GDPR one year on – but still confused?
by Tim Stopher

With the first anniversary of GDPR coming into force, are people still confused about its application and do consumers feel any better off?

May 25th marked the first anniversary of the introduction of the General Data Protection Regulation (GDPR) in Europe. It was intended to evolve the existing Data Protection Act and extend protection for individuals and their data, providing greater transparency and control over where their data is saved and used. It was seen by many brands and retailers as a game-changer.

Has there been an overreaction? Some businesses have thrown the baby out with the bathwater and reduced their customer data pool to such an extent that they have seriously jeopardised the future viability of their business. They may have done so with the right intentions but have read way too much into the legislation and cut too deep. Now it is time to rebuild that data, safe in the knowledge that you do so legally and with legitimate intent.

GDPR understanding.

A lot was written about GDPR ahead of it coming into force last May, and while the opportunities were highlighted, the overriding reaction from marketers was confusion, frustration and fear.

Certain outcomes were fairly predictable: companies scrambling to get their houses in order and a steep rise in data breaches after the legislation was put in place. Notifications of data breaches to the Information Commissioner’s Office (ICO) have rocketed: in the first nine months since the implementation, the ICO received 11,562 notifications. This spike was fuelled by the tight timescales, a lack of detailed guidance and the threat of multi-million pound fines. But 7,771 of the 11,562 notifications the ICO received were closed down requiring no further action.

Marketers have now realised that GDPR is perhaps not the monster it was made out to be.

Impact in the industry.

The ICO makes clear that the new law applies to ‘controllers’ and ‘processors’ of data, and these are largely the same definitions that applied under the Data Protection Act 1998 (DPA). While there are significant penalties for not being data compliant, much of GDPR is just about good data management practices. As a result of GDPR, marketing needs to be more aligned to IT, legal and operations departments to ensure the whole supply chain of data, from capture through to storage and ultimately use, is efficient, effective and auditable.

Recent research from the DMA (Data and Marketing Association) reveals 56% of marketers are more positive about the effects of GDPR, given they have seen a marked increase in returns on every £1 spent due to sending fewer and more relevant communications.

For many businesses GDPR meant their databases diminished overnight, with a sense that valuable data had been washed down the drain. But how valuable was that data really? Were these people truly interested in your product or services? Undoubtedly the pond we’re all fishing in now is smaller, but the quality and therefore the conversion rates are likely to be much better.

GDPR doesn’t fully cover ePrivacy – governing permission-based online marketing through channels such as email and cookie-powered internet ads. Updated legislation in the form of ePrivacy Regulation is anticipated but could take another year or more to be finalised.

Creating ways of using it as an advantage.

The legislation forces marketers to be creative – create content that pulls people in rather than a push strategy. By putting customers at the heart of your marketing communications and contacting them only in the way they ask to, you can achieve a greater level of engagement, loyalty and quality of data.

Royal Mail brought out a new product, ‘Partially Addressed mailing’. This has been designed to identify customers using specialist targeting, and means you’ll be able to continue sending direct marketing communications without using personal data. One of our clients, McCarthy and Stone, took part in the Partially Addressed Mail trial, which has now been shortlisted for a Data IQ award for the Royal Mail.


Consumer attitude.

According to research conducted by Ipsos Mori, just 31% of consumers think their overall experience with companies has improved. Despite brands’ best efforts, 46% don’t think GDPR has made a difference at all, while 17% believe things have actually got worse over the past 12 months.

Rather worryingly, 40% don’t think companies even care if they are in breach of data laws, perhaps fuelled by the endless headlines of data misuse, breaches and scandals, most notably the Facebook and Cambridge Analytica scandal. This loss of trust by the consumer needs to be addressed by good practice.

Other stats from the research commissioned by Marketing Week revealed:

  • 93% of consumers say they have heard of GDPR, with 39% saying they know a ‘fair amount’ or a ‘great deal’ about the data law.
  • 48% say they understand their rights around how their personal data is used.
  • 41% believe companies have become more transparent in how they use consumers’ personal data.
  • Younger consumers are definitely more positive than older generations: 53% among 16 to 24 year olds and 49% for the 25 to 34 age bracket, decreasing to 31% for 55 to 75 year olds.


The need to improve consumer trust.

Most consumers have seen a difference in the way brands communicate with them, which is most notable on company websites. This is impacting on consumers’ experience with brands, with 59% suggesting many companies don’t let them use their website unless they agree to sharing their personal data.

Consumers are also not convinced email communication has improved as a result. A quarter of consumers say emails from brands have become more relevant over the past 12 months, but 37% say they have seen no change and 34% believe emails have actually become less relevant. However, 47% of consumers say they trust companies which let them control how their personal data is used and, encouragingly, 37% say they tend to spend more money with these brands as a result.

There is still an element of mistrust – but marketing can be used as a tool to rebuild trust by operating in a transparent manner: explicitly asking for customer consent and clearly stating why and what information is needed, as well as how their data will be used.

Major concerns about data breaches still need to be addressed, but GDPR has highlighted the need for training to understand the enforcement requirements to ensure that data is obtained and held in the correct way.

Data protection

Before GDPR, many organisations had never felt forced to look in real detail at how they use data. Good data stewardship was typically the responsibility of security and technology teams, with some input from HR, Marketing and Legal. Now, it needs all these functions to work effectively in unison – this means serious cultural change. It will probably be two to three years before most companies are fully up to speed.


Tim Stopher, Chief Technical Officer
