Why GDPR isn’t a compliance challenge – it’s a customer relationship opportunity
Today marks just one year until GDPR - the new EU data protection regulation - comes into force. In the coming months, MyCustomer will be explaining how compliance with the regulation should only be the starting point, and how it can be the catalyst for a wider improvement in customer engagement. In this opening article, expert contributor Will Kemble-Clarkson makes the case for going beyond compliance.
Up until now, thanks to their customers signing up to lengthy, impenetrable T&Cs that they’ve never read, businesses have been able to use customer data in ways their customers know very little about.
Subsequently, highly profitable business models have been built around access to this data, under the assumption not only that this freely available data would remain accessible in perpetuity, but that its volume and detail would improve.
That is all about to come to an end.
The EU General Data Protection Regulation (GDPR) is coming into force a year from now for businesses and consumers alike, and it is easily the most important, impactful regulation in recent times. Rooted in harmonising consumer rights across Europe, it strengthens consumer rights around how data is collected, used and shared as well as introducing a raft of new regulations that put consumers in control of their data.
But the businesses that see this as purely a costly compliance matter are missing the wider, strategic point: this is a catalyst for a fundamental shift in the digital economy. The dynamic of power is moving increasingly into the hands of the individual, and the businesses that recognise that contextual change are using GDPR as an opportunity to fundamentally rethink their customer relationships.
At present, many organisations have assigned responsibility for tackling GDPR to their compliance teams. Whilst compliance will focus on (the very important work of) ensuring that the business will meet minimum viable GDPR (MVGDPR) compliance by the May 25th 2018 deadline, they won’t be looking at the impact compliance will have on the customer experience or the product. Other key business functions – such as product, marketing and customer experience – should also be thinking about the implications for how they operate.
Businesses that fail to grasp this wider point when designing their GDPR response risk a far worse consequence to their business than a whopping regulatory fine – they risk hemorrhaging their customer base.
Here are five parts of the regulation that we see as critical for the wider business to get to grips with:
1. Consent: This is the beating heart of the regulation – the obligation for businesses to ensure that their customers understand what data is being collected and how it’s being used, and to get their affirmative, unambiguous consent to use it. Pre-ticked boxes, bundled permissions and suchlike will no longer be allowed; businesses are going to have to think carefully about how they present their case for access to customer data. GDPR also requires that businesses make it as easy to withdraw consent as it is to give it, so the permission will need to be earned and maintained.
2. Profiling: Customers will have the right to opt out of any form of automated profiling, which impacts everything from CRM and direct marketing to customised pricing. This will push businesses to be transparent about how customers’ data is being used and, critically, whether the value being created is balanced in the favour of the customer or the business.
3. The right to opt out of marketing: Once this is requested, all marketing must stop immediately. Consumer research has indicated that over 60% of customers will refuse permission for marketing. Combined with the right to be forgotten (see below), this means businesses will permanently lose access to the majority of customer data, which will kill growth and push costs up, especially acquisition costs, hammering margins.
4. The right to be forgotten: Once a customer has decided to leave, they can request that all of their data is erased. The technical implications of deleting data from a multiplicity of databases aside, this will also impact systems that rely on the data to power CRM, pricing and other core resource management functions. Plus, from a marketing perspective, it also means retargeting past customers will be impossible.
5. Data portability: Customers will be able to ask for a copy of their personal data in a machine-readable format. Whilst we’re still awaiting regulator guidance on the volumes of data and format (e.g. API versus CSV file), this is going to drive competition. Sectors that have become complacent in the face of consumer inertia (financial services, for example) could find GDPR increases the chances of disintermediation. Customers will be able to give competitors access to their data to create a new value layer around the customer; possibly leaving the incumbent business with all the costs and the new service with all the margin.
If you’re reading this as someone responsible for any part of the customer experience and it comes as, if not a surprise, then much more than you’d expected, you have some hard yards to travel over the next 12 months. However, provided you follow some core principles in your response, you should be fine.
- Step one: Move, because the deadline won’t. As the old saying goes, the best time to plant a tree is 50 years ago, the second best is yesterday and the third best is today. Whether you need to start from scratch, or build on an existing plan, in order to use GDPR as an opportunity for growth, you’ll need to start planning today.
- Step two: Build a foundation of knowledge around the data. Run a data audit to identify areas of risk, where data is being used in a non-compliant way. Once you have mapped out the risk areas, cross-reference this with how becoming compliant will impact your business area if no action is taken other than the steps required by GDPR. For example, asking customers to consent to profiling without being clear about how that profiling improves their experience will likely result in a firm “no”.
- Step three: Agree your ‘GDPR for Growth’ strategy. With constraints of time and resources, focus on the hotspots: the core business functions like marketing and CRM that will be negatively impacted by MVGDPR. Where will you aim to achieve minimum viable compliance, and where will you drive to improve the customer relationship?
- Step four: Test, learn and iterate. Apply the same practices you use to develop new products and services: understand what your customers think of how you use their data, and explore design options for consent journeys. You are operating in uncharted waters so make sure you’re able to adapt to what you learn.
At all times, ask yourself: what would the customer want? GDPR is complicated and there are still areas where the guidance is not clear. If you can keep the customer at the centre of your decision-making process then you will at least be compliant with the spirit of GDPR, even if not the letter – which the regulator and, more importantly, the customer may forgive you for.