The 25th of May 2018 will see the EU's latest rewrite of its data privacy laws, the General Data Protection Regulation (GDPR), come into full effect after years of fine-tuning. It has been designed to regulate the use of all personal data for all EU residents, and will apply regardless of whether the data has been processed in member states or not.
The primary objective of GDPR is to give people control over their data, allowing them to choose who can use it while also forcing companies to be transparent about what they are doing with it. Its definition of personal data includes personally identifiable information collected through cookies and advertising IDs, as well as what the EU terms 'sensitive information', such as that pertaining to racial or ethnic origin, health, finances, political opinions, and sexual preferences. GDPR requires that companies erase personal data on request unless there's a legitimate reason to retain it, that those affected by data breaches are alerted, and that data protection is designed into their products and services. The fines for failing to abide by these rules are considerable, amounting to either 4% of global annual turnover or €20 million, whichever is higher.
This is no easy task and for the majority of organizations requires a significant culture shift. As such, many are behind where they should be in their GDPR preparations. In a survey conducted last year by the Direct Marketing Association (DMA), just 54% of businesses said they expect to be compliant by the deadline, while nearly a quarter of companies have not even started preparing yet, despite the new law being first announced more than five years ago. Another recent survey of security chiefs at FTSE 350 and Fortune 500 companies by international law firm Paul Hastings found that over half of companies across the UK and US will not be ready for the new regulations by the deadline.
However, while this laissez-faire approach may be concerning, GDPR should not be looked at purely as a compliance issue. It is not just a costly administrative burden devised by faceless bureaucrats to stifle business. Rather, GDPR should be seen as an opportunity, empowering companies to use their data better and improve their marketing efforts. We've looked at 3 of the reasons why.
Higher Quality Data
One of the most important benefits of GDPR is that it provides - or rather, forces companies to put in place - a framework for improving data management. Emmanuelle Brun Neckebrock, CFO for SAP France, recently noted in an interview with us that, 'Data is one of your company’s most valued resources, yet it is also one of the most poorly managed. It’s the golden thread that runs through the entire organization, and in most instances, it’s managed casually and inconsistently, depending on individual employees and departments. You wouldn’t let your revenue, products, or equipment assets be handled that way, so data (given its inherent value) shouldn’t be any different. It warrants the same due care and attention.'
Bad data is a cancer in an organization's data efforts, but too few are currently doing anything about it. At any given time, as much as 70% of data sets are outdated. People's lives are constantly changing - they move house, they switch jobs, they change phone numbers, and so forth. As a result, email addresses change at a rate of about 23% a year, 20% of all postal addresses do the same, and roughly 18% of all telephone numbers. These need to be removed promptly. The quality of data you have determines how much you can rely on the data to make good decisions, which impacts every facet of the organization. Indeed, IBM estimates that bad data is costing organizations some $3.1 billion a year in the US alone, while in Experian’s Data Quality survey, 83% of companies said their revenue is affected by inaccurate and incomplete customer or prospect data.
GDPR is already having an impact here. Jonathan Wood of security company C2 Cyber, for one, told ComputerWorld that, 'We work with a number of online retailers and one company had a CRM [customer relationship management] database of 30 million customers, five million of whom turned out to be deceased. Having cleaned up its database and introduced processes to keep it up-to-date, not only can the company now ensure it is GDPR compliant, it’s also saving a small fortune in direct marketing costs such as printing, design and communications.' By forcing better data management, GDPR also means less data, which means lower spending on storing and processing data that couldn't benefit you anyway - indeed, it's not just that it can't benefit you, it's likely it will even taint your insights.
This issue is particularly pressing because of the impact bad data has on machine learning. Machine learning algorithms depend on having high-quality data to train them. Indeed, the majority of machine learning practitioners actually consider the data to be more important than the algorithms themselves. In Crowdflower’s 2017 Data Scientist report, when asked to identify the biggest bottleneck in successfully completing AI projects, over half the respondents cited getting good quality training data or improving the training dataset. Mistakes in the training data infect a system like urine in a swimming pool, polluting all the results and rendering any insights untrustworthy. This is going to become an even more important issue in future as machine learning adoption increases, and those who have taken GDPR to heart and really cleaned up their data quality will be in the best position to exploit it.
For marketers, the most important consideration with GDPR will be that marketing lists will need to be opt-in. Databases will need to be cleansed and reviewed to ensure that it can be proven that every name on the list opted in willingly, that the name is being used for legitimate purposes, and that the information is accurate. As a result, many marketing teams will need to fundamentally reconsider how they attract potential customers onto their sites.
This should mean an end to the 'throw-spaghetti-at-the-wall-and-see-if-it-sticks' approach we have seen marketers take since the dawn of the internet. The idea that customers will sign up to clutter their inbox with your ads is at best delusional, at worst dangerous. Marketers will have to provide something in return, namely superior content. This should provide a particular boon to content marketers, who will be able to focus on creativity rather than pumping out as much guff as possible in the hope someone listens.
A greater emphasis on content will not necessarily mean the end of a data-driven approach to marketing, though. If anything, it should lead to better data analytics. With a clean database filled with the email addresses of people who have actually demonstrated that they want to hear from you, you have a small, but far more captivated market. This provides a far greater opportunity to do hyper-personalization, micro-segmentation, and attribution modelling. Marketers are able to better understand whether what they are doing is working, as when it's not, their customers will just modify their consent.
According to estimates by the Ponemon Institute, the average cost of a data breach in 2017 was $3.5 million, while they put the probability that a US company will experience a breach in the next 24 months at a terrifying 27%.
GDPR should, hopefully, have at least some impact on these numbers. Under GDPR, businesses will have to prioritize the security of the data they hold, clearly communicate privacy terms, and inform customers if there are any breaches. This should, for one, provide some semblance of consistency to the hitherto messy world of cybersecurity law, making it at least somewhat easier for organizations to understand what best practices should be. Furthermore, it forces them to face up to the issue. Benjamin Wright, attorney and SANS Institute instructor of law of data security and investigations, recently told Inside Counsel that, 'Now, when an organization in EU suffers a breach, it must give notice. This notice will trigger a cascade of hostile investigations, likely concluding with fines. This requirement to give notice motivates organizations to improve their security so they do not suffer a breach.'
The regulation also encourages the kind of holistic approach necessary for adequate data security, forcing everyone, from junior to board level, to take responsibility for reporting any potential data breaches and ensuring they carry out the correct protocols. The holistic approach is not just an internal boon, though. The abundance of mobile and connected devices in the supply chain has created an opening for hackers to target operations, according to Supply Chain Brain, and doing business with an insufficiently protected supplier puts the whole chain at risk. GDPR means companies have to vet external parties, such as supply chain partners, more carefully than before, because the data controller is liable for any leak throughout the chain. This also means there is a far greater incentive to encourage greater collaboration between partners and ensure that there are no holes in the ship, so to speak.
This is also already having an impact. According to Okta’s Businesses at Work research, which analyzes the most popular and fastest growing apps in the enterprise, adoption of security apps is increasing as we approach GDPR deadline day. Email and cloud security software Mimecast, for one, has grown 141% across Okta’s EMEA customers in the past year, with adoption increasing 34.5% in the UK over the past six months alone, suggesting, at least to some degree, that GDPR has finally made organizations across Europe take the cybersecurity threat seriously.
Ultimately, all this is important because it leads to the most important currency in business: Trust. People only give their personal information to companies they feel they can trust with it, and with greater transparency and the knowledge that companies are following a set of standards, they will be more likely to give it to them.