GDPR’s First 100 Days: What’s Next for the Industry?

On 2nd September, GDPR legislation passed the 100-day mark. You’d be forgiven for missing the occasion; nestled surreptitiously amongst the noise of ‘Back to School’, the first three months of compliance have passed largely without note. In this piece for ExchangeWire, Nick McCarthy, SVP data solutions, Merkle EMEA, looks at what has happened since the GDPR was implemented and what the industry should expect next.

As brands and marketers return to their desks, they would benefit from taking stock of the subtle shifts in the landscape that have been taking place. Whilst it’s true no landmark fines have been handed out yet under the new regulation, in the UK alone data protection complaints to the watchdog have more than doubled since 25 May, and large-scale data breaches (British Airways being the latest) are increasingly in the public eye, with companies legally required to come clean to the ICO quickly. Couple this with the fragility of consumer trust in brands, and the fact that nearly a third of organisations do not feel compliant, and it is clear that GDPR could be a double-edged sword, if handled incorrectly.

So, how can marketers ensure that GDPR creates an opportunity and not a cliff-edge?

Firstly, they must understand the biggest changes that have taken place thus far, even if they have been largely under the radar. Despite the fact no one has been slapped with a huge fine under GDPR just yet, there have already been a number of hidden casualties. Non-compliant suppliers, whether those who were knowingly non-compliant when GDPR was implemented or those who have taken no further action even after warnings were issued, are now facing the consequences.

In a process that began in the weeks before GDPR-day, we’re continuing to see non-compliant players slope off outside Europe, or close divisions that could run the risk of falling foul of GDPR. As more guidance emerges, suppliers will need to remain flexible and open to making further changes in order to remain compliant. In addition, advertisers will need to ensure they have strong auditing processes and be ready to be audited themselves.

Ostensibly unsettling for those already spooked by the legislation, this correction in the market will nonetheless prove beneficial for the entire industry in the months and years ahead. Flushing out bad players, so to speak, will lead to a higher quality data system for all – ultimately creating a virtuous cycle of more relevant marketing and improved customer trust.

The other hidden casualty – closely guarded by those brands that have suffered the deepest wounds – is the customer database. Indeed, since the onset of GDPR, many brands have found their databases whittled down from bursting at the seams to positively anaemic. Some brands have had the number of opted-in consumers decrease from millions to hundreds of thousands. This may seem like a substantial blow on the surface, but the streamlining of databases presents brands with the valuable opportunity to create a new dataset of customers they know are receptive to their marketing and, most importantly, trust the brand.

In order to meet both these challenges, brands and marketers will need to adopt a people-based approach to marketing. Post-GDPR, customers are finally in the driving seat and marketing success will be determined by brands’ ability to gain and retain access to consumer data on an ongoing basis.

Success will only be achievable if brands ensure that wherever the customer appears – whether that be online in the digital ecosystem, over the phone, email, or in person – they are treated with respect and transparency, and not merely viewed as a number. This requires taking a single view of the customer, based on multiple data points, in order to create a consistent and relevant brand experience across a number of touchpoints. In the industry, we know that leveraging identity management to enable this consistency will be key. Doing so will build trust and transparency and will foster a much more robust relationship between brands and consumers in the long term.

It’s worth bearing in mind, however, that GDPR is just the first step in a bigger shakeup of the marketing industry. The House of Lords report into marketing last year had a strong focus on the digital marketing ecosystem and, with further recommendations for reviews by the ICO and the CMA, and the consumer body Which? monitoring the situation closely, we can all expect more change.

Moreover, whilst the ePrivacy Directive may be delayed, we’re likely to see an increasing pace of legislation in this area in the coming months, not only in Europe as more enforcement cases come to light, but also as GDPR standards permeate other geographies across the globe. Already, we’re seeing other locales adopt GDPR-esque legislation; California’s Consumer Privacy Act was signed into law in June this year, closely following a similar bill in the State of Vermont.

A similar pace of change will also be seen in the technology available to manage the regulation – both for marketers and consumers, whose control over their own data is only set to increase; privacy-tech is becoming a 'thing'. Adopting a people-based marketing approach – putting consumers before clicks – is the only surefire way to stay ahead of the curve.