One year on: How has GDPR changed the customer data landscape?
It's a year since the EU's General Data Protection Regulation (GDPR) came into force. How has the legislation changed businesses and their customers' approach to data?
The maelstrom caused by last year’s GDPR deadline date was unlike anything the world of business had previously experienced.
Confusion, panic, ignorance, consternation, blithe bewilderment: this was the range of complex emotions that most business leaders were feeling at any given moment in the build-up to that fateful day.
And then the repermissioning emails started. Thousands of emails. Every brand, both in and out of the EU, took the safest option with their customer databases: asking customers to re-opt in to their communications, often with cull-like effect and, in some cases, simultaneously breaching existing EU data laws in the process.
In the aftermath, there were a few big-name fines and some data breaches revealed early under the new guidelines. Brands scrambled to appoint data protection officers. And then, things settled down. Normal service was seemingly resumed.
What’s changed with customers?
GDPR undoubtedly led to a greater public consciousness about the value of personal data. As stated in a significant RSA study conducted this year, consumers have a more general awareness of data protection, and have started to take action to control how their data is used.
This has, of course, affected businesses: according to a survey from Airship, the average opt-in rate for marketing communications declined from 9.3% to 7.7% worldwide following last year’s GDPR deadline date. And at the recent Gartner Customer Experience & Technologies Summit in London, analyst Don Scheibenreif revealed that a growing trend is consumers erasing all of their online data altogether.
“By 2025, we predict that one-third of consumers will have effectively ‘disappeared’ as a result of wanting to be anonymous online.
“We are seeing the effects of GDPR in that consumers are, for the first time, starting to choose trust and privacy over convenience.”
The ‘effect’ of this is felt in the fact that businesses are struggling to respond to an increase in requests for erasure – only a third of businesses in a sample study from Macro 4 were compliant with the correct process for those requests.
The RSA study also highlights that there remains a disconnect between consumers and businesses. This is emphasised by a large-scale survey from Ogury, which found that 52% of consumers globally still don't understand how their data is used after reading consent forms and privacy policies. Only 8% of consumers feel they have a better understanding of how companies use their data since GDPR’s introduction.
“What’s frustrating is that for many businesses, hundreds of hours have been spent redesigning contracts, privacy policies and notices, and understanding how their organisation is using data,” says Kim Smouter, head of public affairs and professionals standards at ESOMAR.
“This is a good thing, an overdue audit that many companies would not have undertaken were it not for GDPR. These companies are talking perhaps for the first time in the organisation’s history about purpose limitation, who has access to it, can we share it, did we get the right permissions. These are the kinds of changes that GDPR sought to instil and for some has successfully done so.
“But one year on, what’s striking is that we don’t seem to have moved that much further than where we were when the GDPR was adopted. Sectors are still all universally struggling to allocate processor and controllership roles as one very concrete example. Despite a lot of guidance issued, the legislation seems to be creating more complexity.”
What’s changed with business?
GDPR was supposed to represent a sea change in how businesses approached the processing, collection and storage of customer data, but a year on from its official implementation, many businesses have found themselves slipping into old habits.
“From our perspective, the widely-publicised stories about crippling fines associated with data breaches post-GDPR have mostly failed to materialise and, as such, it’s been business as usual for a lot of the organisations we speak to,” says Mike Cohan, the CEO of tech consultancy, Evaris.
“In a survey of 1,021 UK workers carried out by MarketingSignals.com, one-in-three businesses (37%) confessed to not following GDPR, despite the warnings given before the 2018 deadline.
Larry Kotch, a consultant and founder of Brainy Marketing, is frank in his assessment of how his business approached GDPR:
“I run a marketing agency and deliver email marketing campaigns for over 30 B2B clients. I've had several exchanges with the ICO (the UK data regulator) during GDPR, and I can give you god's honest truth: not much has changed.
“Unfortunately, what GDPR seemed to do, above everything, was destroy a lot of company value off European companies who had useful data and probably over-complied with the warnings. At the same time the big internet companies that were really the target of this sort of thing (like Facebook and Google) have easily adapted since they have bottomless pockets. I see the new internet privacy regulations (such as Article 13) and GDPR as sustained movement in this direction, and I believe it will unintentionally harm the companies outside of that monolithic status, more and more.”
This viewpoint is shared by eMarketer’s principal analyst, Bill Fisher:
“Smaller companies have faced significant difficulties and, as such, the regulation actually seems to have benefited the duopoly of Facebook and Google.
“However, there are signs that the various regional agencies are pushing harder than ever to take to task the digital behemoths. Recent data breaches affecting Facebook, for example, are prompting agencies to push for the maximum fine of 4% of worldwide revenue, which equates to around $1.6 billion. Facebook and Google have deep pockets, sure, but there are only so many fines that they’ll be willing to accept.”
Data breach fears
Despite the attempts to level the playing field, the true test of any organisation’s approach to customer data may ultimately be decided by their actions in the wake of any serious data breach. SAP research, for instance, estimates that if an organisation does not take adequate steps to secure customer data and loses 50m records, it would cost their business $350m.
“If you approached this as a one-off activity with the goal to meet the legislation, then of course you’re going to slide back into what you were doing before,” says Jim Roberts, founder of Blackler Roberts.
“If, however, this exercise has changed how you approach the use of personal data and you now consider the implications of what, how, when, where and who uses this data you will have gained greatly, as the culture of personal data use will have provided the key benefit of GDPR to businesses: trust.
“Customers and specifically repeat customers build a relationship with your business and trust is key to this, with the use of their personal data having a big impact on this.”
However, William Dummett, chief privacy officer at Genesys, believes there are plenty of examples of businesses starting to heed this call:
“A few years ago, it was rare to have a discussion about data privacy early in the sales cycle. Now, it’s almost always one of the initial topics customers want to talk about. Companies in all industries are thinking about the data they control and how it’s protected.
“We’ve also noticed that companies are much more aware of data minimisation. Companies used to want to collect and store as much data as possible, with the idea that it would eventually be useful. Now, companies are asking themselves ‘do we really need this data?’ and deleting personal information as soon as is practicable.”
As many voices in the industry have often explained, GDPR was always meant to be part of a journey for organisations, not simply a box-ticking exercise that ground to a halt after the 25th May 2018.
A year on, what’s clear is that there has been no single route all businesses have taken, despite the best efforts of regulators to make that happen.
Chris was an Editor at MyCustomer from 2014 to 2022. He is a practiced editor, having worked as a copywriter for creative agency, Stranger Collective from 2009 to 2011 and subsequently as a journalist covering technology, marketing and customer service from 2011-2014 as editor of Business Cloud News.