Why GDPR is no longer the wolf at the door
A year since the EU’s General Data Protection Regulation came into force, brands’ worries about its impact have faded, but that doesn’t mean the job is done.
Much was written about the General Data Protection Regulation (GDPR) ahead of it coming into force last May, and while the opportunities were highlighted, the overriding reaction from marketers was confusion, frustration and fear.
One year on, and much of that scepticism has dissipated as marketers realise GDPR need not be the monster many made it out to be.
HSBC’s Simon Kaffel, who is head of data, reporting, information and control, believes brands are better off as a result of GDPR, both in terms of data management and from a training perspective.
“I hear horror stories about some companies using archaic processes to manage data. There are still major concerns about data breaches that need to be addressed, but GDPR has brought in an enforcement of training and also a requirement that data is held in a secure way,” he adds.
“While there are significant penalties for not being data-compliant, so much of GDPR is just good data management practices. This is good from an IT perspective and means the customer will trust [brands] more.”
He believes it has also pushed data up the agenda for marketers, resulting in better collaboration between teams.
“As a result of GDPR, marketing needs to be significantly more aligned to IT, legal and operations departments to ensure the whole supply chain of data, from capture through to storage and ultimately use, is efficient, effective and auditable,” he says. “Data is now a high consideration for marketing, when perhaps it wasn’t before.”
Another benefit, according to Dom Dwight, marketing director at Taylors of Harrogate, is the fact brands are able to take a more considered and selective approach to marketing. He says his team now “probably does fewer things better”, such as sending fewer, more relevant emails. “GDPR challenged a previous, slightly complacent mindset,” he admits.
This is in keeping with recent research from the Data and Marketing Association (DMA), which reveals 56% of marketers are more positive about the effects of GDPR, given they have seen a marked increase in returns on every £1 spent on email, from £32.28 in 2017 to £42.24 today.
The majority of marketers have also seen an increase in email open rates (74%) and click-through rates (75%) over the past 12 months, while a large chunk have reported a reduction in opt-out rates (41%) and spam complaints (55%) over the past year.
A separate study by the DMA shows a greater proportion of marketers now feel the benefits of GDPR outweigh the cost, with the figure rising from 16% prior to 25 May last year to 32% in late 2018.
So while Dwight says this time last year, when the law came into force, was an “intense” period involving the scrutiny of decades of data, that work has now been done and today GDPR compliance is no longer a major undertaking.
Many marketers agree on this point, although they freely admit that a renewed focus on the experience of the end user is still required. Mojo Mortgages’ director of digital, Andrew Gorry, says that an element of mistrust still exists between brands and consumers.
“Marketing can prove a useful tool in rebuilding trust that has been lost, by operating in a transparent manner,” he says. “Explicitly asking for customer consent, clearly stating why and what information is needed as well as how it will be used is the only way consumer trust will be restored.”
HSBC’s Kaffel adds: “GDPR has provided a framework for correctly managing customer data, which should be good news for the customer, who will trust the company and for the company, which should be able to maximise the value received from its use.”
However, as the policies do provide “wiggle room”, he says alignment with legal teams is vital, while also ensuring data is used in an ethical way.
“Any lawyer worth their salt will look at interpretation while following the letter of the law, so you can ensure you adhere to the guiding principle but also do what’s best for your company,” he says.
Keeping audiences engaged
In order to offer personalised experiences that keep audiences engaged, Aimee Treasure, marketing manager at international recruitment company VHR, stresses that marketing teams must be involved in the data acquisition and management processes. She believes that marketers “definitely” have the potential to have more impact as a result of GDPR.
“The new legislation forces them to be creative, and to create the kind of content that will draw people to them. We have seen higher engagement, higher website traffic and higher satisfaction as a direct result,” she claims. On the other hand, she warns that flouting the rules by claiming ‘legitimate interest’ in any and all communications sent out will result only in brand damage.
A focus on actively enticing prospects is echoed by Stuart Kelly, head of data and technology at Reed Exhibitions. He took the lead on the global event organiser’s response to GDPR and says: “It made us accelerate our transition from a push marketing approach to pull. To enable this we are undergoing a restructure of our marketing function, to enable sharper focus on channel and content strategy, driven by analytics and insights.”
The data function has moved away from being seen simply as a support function, he says. While ultimate responsibility for GDPR sits with the data and legal functions, marketers have to spend much more time on devising a considered approach and interaction with customers.
Certainly GDPR compliance was a complex exercise, involving numerous stakeholders across all industries. While aligning a number of teams can be challenging, Phil Tennant, operations director at estate agent Countrywide, says the changes it has made to its communications approach as a result mean marketing has become more strategic.
Countrywide worked with IT services company Technology Blueprint to streamline its communications, allowing customers to select from a variety of preferences, meaning its approach is now much more “conscious”.
Ad veteran Guy Phillipson, chairman elect at JICWEBS, the Joint Industry Committee for Web Standards, however, believes the vast majority of stakeholders left it far too late to prepare. He also believes that the giants like Google and Facebook will find it much easier to get consumer consent, partly by asking “for a whole bunch of services in one go”. As a result, he suggests “the continued growth of the duopoly has arguably been helped by GDPR”.
Phillipson also points to a tangible nervousness around fines, on the part of CMOs. In his opinion, there is now increased emphasis on digital marketing techniques which have no GDPR ramifications, naming search and influencer marketing by way of example.
Nevertheless GDPR was “the right thing to do”, he says. “We don’t know what tech will come in the future. It’s forced us to be clever about first-party data, too, which is gold dust.”
Communications expert Stefano Hesse agrees that it is a very positive thing if technology giants need to think more carefully about the wider impact of their services. Having worked in senior corporate communications roles at both Facebook and Google for many years, he says Facebook’s policy team is now “driving” the business. He is adamant that GDPR will have a positive effect, globally.
Smooth transition
Those who have found the transition to compliance easiest are perhaps unsurprisingly the brands which already took privacy and engagement seriously, even before the new laws came into force.
Nicola Smedley, director of supporter engagement, individual giving and loyalty at Cancer Research UK, says the charity had already taken a lead by asking people to opt in to receive fundraising communications in July 2017. “This meant we were ahead of the game,” she says.
“By putting our supporters’ wishes at the heart of our marketing communications and contacting them only in the way they ask us to, we are achieving a greater level of engagement, loyalty and quality of data.” Nevertheless, she admits that GDPR still required a “substantial” programme of work, across the entire organisation.
However, businesses with more questionable databases – comprised largely of contacts with whom the business may not have had any recent contact, or individuals who had given details simply to enter a competition – will have found this period particularly challenging.
Gemma Bacon, brand and marketing director at broker Mortgage Advice Bureau, which handles £14bn worth of loans annually, says: “For many businesses GDPR meant their databases diminished overnight, generating a sense that valuable data had been washed down the metaphorical drain. But how valuable was that data really? These were likely to be customers for whom your emails had popped into their inbox and they speedily swiped delete without a second thought.
“Undoubtedly the pond we’re all fishing in now is smaller but the quality and therefore the conversion are likely to be much better,” she adds.
Gracia Amico – who is a non-executive director and board advisor for a variety of retailers and brands, having worked in global ecommerce roles at a number of fashion and ecommerce companies – says: “Often you couldn’t target those on your database and you had to start all over again.”
Nevertheless, she believes GDPR has “sharpened the minds” of marketers, forcing them to “clean up, and to be more effective”.
Viewpoint: Jim Muir, head of marketing, Best Western Hotels GB
“There was a fair bit of work in the run up to GDPR implementation but if you were reasonably consistently applying the principles of the previous Data Protection Act, the key difference was the more severe implications of getting it wrong, and the need for a positive opt-in [by consumers to receiving marketing].
“We had an added complication in that our reservation system is global and hosted in the States. It was our responsibility to find out where all the data was going and to document it.
“The most work for us was around a massive education piece for our hotels. I did a one-hour presentation last January and we ran a series of seminars on topics such as privacy statements and how to capture data.
“It was quite good housekeeping. For instance, we were able to build in a process to delete redundant data and only pass on what’s needed. That’s a really useful approach. Now we only share what we actually need. Some businesses were emailing people they last spoke to 10 years ago and they had no idea whether they are even alive or not. So in this respect it was useful.
“I got lots of good information from the DMA’s legal team. We were always quite cautious anyway. We did not have a huge legacy database. Re-permissioning was probably the biggest annoyance. We had to update a few contracts and it felt like a lot of work at the time. But we’re a lot more transparent than before. That said, a year on, as for whether Joe Public notices or cares, I’m not sure.”
I’m sorry, but that’s a flawed and frankly dangerous approach to GDPR. What we have seen so far is simply the beginning of GDPR and not the end. So I would caution any advertiser who thinks that GDPR compliance is a “one-and-done deal”.
Right now seven European data protection agencies are investigating what can only be described as the core functions of behavioural advertising and real-time bidding. The outcome of these investigations can potentially have profound implications for digital marketers.
GDPR is not a done deal. Advertisers need to closely follow court and regulatory rulings and be ready to swiftly adjust their marketing practices.
Regards,
Holger Wilcks
CEO, Danish Association of Advertisers