At the end of the movie Finding Nemo, Gill and the Tank Gang manage to escape from the dentist’s office in Sydney when he decides to clean out the messy aquarium in his office. They’ve finally achieved their freedom and cheer their victory – even though they’re still in individual bags. Realizing this, Bloat the Blowfish asks what everyone is thinking: “now what?”
My kids love this movie, and it’s a fantastic metaphor for complying with the General Data Protection Regulation (GDPR). For two years, European and multinational brands have scrambled to change their data collection and storage infrastructure to comply with the GDPR’s rules around customer data privacy, including the right to be forgotten and the right to data portability. The benefits so far have been substantial. Consumers are happier since the launch, with 62 percent expressing greater confidence in sharing their data with brands; brands are now more explicit in their data collection, which has likely contributed to consumer confidence as well.
Those are good things, but it’s been two months now since the GDPR’s rules came into force, and the chances are good that some brands are asking “now what?” after all that effort. This is an understandable question given how long brands have been working to get into compliance. As I see it, there are three things that brands can do in the next 90 days to extend the value of their GDPR compliance:
- Deploy a long-term strategy for collecting consent and customer preferences – Ahead of the GDPR, brands sent out innumerable messages to their existing customer base to ensure that they had collected affirmative consent from as many people as possible. These activities involved clearly communicating what information the brand had, and giving consumers the ability to rectify any errors or revoke consent ahead of the deadline. Now the smoke has cleared and, so far, nothing has gone wrong. Assuming that this consent collection is a one-time action is a recipe for disaster. Brands need to retain their customers’ preferences and manage consent information over the long term. Whether this happens through a landing page, an online preference center, or is something the consumer needs to call a contact center for, the point is that brands need to have a process in place to maintain these activities.
- Operationalize consent to improve engagement – Once consent is collected, it needs to be actioned and operationalized. Brands should be able to notify all their data systems of requests related to GDPR, whether that’s a customer asking to have their data deleted or masked, someone who wants to download a copy of their data, or someone who wants to correct an error. Accomplishing this also requires deploying a data stewardship workflow process where data stewards can make changes and approvals are in place for change requests.
- Deploy a notification process – To maintain consumer trust over time, brands need a way to notify consumers that their data requests are being fulfilled. This is a key component of GDPR compliance; brands must notify data subjects when their request is completed, provide timeframes for completion, and confirm next steps being taken. This could also be a webpage, a push notification, or even an email. The idea here is to maintain customer trust in the long run, and to do that, brands need a way to communicate with their customers. Facebook accomplishes part of this by allowing customers to download all their data in folders.
Go Forth with Good Intentions
As the Spider-Man comic books taught readers, “with great power comes great responsibility.” Holding onto a customer’s personal data is a major responsibility. Brands need to use that data for good purposes, which include delivering personalized experiences and contextually relevant interactions.
Data privacy laws are fundamentally a massive opportunity for marketers to better personalize interactions over time. The clean data that results from compliance ensures that brands understand customer preferences, which leads to richer and more contextually relevant messaging. As brands leverage this deeper insight to personalize experiences, they need to also be wary of where the line is for being too informed about preferences and behavior. For this reason, brands should be thoughtful about how they leverage the new insights they have.
On top of this, U.S. organizations may also soon have to contend with the California Consumer Privacy Act. Recently passed in California, the new privacy law brings a GDPR-style regulation to the United States. It won’t go into effect until 2020, but brands still must consider how to comply ahead of that deadline.
With the GDPR coming into force only two months ago, brands can be forgiven for taking a slight breather after scrambling for two years to bring their operations into compliance. However, the work to make GDPR valuable isn’t even close to being done. Brands now need to ensure that they can maintain their consent collection practices over time, operationalize that consent, and communicate effectively with customers in the long term to make their work valuable.