Marketing in a post-GDPR world: what's changed?

In the digital age, marketing professionals are not only bound by a code of ethics to uphold their customers’ fundamental right to privacy, but also legally obliged to do so in line with the latest data protection regulations. The landmark General Data Protection Regulation (GDPR) has been in force across the EU since May 2018 – giving birth to a new era of data management practices, as regulators and responsible organisations work hard to keep personal information private and secure, and give customers control over their data.

While the GDPR represents a much-needed shift in mindset, it has also had a substantial impact on the organisations that serve people in both the private and public sector. Beyond shouldering a new compliance burden, many of these organisations have also had to overhaul systems and processes, including their marketing practices.

Let's look at the facts

More than a year has passed since the GDPR was introduced. What has changed?

At a time like this, it’s important to take stock of the challenges experienced as well as the lessons learned during the GDPR’s first year.

Are customers more aware of their rights?

According to the European Data Protection Board (EDPB), most national supervisory authorities report an increase in queries and complaints received during the first year of GDPR compared to the previous year. Over 144,000 queries and complaints and over 89,000 data breaches have been logged by the supervisory authorities in the European Economic Area.

This is more than likely due to an increased awareness among the general population of their data protection rights. During 2019, EU citizens have been polled on the topic through the Eurobarometer. This survey found that 67% of respondents knew about the GDPR; and 57% said they were aware of a public authority in their country responsible for protecting their data privacy rights.⁽¹⁾

Another survey, conducted by Deloitte across consumers and organisations in 11 countries (both inside and outside the EU), reveals that consumers are more aware of data protection issues, with 58% saying that they are now more cautious when sharing personal information online than they were become the GDPR came into force.⁽²⁾

Has there been an increase in customer trust and confidence?

According to the Information Commissioner’s Office (ICO) in the UK, customers have more confidence in the way that organisations store and use their information post-GDPR. Their levels of trust and confidence have increased from 21% in 2017 to 34% in the latest study.⁽³⁾

Reinforcing this finding, the Email Tracker Report published by the Data & Marketing Association (DMA) in the UK found that now, after the introduction of the GDPR, 41% of consumers are more comfortable and confident that brands are handling their data correctly. ⁽⁴⁾

Do customers have more control over their data?

While there has been an increase in customer awareness, trust and confidence, there is still room for improvement, especially when it comes to one of the GDPR’s primary intentions – the transfer of data decision-making power from the organisation to the customer. According to the Deloitte study mentioned earlier, most people do not yet feel that they have gained enough control over their own personal information.

At this point in time, it seems as if many organisations are obeying the letter of the law, but not living up to the spirit of the law. Rather than approaching this as a pure compliance exercise, more companies need to view the GDPR era as a new chapter – and an opportunity to be more customer-centric in their data management practices.

Are customers still receiving spam?

According to the new data laws, any organisation communicating with customers via email or text message must ensure they have explicit consent from each customer to use these marketing channels. However, research charity Nesta found (six months after GDPR implementation) that 60% of UK internet users felt they had no more control over how many marketing emails they were receiving than they had before the rules came into force. And, of the 2,000 people surveyed, around 22% said the number of spam emails they had received had actually increased post-GDPR.⁽⁵⁾

Clearly, there’s still more work to be done by many marketers to ensure they’re not sending unsolicited, indiscriminate and irrelevant messages to their customers.

Are marketers GDPR literate?

Before educating customers on their data protection rights and assuring them that these are being respected, marketers need to fully understand the law. According to DMA research, 90% of marketers say they have a good knowledge of the GDPR and 89% have received formal GDPR training during 2018.⁽⁶⁾

That being said, the new legal environment has been a steep learning curve for some companies. For example, Telecoms company EE was fined £100,000 by ICO for sending around 2.5 million text messages to consumers without their consent. The organisation initially stated that it had sent the texts to provide service information; and they were therefore not required to obtain consent under electronic marketing law. However, the ICO ruled that the texts also included a direct marketing message (relating to a phone upgrade). EE has since accepted ICO’s ruling and apologised to its customers.⁽⁷⁾

This case highlights how important ongoing training and education are, even in companies that believe they have a sound understanding of their compliance obligations.

Challenges that still need to be addressed

Some organisations have worked hard to maintain compliance within the GDPR and implement customer-centric data protection policies. Given the findings discussed above, however, others still seem to be struggling to wrap their heads around the law, let alone embed the principles of the GDPR into their businesses.

During this transitional period, three major challenges have become evident:

1. A lack of clarity

Despite being in force for more than a year, there’s still some uncertainty and confusion when it comes to how the GDPR should be applied day-to-day. This is largely due to the fact that the GDPR is principles-based, which means that every organisation has a duty to conduct a risk assessment in order to determine which activities pose a risk to customers’ privacy rights. These findings must then inform a risk-based approach, where each organisation sets their own appropriate data protection policies and practices.

2. Risks evolve along with technology

Adding to this challenge is the speed at which sales and marketing technologies are developing. These tools may create exciting new data processing opportunities, but they also put customers’ data privacy at risk – and organisations need to understand the legal implications.

For example, the ICO recently raised concerns about adtech organisations relying on “legitimate interest” as a lawful basis for processing data during real-time bidding (RTB) methods. As stated in the ICO report on this topic, “One visit to a website, prompting one auction among advertisers, can result in a person’s personal data being seen by hundreds of organisations, in ways that suggest data protection rules have not been sufficiently considered.”⁽⁸⁾

While case law for the GDPR has begun to emerge and industry bodies will hopefully provide clearer guidance going forward (especially for UK-based businesses who are also navigating Brexit), organisations need to be proactive in gaining a clear understanding of the risks associated with all their data processing activities, online and offline.

3. The pace of enforcement action has been slow

While there have been many threats of enforcement action, authorities have been slow to issue penalties. Despite 10,000 reported breaches in the UK – the ICO has only published 127 enforcement notices in the past 12 months. ⁽⁹⁾

Before organisations become too complacent, however, they must understand that investigations take time. A case in point is the recent announcement that, pending an appeals process against the scale of the penalty, British Airways could face a record £183 million fine for last year’s breach of its security systems, which compromised customer data. This would be the largest penalty that ICO has handed out since the new laws came into effect and first to be made public under the GDPR. ⁽¹⁰⁾

It stands to reason that the future will hold tighter enforcement. Businesses of all sizes must make sure they are fully aware of their compliance obligations and that data protection is at the centre of everything they do, or they could make an expensive mistake.

What’s needed going forward?

Here are some recommendations for best practices as your organisation navigates a more mature GDPR environment.

1. A change of mindset

Rather than focusing on data protection as a tick-box exercise, it can be viewed as a way to show the customer that you care deeply about their right to privacy. This can go beyond reducing compliance risk to increasing trust and confidence in your brand – becoming a competitive advantage.

When individuals trust an organisation, they are more likely to share data more openly with the business. According to the Deloitte study, “The ethical use of data, which can reside in the grey area between regulatory compliance and a higher standard, is seen as an increasingly important driver in this level of trust.” ⁽¹¹⁾

2. A company-wide commitment

Misinterpretation, ignorance and complacency are often responsible for data breaches. This calls for clear and well-communicated data protection policies that gain commitment at every level of the enterprise. Marketing, sales and other functions must work together to ensure that treating customer information responsibly and respectfully becomes an integral part of every business process. Think of it as an enterprise-wide commitment to earning and maintaining the customer trust.

3. Clear communication

The Deloitte study referenced earlier found that many customers are not reading privacy policies. Often, these are treated like fine print, which makes them unappealing and easy to ignore.

Marketers can play a valuable role here by finding more compelling ways to keep customers informed and more effective ways to ask for their explicit consent. This involves clearly explaining why you’re asking for personal data, how this information be used, how this will impact the customer, and so forth. If you communicate this in a user-friendly way, customers are more likely to feel comfortable about sharing their information. Ideally, you could view every piece of GDPR-mandated communication as an opportunity to engage with customers and build the relationship.

4. Expertise

All this considered, you may realise that your data protection practices – and your data itself – could do with some refining and work harder for your business.

If you want to make sure that your data is accurate and compliant, and that you’re only engaging in relevant, consent-based communications with your customers, it may make sense to pull in an expert partner to help address any issues. That might be a consultancy that can give advice and guidance on your processes, or a data-cleansing provider that can make sure you have a clean, accurate database for your sales and marketing communications.

Addressing areas of concern will not only minimise risk of incurring costly fines, it will bring other benefits such as enhancing relationships with your customers and increasing trust and confidence in your brand.

A challenge and an opportunity

While the new regulatory landscape is not without its challenges, it can also be viewed as an opportunity to change the way that you treat your customers. By respecting their right to privacy and being more transparent, you may find that good GDPR practices enable you to improve lead quality, increase conversion rates, reduce churn and build lasting and lucrative customer relationships.

If you need help in creating a clean, accurate and compliant database, our specialist CATI agents provide expert phone-based data services. Used strategically to target a cleansed, profiled database, our telemarketing services can help build relationships with your most valuable clients and prospects, at the same time enriching your data with insight to deepen future relationships.

If you’d like to discuss the ways we can support you, please get in touch.

(1) https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en
(2) https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-risk-gdpr-six-months-on.pdf
(3) https://dma.org.uk/uploads/misc/new-gdpr-one-year-on_v13.pdf
(4) https://dma.org.uk/uploads/misc/new-gdpr-one-year-on_v13.pdf
(5) https://www.telegraph.co.uk/technology/2018/11/24/eu-data-rules-have-not-stopped-spam-emails-nesta-survey-finds/
(6) https://dma.org.uk/uploads/misc/new-gdpr-one-year-on_v13.pdf
(7) www.research-live.com/article/news/ee-fined-for-unlawful-marketing-texts/id/5055452
(8) https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
(9) https://www.b2bmarketing.net/en-gb/resources/articles/gdpr-what-has-happened-one-year-plus-find-out-how-set-data-retention-policy
(10) https://www.bbc.com/news/business-48905907
(11) https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-risk-gdpr-six-months-on.pdf