Shortly after the final vote on the European Union’s General Data Privacy Regulation (GDPR), I advised European marketers that everything would eventually be “okay”—even if getting there would cost more than expected. After reading through the 88-page final regulation, I’m happy to say that I’m still convinced European brands will come out the other side of GDPR compliance in a strong position despite reported reservations among European companies.
This optimism also comes on the eve of Martech Europe in London, where Redpoint VP of Product Strategy Patrick Tripp will give a lunchtime presentation tomorrow on how marketers can use data-driven personalization to drive improved customer engagement and “bridge the gap” between strategy and execution.
As I wrote back in December, the primary challenge remains that the balance of power will shift from European marketers to European consumers once the regulation comes into force on May 25, 2018. Customers will need to give affirmative consent to their personal data being collected, or used to create behavioral profiles, and that consent—while able to be given via a checkbox on a website—can’t be assumed. This means no pre-ticked boxes, no silence as consent, and no inactivity as consent. EU consumers will have to approve every use of their customer data, and if the initial collector provides the data to a third party, then the third party has to receive the customer’s consent as well.
This adds a potentially dizzying complexity to the act of customer data collection, and brands both large and small have to improve their side of the bargain if they want to collect, retain, and use consumer data in their marketing and customer engagement efforts. Brands must also err on the side of disclosure for the first time, no matter where they’re located, so consumers have visibility into the precise uses of their data at all times. This even applies to foreign companies that do business in the EU but don’t have physical locations in any of the member states; so long as you sell to Europeans, you must comply with GDPR’s rules.
Beyond the communication/consent requirements, the most substantial challenge is that customers can request their personal data be deleted at any time. This is codified in the “right to be forgotten,” which was given formal regulatory status in the GDPR. What’s troubling is that, in its recent State of European Data Privacy survey, Symantec discovered that 90% of European businesses think they’re technologically ill-equipped to follow through on this facet of the regulation.
Furthermore, Symantec found out that 74% of businesses don’t think an organization’s privacy track record is a top-three consideration for their customers … except that 88% of customers chose it as the top concern in whether they’d do business with a particular brand.
This is a massive disconnect between brands and consumers, which offers an opportunity for retailers to take a customer-focused approach and make data security (alternately called “Privacy by Design”) a centerpiece of their engagement strategy. For the European retailer who takes the GDPR seriously, and becomes one of the 26% of businesses that Symantec found were fully prepared for the new regulation, changing practices and internal controls can be a selling point for customer engagement efforts.
This proactive approach can be especially powerful in the retail marketplace because it shows a commitment to keeping personal data secure instead of risking the administrative fines that the different supervisory bodies can levy against brands that don’t comply.
These noncompliance fines can run anywhere from €10 million to €20 million or up to 4% of worldwide revenue depending on the severity of the infraction. Better to spend money over the course of the next 19 months to beef up your data security measures and comply with the new rules, rather than risk the associated fines.
After all, the money that you’d pay in fines could be better spent updating the underlying technology that manages customer data and boosting internal capabilities and controls. Your gains from improved data management will allow you to simultaneously bridge the gap between strategy and execution, as well as signal the premium you place on customer concerns and the security of their data.
While I can’t say for certain that there won’t be a substantial amount of pain involved in compliance for European retailers, I can say with certainty that brands will be better off when the initial pain subsides. Control over personal data is a major issue for customers, and brands able to manage to that concern—and still engage through the channels their customers prefer—will come out ahead.