The General Data Protection Regulation (GDPR) has been covered by the IT, HR, legal, and marketing press for some time and is increasingly getting exposure in the mainstream press. It’s not something many of us can ignore however, so for those not yet suffering GDPR nausea here’s a roundup of the top 5 things we learned this month:
1. It’s time to love and embrace GDPR…
While there may be a downside in terms of time, effort and quite possibly money, this MyCustomer feature reminds us of the joys of GDPR, outlining all the improvements we’ll see in the quality of the data marketers will be working with, and ultimately what this could mean for our budgets.
In this post, particular attention is drawn to the relationship between transparency and trust. “If the consumer understands that by giving their data to a brand they will achieve a certain benefit, whether it’s personalised offerings or discounts, then they’re more likely to be open and willing to share their data in the future.” This transparency is something the GDPR very much set out to achieve. It should provide an opportunity to overcome any damage or suspicion consumers have, and ultimately lead to improved data quality and, in most cases, to a far more relevant user experience.
As the MyCustomer team point out, the impending GDPR means this is the ideal time for marketers to request investment in the strengthening of their customer data toolset and skills.
2. … even if we’re currently sticking our heads in the sand about it.
Over on NetImperative this month was a study that suggested that 100% of business leaders know that they need to comply with the regulation. Great, if somewhat predictable, news. More worrying was the level of detailed understanding about what they actually needed to do. For instance, 56% of businesses don’t realise that email marketing databases constitute personal information, while eight in ten (79%) were unaware that a customer’s date of birth is classed as personal data. It seems there’s a distinct lack of knowledge around data and what is relevant to the GDPR, but equally there’s a lack of knowledge around the consequences of not adhering to the impending rules.
The fact that only a quarter of people realise that organisations could be fined between 2% and 4% of annual global turnover may also be why only a tenth of businesses (10%) have a board level or management member involved in managing the transition to GDPR!
3. But don’t worry. There’s a major discrepancy between GDPR and the ePrivacy directive anyway.
One of the conditions of meeting the GDPR accountability standards will be to provide an opt-out link. But as this AdExchanger post points out, the current draft of the ePrivacy Regulation (a sector-specific law of GDPR) says that you can’t simply provide the opportunity to opt-out of communication, but instead people should proactively opt-in first. This rule has not yet passed, and some believe that if it does come into play there will be a reasonable transition period after GDPR comes into effect.
For some marketers, this has the potential to prove perhaps the greatest challenge, as it goes beyond simply being transparent and fair about how the business intends to use data and becomes about requiring an opt-in at the point of collection. The focus will move from explaining what you’ll be doing with the data to asking them for the data in the first place.
4. …and then there’s the problem of data sprawl…
Another interesting article this month (over on Computing.co.uk) revealed that large British businesses have named data sprawl as one of the most significant challenges facing them as they prepare for the GDPR. It seems that one in five firms claim to use over 40 different systems to handle their customers’ personal data. That may be an eye-watering number, but what’s more, 47 per cent of respondents to the Citrix study being referred to admit to sharing that data with other companies (48 on average). It’s amazing how normal this level of data sprawl has become. And it’s enough to cause a GDPR migraine!
Regardless of whether they actually do anything with the data or not (and surprisingly there are plenty which claim they don’t), around 60 per cent of businesses were found to store personal data for more than a year, with 25 per cent storing it for over five years! A clear understanding of where that data is, and being able to access it, will be a key requirement for GDPR compliance.
5. Still, it’d be worse if we were outside the EU (oh, hold on a minute…)
To close out our top 5 things we learned about GDPR this month, we should acknowledge that confusion is even more widespread outside EU countries. As this feature on Digiday points out, “It won’t matter whether a company’s servers are held in Israel, India or the U.S. — if it is storing the data of an EU citizen, it must abide by the General Data Protection Regulation or face fines.”
When you consider there are 99 articles and 173 recitals regarding something that is widely considered a regional matter, it’s hardly surprising those outside the EU are slow to take notice. Even those of us in the UK who have had endless exposure to GDPR are still not entirely prepared. The reality, however, is that even if you are based on the other side of the world, if you have even a single user inside the European Union and your company is not GDPR-compliant, you may be putting 2-4 percent of your global revenues at risk.