At the end of the movie Finding Nemo, Gill and the Tank Gang manage to escape from the dentist’s office in Sydney when the dentist decides to clean out the messy aquarium in his office. They’ve finally achieved their freedom and cheer their victory – even though they’re still in individual bags. Realizing this, Bloat the Blowfish asks what everyone is thinking: “Now what?”
My kids love this movie, and it’s a fantastic metaphor for complying with the General Data Protection Regulation (GDPR). For two years, European and multinational brands have scrambled to change their data collection and storage infrastructure to comply with the GDPR’s rules around customer data privacy, including the right to be forgotten and the right to data portability. The benefits so far have been substantial. Consumers are happier since the launch, with 62 percent expressing greater confidence in sharing their data with brands; brands are now more explicit in their data collection, which has likely contributed to consumer confidence as well.
Those are good things, but it’s been two months now since the GDPR’s rules came into force, and the chances are good that some brands are asking “now what?” after all that effort. This is an understandable question given how long brands have been working to get into compliance. As I see it, there are three things that brands can do in the next 90 days to extend the value of their GDPR compliance:
As the Spider-Man comic books taught readers, “with great power comes great responsibility.” Holding onto a customer’s personal data is a major responsibility. Brands need to use that data for good purposes, which include delivering personalized experiences and contextually relevant interactions.
Data privacy laws are fundamentally a massive opportunity for marketers to better personalize interactions over time. The clean data that results from compliance ensures that brands understand customer preferences, which leads to richer and more contextually relevant messaging. As brands leverage this deeper insight to personalize experiences, they also need to be wary of crossing the line into seeming too informed about customers’ preferences and behavior. For this reason, brands should be thoughtful about how they leverage the new insights they have.
On top of this, U.S. organizations may soon also have to contend with the California Consumer Privacy Act. Recently passed in California, the new privacy law brings a GDPR-style regulation to the United States. It won’t go into effect until 2020, but brands still must consider how to comply ahead of that deadline.
With the GDPR coming into force only two months ago, brands can be forgiven for taking a slight breather after scrambling for two years to bring their operations into compliance. However, the work to make GDPR valuable isn’t even close to being done. Brands now need to ensure that they can maintain their consent collection practices over time, operationalize that consent, and communicate effectively with customers in the long term to make their work valuable.