Data security and the protection of personal information have long been hot topics in the marketing industry. With data protection regulations such as GDPR spearheading many changes to data management and information security in the EU and beyond, we’re answering the question: What is GDPR and why is it important?
If you process personal data of EU citizens, then your organization is affected by GDPR. Customer data is essential for marketers to deliver targeted ad campaigns, but with the increased enforcement of privacy regulations, industry players can’t afford to get it wrong. Not only do they risk significant fines, but they may also lose valuable customer relationships that have been built over a lifetime, and suffer reputational damage.
In an era where privacy and trust are paramount and consumers are unforgiving, the penalties are high. Indeed, 65% of consumers said they would stop using brands if they breached their personal data.
In this article, we will define GDPR, explore why it matters to marketers and examine the consequences of non-compliance.
What is GDPR?
With the rapid acceleration of digital growth, we all spend vast amounts of time online. This means our personal information is scattered across the internet — valuable breadcrumbs that marketers can use to tailor their communications to us. Because customer data is in such high demand and poses great value, it’s also at risk of misuse, which is why data protection regulations had to be implemented.
The European Parliament actually introduced the GDPR back in April 2016, but it wasn’t enforceable until 25th May 2018 — the period in which we all got spammed with panic-stricken emails asking for us to consent to personal data use!
GDPR stands for General Data Protection Regulation, a digital privacy law. It has established blanket security legislation across the European Union so that all countries operate to the same standards. Organizations within the EU must comply with GDPR requirements by incorporating online privacy settings and keeping them switched on at all times.
Why is GDPR so important?
Well, one of the reasons is that it’s probably the toughest data protection regulation in the world. That means severe consequences for non-compliance, burning a huge hole in lax businesses’ pockets.
Enforcement authorities can issue fines of up to a whopping €20 million under the GDPR laws, or 4% of a business’s global annual turnover if that’s a higher amount. Already, over 900 fines have been issued since GDPR regulations were first enforced, the largest of which was $877 million.
How has GDPR affected marketing?
Marketers are now at the front line of gathering, handling, and activating data, particularly data that gives them vital insights into consumer behavior. So, it follows that the biggest impact of GDPR on marketing is that it places limits on the collection and processing of personal data.
GDPR has meant that marketers have had to start asking for permission to collate any information that could make individuals personally identifiable, such as their name, email address, and IP address. And not just any kind of permission: consent had to be active and unambiguous, so pre-ticked boxes were out.
These stipulations brought sizeable changes to almost every kind of communication, from email marketing to multi-channel advertising campaigns. In particular, targeted activities based on data about specific users were heavily affected by the need to gain consent before collecting and using data for marketing purposes. Much the same was true for the main tool that had previously been used to track user behavior: third-party cookies.
Third-party cookies and GDPR
Types of cookies used to collect information that could identify users also now require consent, including those marketers had long deployed for keeping track of online audiences and performance; think measuring actions driven by online ad campaigns. This meant that pop-up boxes also needed to include requests for clearly defined areas of third-party cookie use.
Coming as part of a broader wave of limitations on third-party cookies — including restrictions from Safari, Firefox, and later, Chrome — the bottom line for marketers was a significant drop in access to audience data, as many users chose to opt out.
The overall result for marketing, however, has ultimately been positive. The reduced value of standard third-party trackers led to greater use of first-party data, with marketers and other businesses directly requesting information from audiences, and often getting better quality data.
Additionally, the emphasis this fuelled on personal relationships forged stronger ties between consumers, publishers, and companies, as well as reinforcing the foundations of the data value exchange. Users who knew exactly what they were being asked for, and why, had greater trust in businesses; and they could see the benefits of sharing that data too.
How does GDPR affect the US and other regions?
Although it was designed to protect EU citizens from data breaches, GDPR affects marketers around the world. Any companies that communicate with European consumers will have to meet GDPR requirements or risk hefty fines.
That said, over 120 countries around the world also have their own data protection regulations. These laws generally align with five main privacy principles, including allowing data subjects to choose whether or not they share their personal data and how it is stored or used, and implementing tough security measures to protect personal information.
In the US, for example, the California Consumer Privacy Act (CCPA) allows Californian citizens to control whether or not their data is collected and how it’s used. Other states across the US with similar privacy regulations include Texas, Connecticut, Alabama, and Florida.
Brazil’s General Data Protection Law brings over 40 data protection regulations into one unified document that outlines the legislation and consequences of data breaches. It has also led to the appointment of Data Protection Officers (DPOs) in Brazilian companies to oversee compliance with the law.
In the Middle East, Bahrain’s Data Protection Law was the first of its kind to be introduced, giving consumers the right to decide how their data is processed, while in the Philippines, the Data Privacy Act of 2012 enforces greater protection of personal information by businesses.
What does Brexit mean for GDPR?
Despite no longer being in the European Union, the provisions of GDPR have been incorporated into UK law, which means practices remain fundamentally the same. In the UK, the Information Commissioner’s Office (ICO) checks that companies are complying with data protection legislation. They examine data breaches within organizations and issue necessary fines, while also investigating how companies collect and store data. The ICO can fine non-compliant organizations, and some eye-watering penalties have already been issued to big-name companies.
(For more on Brexit and GDPR, check out our blog: Why Bending EU Data Regulation Could Lead the UK Into Wild West Chaos)
Why is this a good opportunity for marketers?
Although GDPR requirements have presented many challenges for companies around the world, the tightening of data protection regulations has forced marketers to find innovative solutions to gain rich insights from data in a privacy-compliant way.
For marketers who focus on best practices in data management, put the right systems and processes in place to track data better, and ensure the correct permissions are sought and always followed, GDPR actually presents a great opportunity.
With better data and better processes, marketing analytics can help marketers more than ever to optimize campaigns and to measure and increase ROI, while also ensuring GDPR compliance.
As an industry, four years on from the implementation of GDPR, we have a better understanding of what the regulation means, and we have the tools available to ensure both compliance and excellent levels of customer service.