The protection of personal information is front and centre of late as newly introduced regulations in Europe are set to impact the way data is used and collected right across the world.

Like just about everyone else on the planet, you’ll have noticed your inbox straining under the weight of emails from all sorts of businesses addressing their privacy and data collection policies. The rush of brands wanting to let you know how careful they are with your data comes from new regulations signalling a shift in the way data is used.

A 2017 survey in the US by Deloitte found 91% of people click on those ever-present ‘terms and conditions’ notifications without reading them. Most of us are more concerned about unlocking the content behind that checkbox than perusing the (often deliberately) wordy and, frankly, dull conditions therein. Surrendering our data has become little more than an ‘I agree’ formality in our digital lives.

As a consumer, the new regulations signal greater control and transparency around how your information is collected and used. But what do the changes mean for you as a digital marketer?

It’s all thanks to the GDPR

Just to catch you up, the General Data Protection Regulation—GDPR, to you—is a new set of regulations out of the European Union. Although the timing may suggest the laws are a response to recent, high-profile data scandals like the Facebook/Cambridge Analytica affair, GDPR actually passed into law in 2016 and finally came into full, enforceable effect on May 25, 2018. Hence the recent scramble from brands to comply.

Because the regulations are intended to better protect the data rights of EU citizens, GDPR compliance isn’t restricted only to companies based in the EU. It affects any brand that wants to do business there and relies on collecting data to do so. Hefty penalties of up to 20 million euros will apply to any company found to be in breach of GDPR.

In short, GDPR lays out all sorts of rights around an individual’s ability to know, access, correct or erase the personal data any organisation holds about them.

What does it mean for marketers?

Essentially, the new order for data collection is summed up by CNN as “privacy by default”, shifting the onus onto the individual to provide “clear and unambiguous consent” for companies to collect and use their data. This makes the collection of private data an opt-in proposition rather than one of passively agreeing or even having to opt out.

The key implications of GDPR for marketers with a presence in the EU, as outlined on Moz, include:

  • Providing greater transparency around what data is collected, how it’s collected, what it’s used for and what third parties it is shared with.
  • Using data only for its intended purpose and seeking permission before attempting to use it for another purpose.
  • Ensuring users actively opt in to provide their data (that means no pre-ticked check boxes). It’s important to note that a company can’t restrict access to content for a person who doesn’t provide consent to use their data.
  • Communicating terms and conditions and privacy policies clearly. The fine print can’t be buried in copious pages of legalese.
  • Effectively responding to customer requests. These requests can include disclosing what personal data is held, correcting any erroneous information or exporting their data to another entity.
  • Any customer request to have information erased also means ensuring it’s deleted anywhere that data was shared.
  • Adhering to GDPR standards about the storage and protection of data that’s collected.
  • Keeping appropriate records to provide evidence of GDPR compliance.
  • Notifying people within 72 hours of becoming aware of a data breach that could compromise their information.

For a deeper dive into the implications of GDPR for brands, scroll down to the infographic below, compiled by Digiday:

You can familiarise yourself with the full 99 pages of the GDPR here.

The impact of GDPR on brands

In the short term, many of the companies who have been emailing their databases in recent weeks will find their mailing lists take a hit. Having to ask people to opt in to a database they’re already on (and, in many cases, forgot about) runs a fairly high risk that they just won’t care enough to do so.

From a numbers perspective, losing subscribers is an alarming prospect for many businesses. Email marketing is still one of the most effective ways to drive revenue. Digital Agency Network reports that email marketing provides a US$44 return on every dollar spent.

But when viewed from the perspective of engagement, it’s not bad news. Marketers have already learned not to judge social media success on pure subscriber numbers. The rise of the micro influencer has shown that it’s desirable to have a smaller, more committed audience than a huge base of apathetic followers.

By trimming the fat from databases, losing people who are likely disengaged from the brand in the first place, open rates and ROI will likely improve—a statistical upside to a database more concentrated on active users. More importantly, marketers will get a clearer picture of their true customer base. As such, they can better target their future email marketing content to this base.

In the longer term there are concerns that big tech and big business will stand to benefit the most. Consider, for instance, the impact of compliance costs on smaller businesses. Bloomberg reports it will cost the world’s 500 biggest businesses in the region of US$7.8 billion to fall in line with GDPR. While the likes of Amazon and PayPal have the financial, legal and tech expertise to interpret and adopt the regulations, for smaller scale companies the imposition is significant, even if their business isn’t as complex.

The new rules and the growing consumer awareness around data and privacy might also mean upstart brands have a tougher time convincing subscribers to part with their personal information. This would serve to entrench the data dominance of the big tech players like Facebook that have spent years building a cache of data on billions of users who have come to rely on their platforms.

The full impact, indeed even the actual meaning, of the regulations is yet to be seen. Where is the line between “consent” and “unambiguous consent”? What precisely qualifies as “legitimate interest”, something a business must prove when collecting data from a person? Now that GDPR is enforceable, clarity will come as the regulations are inevitably tested and challenged in the courts.

Think you’ve got a grip on GDPR? Test your knowledge here.