Why GDPR Matters More Than You Think
GDPR is here, and yet the world still spins. For some all is well, for others all is not well. Nonetheless, let me take this opportunity to share with you a story.
Fresh out of graduate school I was on a mission to prove myself capable in the business world. I took a position as number two at a privately held accounting firm. These were the halcyon days of Sarbanes–Oxley. Google was not yet the dominant species and your personal information was as likely to be in a file cabinet as it would be on a server. Back then, protecting customers' digital information was a certain form of alchemy. An alchemy I was able to practice during my first tax season.
For the uninitiated, tax season is a non-stop cavalcade of social security numbers, W2s, receipts, and bank routing numbers. We were a midsize firm, hosting our own servers, with twenty thousand or so clients. We looked like a tasty (and easy to acquire) target for the nefarious sort. In the middle of my first tax season, we became a target.
Our founder came crashing into my office, and of course, I was with a client. He yelled in a panic, "We're being hacked! What do we do?" As I calmed our client's nerves, assuring them their information was safe, I walked into our server room and turned off the power. I then calmly turned to our founder and said, "Now they are not hacking us anymore."
We had an off-switch.
A way to protect our data by simply removing our system from the source of the problem: connectivity. In a lot of ways, that is the spirit behind the European Union's (EU) new data privacy law, the General Data Protection Regulation (GDPR). The GDPR grants EU citizens explicit power over their information and the right to decide what companies keep, how it is used, and whom it can be shared with. It also grants EU citizens the right to take their information back (and, in essence, have it removed from a company’s servers). For a fantastic primer on GDPR compliance for marketers, check out Heather Fletcher's guide.
It is an off-switch for the storing and use of personal information.
More Control for Consumers
The GDPR is not just about protecting privacy. It is about shifting control of personal information into the hands of consumers and away from businesses. A strangely anti-libertarian move that introduces conflict between data retention laws in regulated industries (such as banking and securities in the U.S.) and the individual rights it grants to consumers (something for the inevitable case law to sort out). The intent is clear: consumers should have control over their personal data, not corporations.
While the implications for marketing are not yet fully known, the GDPR requires (massive) changes to systems, especially niche ones that specialize in consumer data and analytics. Entire industries may vanish and new ones are already emerging. The impact of the requirements, and how they are enforced, affects marketing technology as it is now, and how it is developed. Not to mention the impact on the development of AI, machine learning, and other emerging marketing technologies.
This is not conjecture; the GDPR text specifically calls this tension out. In the provision on Legitimate Interest, one section reads, "Abiding by all this likely drastically reduces the amount of personal data a controller or processor is able to freely process both due to subjects not opting in and the loss of prior collected data." The framers of the GDPR expect a sizeable decrease in the personal information that can be used in marketing. Opening the door for a new set of regulations FinServ marketers need to manage.
More Regulations for Marketers
Ahh yes, the fiery ritual of regulatory compliance. The ebb and flow of pushing boundaries and finding leverage points in regulations. Teetering on that fine edge marks the life of a marketer in the FinServ industry.
Raise your hand if you have had an excellent marketing piece rejected because it did not pass regulatory muster.
While the job for marketers is to find creative and engaging ways to generate interest in products and services, for many in the FinServ industry, it is their compliance officer's job to make sure it is within the legal boundaries of what is acceptable. GDPR may make the relationship between marketing and compliance more crucial.
Up until now, all FinServ marketers had to worry about was regulators liking what we say about our products and services. With the introduction of stricter consent rules comes the introduction of more regulations.
Organizations impacted by the GDPR will now have to demonstrate compliance in new areas, including audit trails for how data is acquired and how consent was earned. The costs associated with this are enormous, as much of the data that is collected and processed exists on disparate systems. For some companies, it may be cheaper to pay the fines than to do the work to come into compliance.
More Gray Areas for Litigators to Sort Out
I take a great amount of joy in using data to solve organizational problems, especially in marketing. There is something about eradicating opinions with a well-executed A/B test. Better yet, using historical customer behavioral trends to build predictive models and forecasting tools. For those who do business in the EU, however, those scenarios are now a bit more difficult.
While gray areas are found in most of the GDPR, a couple of provisions introduce gray areas for common marketing practices. The two provisions that may yet wreak havoc on marketing are the profiling and processing provisions.
While it is uncertain how the inevitable lawsuits and regulatory challenges will shape these areas, what is clear is that the GDPR was designed to force change. This means that EU citizens can say no to being part of marketing automation, and no to their information being augmented by third-party services. Both are common practices in digital marketing.
You need not be clairvoyant to see the litany of litigation that will challenge these provisions. Especially when businesses start shutting down or are fined for doing legitimate activities with consumer data. At the very least, many of us will need to start keeping an audit trail of where, how, and why we obtained information about our customers. Just in case.
A New World of Marketing Possibilities
To my boss at the accounting firm, my solution to our hacking problem was unorthodox and revolutionary. It was something that he would never have thought of. A course of action that was as creative as it was pragmatic.
It was literally an off-switch that changed the way we dealt with hackers.
And what do marketers do best? We take constraints and limitations and exploit them, find the leverage points and go. While the GDPR introduces new limitations, it also opens up a whole new world of marketing possibilities we do not know yet. The GDPR is here, and make no mistake: while the US may not adopt all of what the GDPR is, similar controls will make their way across the pond.
Consumers will be given an off-switch for their data and that changes the game.
So Why Does GDPR Matter More Than You Think?
Whoever figures out the leverage points within the GDPR and how to use them as an advantage in marketing gets to define how our game will be played.
Over the past two decades, I have waded chest-deep into the depths of marketing and technology, spanning a wide pool of projects and responsibilities. My work has influenced multinational corporations, Christian denominations, software, and high-tech research as well as local churches and small businesses. While I specialize in branding, product launches, and building marketing programs from the ground up, my passion is for people, including the people who do marketing. Currently VP of Marketing for CDF Capital, I lead a small but mighty team.