There were varying degrees of readiness in the marketplace for the introduction of GDPR on 25 May. Larger businesses are typically further forward, given their ability to allocate resources and create specific project teams. Smaller companies are either bringing in outsourced partners or more often having to absorb the requirements into ‘business as usual’, which was always going to make meeting deadlines more challenging.
That said there was always an acknowledgement from the Information Commissioners Officer (ICO) that all companies may not be 100% compliant by the 25 May 2018 deadline, however, as long as there is work on going and plans in place, this is a good start.
Larger organisations face additional challenges with governance and might simply have lost track of access privileges. For example, do internal analysis teams really need access to customers’ names and addresses? There is a blind assumption that big data analysis and data science requires access to personal data. It doesn’t.
One of the major hurdles is that some of the legislation is very technical. Depending on whether organisations and team members have had to deal with similar requests previously will depend on how easily GDPR changes can be translated into day-to-day working practices.
The GDPR data reforms are designed to reflect the world we're living in now so all businesses have a responsibility to address their data ownership and use. There has also been a two-year transition period so there is a reasonable expectation for businesses to have organised themselves to be ready.
The issue of ‘marketing consents’ is the number one challenge facing brands post-GDPR. Consumers have been receiving an extreme number of emails asking them to opt in to marketing communications. It is reasonable to expect the size of marketing databases to reduce but perhaps the silver lining will be improved marketing campaign efficiencies. Brands can also use the legitimate interest clause for communications and providing they have created a number of scenarios as to who can fall under this category and what they can do with these eventualities. Customer service via social channels, competition and promotional prizewinner liaisons are examples of these.
Consultants and analysts who have well-designed data management processes are likely to be at a significant advantage – for example they may already operate on the basis of data minimisation and anonymisation, while at the same time having no system access to any of a client’s personal data.
Any new situation can seem daunting and there is a real danger that many teams will experience uncertainty and perhaps even a certain amount of ‘marketing paralysis’ as a result. No brand wants to be on the receiving end of an ICO complaint/enforcement action. The maximum fines of €20 million or 4% of annual turnover will be a significant amount for any company to have to pay.
It is important to note that there is a range of actions other than fines that the ICO can take that are more likely, certainly when a business has made a concerted effort to be compliant. These include warnings, reprimands, ordering specific compliance requests and communicating data breaches.
Marketing teams are undoubtedly one of the most impacted departments by GDPR due to the amount of consumer information and data used in marketing campaigns. However, stay calm and do what marketers do best - focus, target and creatively execute. Targeted campaigns might be reaching a smaller circulation but they will be reaching people who are engaged in your brand and want to hear from you and the rewards will be reaped in results and cost efficiencies.
Now is not the time to panic! Well thought out brand strategies, hyper-targeted campaigns and strong insight-led creative will continue to drive success post GDPR.
Peter Harris is data science director at If Agency