.
So is GDPR taking time from other priorities, like cybersecurity or data protection policy, or does it bring a benefit to better engaging the customer? Or are the two related?
According to a recent Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies.
That last figure is puzzling, but culturally telling, as I believe from my experience that U.S. companies view customer and prospect data differently than in other regions of the world. So how can data handling be transparent and create a climate of trust in the business ecosystem?
GDPR and marketing: The burning questions and answers
How did consumers react to the GDPR?
Confused about how to reach out to prospects and customers in their data systems, many marketers sent mass mailings, notifying consumers that they held their data, and asking permission to continue communicating with them. This provided a terrific opportunity to cement a closer relationship with prospects and customers.
But many marketers blew it, instead giving people on their mailing lists a reason to opt out with pleasure. Why? Because instead of telling people how important they are, and how they planned to interact with them going forward, these emails just reminded customers that they were signed up to a mailing list that was no longer relevant to them.
Have we seen a business impact?
Let’s face it, data privacy is a business issue with strong implications for customer experience, brand reputation, and personalization.
Trust, transparency, and reputation are all on the line every time we engage with a prospect or customer. Companies that took GDPR as an opportunity addressed this as a benefit to the relationship by pointing out how they handled data, why they collected it, and how it was used, as well as how they plan to use it going forward.
Were there any early adopter benefits?
Firms that were first to embrace GDPR consistently report improvements in their business outcomes, including their customer experience and data strategies.
GDPR has also been pushing firms to innovate and prepare to deliver services of the future, in line with compliance and transparency. GDPR can be an opportunity to more clearly engage the prospect or customer as a trusted provider of service.
Where are data protection and privacy headed next?
Tech companies cannot require you to give up your data to receive value from their products and services. If you want to ask for data, there should be a reason for it and there must be an option to revoke the information if requested.
To be precise: Consent must stand out, be clear, and include the reasons for collection.
Where should we focus our data protection efforts?
Decide the purpose for collecting the data, and the manner in which it is collected. Make the necessary process investments, supported by good tools, to know the state of your data protection efforts beyond a dashboard.
Data protection policies (DPP) should include internal data protection awareness workshops, privacy impact assessments (PIAs), managed breach detection and response, and a breach notification policy. Get the necessary tools for a data audit, as data discovery, mapping, and protection technologies are all key to protecting consumer data and privacy.
Cybersecurity monitoring, threat detection, and alerting systems are also necessary to ensure GDPR compliance, because under current GDPR requirements, organizations have to report a breach within 72 hours of discovery.
What can I do to proactively make this an opportunity for our marketing team?
Privacy protection compliance should be enforced not only through business processes and strategies, but also through investment in technologies and incident response management. Data breaches are not only expensive, but also erode trust in the brand.