This weekend marks one year since Europe’s General Data Protection Regulation (GDPR) came into force. And after a soft start, European regulators are now shifting gears.
Privacy advocates continue to launch legal action, investigations are ramping up and the ad industry is bracing for more fines.
Take for example key figures from the French watchdog CNIL, which recorded a 32.5 per cent increase in the number of complaints of privacy violations in 2018 compared to the year prior. It also issued the biggest GDPR fine to date, ordering Google to pay €50 million. (The search giant is now facing a brand new investigation into its advertising practices from Ireland’s Data Protection Commissioner.)
Regulating digital privacy has also spread across the globe. The introduction of the California privacy law (CCPA) in 2020, which could still be preempted by federal legislation, means businesses are facing a more complex landscape of privacy regulations.
In fact, Gartner’s recent emerging risks monitor identified that risk professionals believed rapidly accelerating privacy laws were a key liability facing organisations.
But first a quick recap. Thanks to the extraterritorial design of GDPR, Australian businesses that collect or handle the personal data of EU citizens must comply with the law.
While GDPR does have significant overlap with Australia’s existing privacy laws, it goes further by requiring more explicit consent from consumers for their data to be used and by giving consumers more power to opt out of targeted advertising or request that all data pertaining to them be erased by an organisation.
And the penalties are bigger. Breaches of GDPR can result in fines of up to 4 per cent of annual global revenue or €20 million (A$30 million), whichever is larger. Compare that to Australia, where falling foul of the Notifiable Data Breaches scheme will cost you a maximum of A$2.1 million.
But the big divergence, according to Dr. Gero Decker, co-founder and CEO, Signavio, is the significant difference in the perspective underlying the Australian Privacy Act 1988 and the GDPR.
While Australia’s law focuses on securing information, Europe’s laws — and others emerging around the globe — go to the heart of who owns the data and what businesses can do with it.
“We have a situation where Australian organisations are undergoing not only a practical shift in making sure their privacy policies are up-to-date, but also a conceptual shift in their role as data collectors,” Decker said.
“So, Australian organisations are coming around to the view—albeit slowly—that customer data doesn’t belong to them, it actually belongs to the customer, and the business is just processing it for them.”
As part of its services, Signavio performs company-wide audits of all processes to determine which ones are not yet in line with GDPR requirements. A provider of cloud-based process modeling and management systems, the business then helps organisations become GDPR compliant and maintain that compliance over time.
“The Privacy Act is in many ways seen in Australia as a cyber security policy, helping businesses to understand their responsibilities in terms of governance, as well as providing the information they need to avoid penalties for a data breach,” Decker said.
“On the other side, the GDPR is very consumer-focused and rights-based. The emphasis is very much on a pro-consumer regulatory approach to what companies can do with data, as well as obtaining consumer consent, and so on.”
12 months on
GDPR has serious implications for marketers, leading them to rely less on behavioural data to target ads and more on gaining consent for data collection and processing.
Nicki Dewhurst, Marketing Director, APJ of cybersecurity company Sophos, admits to being “reasonably terrified” when GDPR came into effect last year.
“The preparations were extensive and included internal education and processes being reviewed and changed,” Dewhurst told Which-50.
“A year on and both marketing and how we go to market at Sophos have changed.”
For example, Dewhurst says Sophos gates fewer assets than it used to, meaning users have fewer forms to fill in. They also strive to make calls to action instant and action-based.
The regulations have also had an impact on the marketing mix, with a strong focus on social media and public relations to drive meaningful content that resonates with buyers.
“Content that is clear, precise and relevant is king, even more so than it was a year ago,” Dewhurst said.
“Ultimately, how we, as marketers, connect with buyers is becoming more complex, real-time and seriously dynamic. We need to be even more agile than we were a year ago, even though some processes take longer to follow.”
Avanade CMO Stella Goulet says the laws are a continuation of the changes already underway for marketers.
“Over the past few years the CMO and the marketers’ role has become as much data and science as creative with all the technology, tools and analytics. GDPR is just another aspect of that — of being able to manage data, technology and information,” Goulet told Which-50.
A member of Forrester’s CMO Group, Goulet noted there were steps marketers could take to prepare for the introduction of GDPR, including building preference centres, taking actions to encourage consumers to sign up and sign in, and deploying marketing automation systems which consolidate data to provide a single view of the customer.
And one year on, the results are “a mixed bag,” she says.
Companies without a relationship with their customers are either struggling or they are ignoring the law.
“I’m still getting as many emails as I used to that are unsolicited.”
On the other hand, the laws are a positive for companies that care about customer experience and are further along the technology maturity curve, Goulet says.
“For those companies that care, particularly the ones that are more mature on customer experience, they see it really as an opportunity to be more targeted to who their real customers are and put the effort into understanding them and their preferences and building permission-based relationships.”
Back to basics
Juliette Rizkallah, CMO of SailPoint, argues marketers should take GDPR as a sign to get back to the fundamentals of marketing, rather than “a kiss of death”.
“What we’ve witnessed is that people are using data to blast users with targeted messages on a daily or even an hourly basis. We are seeing a lot of noise right now, and to be effective, we want to cut through that noise at SailPoint,” she said.
Rizkallah argues marketers need to work harder to make sure a prospect is more inclined to share their personal contact details.
“This is where GDPR has really left its mark – forcing marketers to think differently about how to influence their audience so that they will share their personal data with us. Marketers should consider this sharing of personal data as a precious asset that customers trust them with and communicate at a more intimate level.
“Data privacy regulations like GDPR and CCPA were established in the first place to make companies do what they were not willing to do on their own. And as marketers shift their focus on less mass marketing to more targeted programs, the results will pour in while privacy will be maintained. This has been, by far, the biggest ‘side effect’ of GDPR that we have seen, from a marketing perspective.”