• Helen Pritchett

GDPR – Plus Ça Change?!

It’s been seven months since GDPR came into effect; are we in a new era of data protection?

Do we have more control of our personal data? Or has the collection of data just been repurposed from the covert to the overt? Are we still giving away as much data as before, possibly more, but doing so in the explicit knowledge that we are sharing our personal information? Now that data gatherers are more explicit in their data collection, they seem confident in asking for more data and, consequently, we are sharing even more detail about ourselves.

After the initial ‘inbox invasion’ of emails requesting you to agree to continue accepting correspondence from brands, life appears to have settled. However, it won’t have escaped your notice that consent is requested with every new visit to a website. Each time we click we are overtly agreeing to what we had previously tacitly agreed to. Plus ça change, plus c’est la même chose! Do we feel safer? More protected? Do we believe our personal data is better safeguarded? Or is it situation normal? Is data collection simply more obvious?

Each request to accept cookies and provide consent shows that the legislation is working and that organisations are delivering compliance. GDPR seems to be doing its job. Companies are sticking to the letter of the law, but has this made a difference to the way our personal data is collected and shared?

Gary Neal, COO of Smartology, comments on the confusion and complexity of consent: “I would argue that the multiplicity of ways [GDPR] has been implemented across websites makes it hard for users to understand what they are confirming or consenting to for their data usage. As GDPR wants specific consent for specific purposes, I would question whether a user of a website, for example, would understand the difference between functional cookies versus strictly necessary cookies.”

GDPR’s impact should not be under-estimated.

GDPR has had a huge impact on UK industry; businesses have had to become GDPR-compliant and to create pro-GDPR cultures. Consultants have been consulted and processes have been processed. Systems have been updated and policies have been formulated. GDPR has been challenging and a recent report suggested that, worryingly, 27% of companies have yet to begin work on making their organisation GDPR compliant – many months after the May 25th 2018 deadline has passed! (SuperOffice). In fact, research from The Ponemon Institute found that 60% of tech companies weren’t ready either. Those stats are a bit scary when you consider the potential ramifications. There are tough penalties for organisations which don’t comply with GDPR; fines of up to 4% of annual global revenue (or up to 20 million Euros) can be levied.

But it’s not just about IT systems and processes – the whole sales and marketing process is under scrutiny. How you market to and contact prospects is affected by GDPR and the use of personal data. Consent and legitimate interest are key. Citrix’s chief security architect Chris Mayers states “There is still a strong chance that a number of organisations could be struggling with issues around data sprawl, the volume of personal customer information and uncertainty around data ownership, as our research from around a year ago suggested. The poll also found the average large UK business was reliant on 24 systems to manage and store personal data, with one in five (21%) using over 40 systems to do so. Tackling such data sprawl wasn’t easy then and won’t be now, if still the case.”

Is Marketing Automation to Blame for Turning People Off Email?

Believe it or not, it is 40 decades since the first B2B marketing email was sent by Gary Thuerk. The email resulted in $13 million of sales for Mr Thuerk, but he also earnt also the moniker ‘father of spam’. His email provoked an angry response; 40 years on the ‘blast’ emails approach is still being used but have we reached saturation point and will GDPR address this?

Marketing automation is a great tool when used appropriately. However, if used as a method through which to blast broadcast emails it can be an absolute turn off. Customers weren’t born yesterday, and they don’t really believe in personalised messaging. A mix of communication channels is the way forward.

GDPR has forced companies to change their approach. Many went for the opt-in approach and, in so doing, suffered huge opt-outs dramatically reducing the size of their databases. However, some saw this as a positive. After all, what is the point in contacting people who are not engaged? Better to have a small list of people that really want to hear from you rather than a huge list of disinterested people.

We all agree spamming customers is a no-no. As an industry we need to be more creative, more proactive and more responsive to our customers’ needs and wants. Email can still work, when used appropriately, but we need to think laterally and come up with new, handcrafted, relevant ideas to communicate with our target audiences.

Are We Better Off Under GDPR?

In conclusion, I’d like to refer you to a great article in the Financial Times, which recently suggested that no, we’re not better off. Surprised? Yes, so were we, but the article makes a lot of sense. Journalist Izabella Kaminska proposed that despite all the initial hoo-hah, in reality, retailers and service providers still hold all the power in the data relationship. Organisations still harvest data There is no option to use an alternative version of their website if you don’t want your data harvested. You are expected to tick yes if you want to carry on accessing material or services. Does this provide us protection and choice? No!

Data mining and harvesting continues but now it’s done with our consent!

However, there are also many positives:

  • Customers who have chosen to continue interacting with organisations are likely to be more engaged, resulting in more positive sales relationships

  • Over 70% of organisations are (apparently) GDPR compliant

  • The importance of data protection is gaining more global exposure

  • GDPR has improved cyber security measures and organisations are paying closer attention to how they store, transmit, and process personally identifiable information

  • Organisations have no option but to be more responsible and transparent with the way they collect, handle and store personal data

  • GDRP is apparently inspiring (or at least informing) similar laws around the world, from India to China and from California to Brazil

Research shows that industry experts have mixed opinions on the efficacy and success of GDPR thus far. There is a legal case in progress; AggregateIQ (the firm that processed data for Vote Leave) was served by the ICO with the first formal notice under GDPR in September. It has since appealed, and the result is yet to be decided. We await the outcome with interest to assess the real impact of GDPR.

Whether you believe GDPR has ‘worked’ depends how you view the legislation in the first place and this can depend on whether you are in a B2B or B2C environment. We’re in the B2B camp and so are writing from that perspective. As a marketing services agency we contact prospects by telephone, direct mail and email as well as interacting with them on social media. We do this within the letter of the law and on behalf of a range of clients. GDPR hasn’t changed our processes, we were already working to very high standards and within all legislation and regulation, but it has caused us to explain and document our processes for the purposes of clarity and compliance – which is no bad thing!