GDPR, a Year In

By Margaret Franco, senior vice president EMEA Marketing, Dell Technologies

During the month of May 2018, the term “GDPR” was searched more often on Google than American celebrities Beyoncé and Kim Kardashian. Needless to say, the European Union’s (E.U.) General Data Protection Regulation has been a hot topic among business leaders and marketers all over the world.

That’s because the new regulations, which came into force on May 25 of last year, have a big impact (and big consequences) for any business dealing with individuals within the E.U.—regardless of where it’s headquartered. Under GDPR, these organizations must have permission to collect, manage, and store personal data—and importantly, if asked, must be able to retrieve and remove all information held about an individual. In addition, organizations are required to report the exposure of personal data to both regulators and the affected individuals within 72 hours after they become aware of any such breach.

So, how are organizations faring under these new rules? As of January 2019, E.U. organizations have reported around 41,000 breaches since GDPR came into force, according to the European Data Protection Board. Law firm DLA Piper reports that, also as of January, fewer than 100 fines—91 in fact—have been issued as regulators perhaps use other penalties, such as warnings, reprimands, or temporary or permanent bans on data processing. 2019, however, is predicted to be a year where the regulators get tougher. We’re already seeing this prediction come true.

On January 21 of this year, French regulator CNIL fined Google $57 million when it found the company lacked transparency about how its users’ data is processed and lacked a valid lawful basis for targeted advertising. This is a phenomenal sum, but well below the upper limit for GDPR breaches: four percent of annual global turnover. For a company the size of Google, which has reported annual sales of more than $100 billion, the penalty could have been much harsher. Even so, the fine has sparked a lot of discussion globally: if a company as large as Google can get it wrong, then what about the rest of today’s companies?

Burden or Opportunity? A Marketer’s Perspective

GDPR’s ripple effect is reaching far beyond business in the E.U. In addition to new privacy laws in the U.S., including the California Consumer Privacy Law and proposed Washington Privacy Law, lawmakers in Australia, Brazil, Canada, India, and Japan, among others, are all revisiting their countries’ privacy laws to mirror GDPR.

The burden GDPR and privacy laws place on businesses to make significant and often costly changes to the methods they use to acquire, store, analyze, and use personal data has been well debated and documented. Halfway into the first year of GDPR, a Deloitte report found that 70 percent of the organizations from 11 countries surveyed had increased headcount in roles focused on GDPR compliance, and more than 70 percent said that they were using internal or external tools, such as technical discovery tooling, redaction tooling, and AI, to support GDPR compliance activities.

Further complicating compliance is the fact that the situation around data privacy is not static but rather constantly evolving, emphasizing the need for marketers and leadership teams to remain vigilant and responsive. For example, one area to watch is public blockchain and its impact on privacy. Calls for the E.U. to relax GDPR compliance in order not to stifle innovation in this new technology are unlikely to succeed, and blockchain currently has no way of meeting the regulation’s requirement of an individual’s right to be forgotten.

But GDPR is not only about how we extract the data itself or what we must do to avoid penalties. Rather, it’s about how we communicate with our customers to earn their trust. As a marketer, I see this communication as an opportunity to connect with customers on a personal level. After all, privacy is personal. Today, our customers have more choice than ever before on how they share their personal data with us. When we are transparent and respectful, we have the opportunity to serve them better.

I’m not alone in this more positive outlook. A February survey of U.K. businesses conducted by the Data & Marketing Association (DMA) revealed that marketers increasingly believe their businesses will experience long-term benefits from GDPR. The percentage of respondents who stated the regulations will negatively impact their organization fell considerably from 56 percent in the previous survey 12 months earlier to 41 percent since the regulation came into force. Moreover, an increasing number (26 percent) of organizations believe the regulation has actually helped them serve customers better by enabling them to build sustainable relationships through transparency and honesty.

This positivity around GDPR is not intended to downplay the complexity of meeting the regulations, and the robust processes and checks a company must introduce to ensure compliance by all its teams that deal in personal data. Yet, GDPR could be a driver for positive differentiation and signal a move away from generalized communication strategies, such as mass-mailing, to ones that are more personalized or offer an opportunity to engage directly via social platforms. This means more of a two-way exchange with customers, which may deliver valuable insights and feedback. In this way, GDPR turns from regulatory nightmare into stellar opportunity for customer engagement.