White Paper: How to Survive and Thrive Under the GDPR

The Essential Guide for Marketers

The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, harmonizes data privacy laws across Europe and impacts every company that touches the personal data of European Union residents. While the GDPR introduces significant changes for data security and compliance, it also compels marketers to forge new and stronger interactions with consumers built on trust, active engagement and mutual benefit.

The paper provides insights on:

  • How the GDPR’s core principles and provisions impact day-to-day business activities
  • How marketers should address their existing data
  • Why data portability represents a new battleground for customer data allegiance

Sponsored by: Signal
Authored by: Tim Walters, Ph.D., co-founder and principal analyst at Digital Clarity Group

Executive Summary

Despite its name, the General Data Protection Regulation (GDPR) is not something that will be taken care of by the lawyers in the compliance department and the data security pros in IT. The GDPR – which takes effect May 25, 2018, and applies to every company that touches the personal data of people who live in the European Union (EU) – requires a company-wide and systematic response, ranging from senior executives and the board to HR, alliances, and front-line staff. In particular, however, the burden will be felt by those that have come to rely most heavily on the collection and processing of personal data – namely marketers and related customer engagement roles.

To be sure, the GDPR does pose significant challenges for data security and legal compliance, but these are largely extensions of existing practices (especially for EU-based companies). For marketers, in contrast, the GDPR represents a genuine revolution, where freely collecting “data exhaust” is replaced by the need to get informed consent (or other forms of permission), and where the prevailing practice of acquiring the maximum possible amount of data is inverted into a regulatory requirement for “data minimization.”

The data processing restrictions introduced by the GDPR will incent marketers to fundamentally rethink and redesign their strategies, processes, and day-to-day activities. But as it disrupts business as usual, the GDPR also creates the opportunity for marketers to build new and better interactions with consumers and to nurture relationships built on trust, active engagement, and mutual benefit.

In this report, we explore the most essential elements of the GDPR for marketers and show how and why the winners in the post-GDPR era will not be firms that merely survive by avoiding non-compliance, but rather those that thrive in the new environment by seizing the opportunities for richer, deeper engagement with prospects and customers. Beyond compliance – and armed with key tools such as a unified data layer – marketers will be on the front lines of the battle for precious consumer data.

Introducing the GDPR

From the North American perspective in particular, it’s tempting to see a new EU regulation as just another layer of red tape dreamt up by some bureaucrats in Brussels. But the GDPR has deep roots in European history.

In particular, given the extreme surveillance, data collection, and subsequent prosecution of individuals both before and after World War II, it is unsurprising that privacy and the protection of personal data are embraced by some of the founding documents of the nascent EU in the 1950s, culminating in the Charter of Fundamental Rights of the European Union. In defense of these rights, the GDPR seeks to ensure that EU residents “should have control of their own personal data.”

From a Directive to a Regulation: Data Protection for the Digital Age

The GDPR replaces the EU Data Protection Directive, better known as Directive 95. As the name indicates, this directive was adopted in 1995 – before the commercial World Wide Web, email, mobile devices, always-on connectivity, and the digitization and monetization of personal data on a massive scale. One of the primary motivations for the GDPR was the acknowledgement that digitization poses different and more numerous threats to the fundamental rights guaranteed by the EU charter and that the directive required updating for the digital age. This means, for example, that “digital fingerprints” such as device IDs, IP addresses, and many browser cookie settings are explicitly counted as personal data under the GDPR.

At the same time, however, the GDPR recognizes the business value of digitization and the processing of personal data, and aims to remove some of the barriers that have constrained companies operating across the EU. For example, Directive 95 required that each EU member state pass instituting legislation to achieve its aims. The predictable result was a hodgepodge of data protection requirements across the EU, creating a significant headache for international business. In contrast, a regulation such as the GDPR allows relatively little variation at the member-state level. In this sense, it serves the EU’s goal to create a “digital single market” (DSM), relieving the burden on businesses that operate throughout the region. (Of course, there may be some disparity in how the member-state data protection authorities interpret and enforce the GDPR, but this is something they are aggressively working to avoid – precisely in light of the DSM.)

Also, unlike Directive 95, the GDPR is extraterritorial: it applies to any company that either offers goods and services to, or “monitors the behavior” of, EU residents – regardless of where the company is located or conducts its data-processing operations. This has the effect of “leveling the playing field” between EU- and non-EU-based companies when competing for business in Europe.

A Big Stick – But an Even Bigger Carrot

The remaining major difference between Directive 95 and the GDPR is the one that gets all of the attention – namely, the massive and, according to some, “life-threatening” monetary fines that may be imposed for non-compliance.

Under the national laws that were adopted to implement the directive, penalties varied widely. In the UK, for example, the current maximum fine is £500,000. In contrast, the GDPR states that fines should be “dissuasive” – that is, they should be painful enough to convince violators to permanently change their behavior. Specifically, maximum fines for a single violation can reach up to €20 million or 4% of a company’s global gross revenue, whichever is greater. For the largest companies, this could amount to fines of billions of euros.

But according to EU data protection regulators, the talk about massive fines and “crippling financial punishment” is mostly “fake news” and scaremongering. The UK’s chief data protection authority, Elizabeth Denham, has stated clearly, “The law is not about fines. It is about putting the consumer and citizens first.” Regulators, she adds, will continue to prefer “the carrot to the stick.”

Seizing the GDPR carrot will not be simple; Denham allows that it may require “a change to the culture of an organization.” But “the benefit for organizations is not just compliance but also . . . an opportunity to develop the trust of consumers in a sustained way.”

Developing the trust of consumers – this is the vital task posed by the GDPR. Data may be the new oil, but the GDPR will make it impossible to extract and exploit this resource without establishing, nurturing, and sustaining consumer trust.

For marketers, the GDPR challenge is to use the regulatory restrictions as new possibilities for relevance and engagement and to see the core principles and provisions of the GDPR not as barriers to established practices but as building blocks for trust-based relationships that put consumers at the center.

Core Principles and Provisions That Matter to Marketing

The central philosophy of the GDPR is that personal data belongs to the person it identifies and that people should remain in control of their data. As a result, companies that collect and process the personal data of EU residents are always only borrowing it for temporary use.

The commitment to maintain consumers’ control over their data necessarily implies a set of principles that govern data processing activities (see Figure 1), and an associated set of consumer rights over the use of their data (so-called subject access rights, or SARs; see Figure 2).

The text of the GDPR effectively lays out the implications of these principles and rights for day-to-day business activities. For example, the accountability principle dictates that companies must keep careful records of all data processing activities, while the subject access rights mean that companies should respond to consumer requests about personal data within one month and at no cost, in most cases.

For marketers, the most important provisions of the GDPR are covered in the following four sections.

1. Consent: New Requirements for Data Collection

The GDPR provides six legal grounds for the processing of personal data; one of these must be designated for every processing activity. For marketers, the most important grounds are consent and legitimate interest.

According to the latest available 2016 global survey by the Centre for Information Policy Leadership (CIPL), obtaining consent is by far the most popular basis for data processing, with over 90% of respondents using it to some extent. However, only about one-third of organizations were at that time able to meet the enhanced requirements for consent dictated by the GDPR. These include:

  • Clear and concise consent requests
  • A separate request for each processing activity
  • An affirmative and “unambiguous” expression of consent that is “freely given”
  • The ability to demonstrate the precise conditions and context of consent
  • Comprehensive and detailed consent notifications

Asking for and receiving consent clearly serves the goal of putting consumers in control of how their data is used. The question, however, is how this philosophy will actually work in practice while preserving the user experience. Without careful management it is easy to imagine that consumers will be plagued with endless consent requests and notifications, leading to what some have called “consent fatigue.”

For example: by definition, consent requests can be presented only by “first-party” sites or devices that have a direct interaction with the consumer. What, then, of the numerous third-party players that contribute to a customized digital experience with, say, analytic and personalization insights? One response, from the Interactive Advertising Bureau (IAB), is a proposed mechanism to obtain and distribute user consent among multiple participants in a customer experience ecosystem.

Or again, consider the tension, if not contradiction, between the requirement for “clear and concise” consent requests and that for “comprehensive and detailed” notification, which should include the identity of the data controller, the processing purpose, the length of time the data will be held, third parties with whom it might be shared, whether it will be transferred outside of the EU, and much more. The proposed solution to this dilemma (endorsed by data protection authorities including the UK’s ICO) is a so-called “layered” or “just-in-time” consent request, with the key information provided concisely in the top layer and additional information in drill-down links or scroll-over pop-up windows.

Numerous vendors now offer “consent management solutions” to help companies meet the GDPR requirements. For example, Evidon’s solution exposes and tracks both first-party and third-party requests while avoiding information overload with layered notifications. (See Figure 3.)

What it means for marketers: When using consent as the legal ground under the GDPR, the consent request will be the key to the personal data treasure chest – perhaps the one shot that the organization has to convince a consumer to provide the desired information. Instead of legal boilerplate, the consent request will be potentially the single most important communication between the company and the prospect. With this much on the line, marketers – the customer engagement experts – should be intimately involved with formulating, managing, and optimizing consent requests and notifications.

2. Legitimate Interest: A Balance Test of Competing Interests

In the context of the GDPR, a legitimate interest is simply a benefit that accrues to a company from the lawful processing of personal data. The regulation states that “the legitimate interest of a controller . . . may provide a legal basis for processing . . . .” However, it continues, “. . . provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.”


In other words, appealing to legitimate interest (LI) imposes an obligation on the controller to perform a rigorous “balancing test” that weighs the LI of the business against both the interests and the “rights and freedoms” of the consumer. Practical use of LI – and the extent to which it can shield current marketing practices under the GDPR – comes down entirely to the question of how this balancing test should be conducted and, for the business, what counts as tipping the scale in its favor.


Further clarification and guidance on such questions is expected from the EU data protection regulators near the beginning of 2018. However, existing EU guidance on legitimate interest states clearly that it may not be used to “unduly monitor” customers, to “combine vast amounts of data about them from different sources” or to “create complex profiles” of their “personalities and preferences” – precisely the sort of practices that drive many of today’s data-intensive marketing strategies.

What it means for marketers: It is entirely appropriate for organizations to consider legitimate interest as the legal ground for some data processing activities. EU regulators have stressed that LI is not a “last resort” to be used only when consent is impractical or unfeasible. Still, while additional guidance is pending, there is no evidence to suggest that the regulators will break with their previous opinions and now allow LI to justify practices they have so far held to be “intrusive” and “unreasonable.” When legitimate interest is used, marketers should actively participate in – if not conduct – the balancing test, in order to provide crucial insights into the benefits that result for both the business and the consumer. Finally, note that data processing under legitimate interest still requires firms to, among other things, observe all of the principles and consumer rights, including data minimization and the ability to object to processing.

3. Dealing With Existing Data: No Grandfather Clause

The stricter requirements for data processing after the GDPR takes effect in late May 2018 raise an obvious question: What about all of our existing data? Is there a “grandfather clause” that allows previously collected data to be used under the new regulation? Evidently, the answer is . . . yes and no. Yes, you may continue to use personal data that you currently hold – but only if it was acquired under conditions that meet the enhanced standards for consent dictated by the GDPR. The ICO acknowledges the burden this will place on many firms, but has so far refused to soften the restrictions on existing data:

“We appreciate that in some cases there may be a job to do in seeking new consent to comply with the GDPR standard. However, where existing consent falls short, this by definition is a necessary step in improving individuals’ trust, understanding and control over use of their data (assuming there is not a more appropriate lawful basis).”

As a result, most organizations should immediately initiate a thorough data inventory and audit with these goals in mind:

  • Discover and expose all existing personal data: Merely storing personal data qualifies as “processing” under the GDPR, even if you’re not actively using it. As a result, firms must expose the personal data that is held anywhere and everywhere in the organization – active systems, backups, employee PCs, thumb drives, etc. – as well as data that has been shared with partners or other third parties.
  • Determine the value of the business outcomes supported by the data: With the advent of the GDPR, the risks associated with holding and using personal data increase significantly. The benefits derived from particular data sets must be weighed against these risks in order to determine whether they should be retained. (This data audit is also a great opportunity to clean house: Veritas Technologies estimates that 52% of all stored data is “dark” – collected and stored during normal business operations but otherwise unused – and another 33% is “ROT” – redundant, obsolete, or trivial.)
  • Understand the conditions and contexts in which the data was collected: Does the data you wish to continue using require renewed, GDPR-compliant permissions? (In all likelihood, yes.)
  • Seek renewed consent from consumers: Whenever possible, do so before the GDPR comes into effect and further complicates contacting consumers without prior permission.

What it means for marketers: An organization-wide data inventory certainly requires IT expertise. (Several vendors offer tools to help expose personal data in enterprise systems.) Still, only marketers can properly judge the value of a particular type of data to marketing outcomes and determine what legacy data the organization should seek to retain with re-consent campaigns. The request for renewed consent – essentially, “We have a bunch of your personal data and would like to keep using it” – unavoidably invites the consumer to reconsider the benefits of sharing her data and to potentially withhold permission. Small differences in wording, graphical design, and context could make a significant difference in the consent rate. Marketers should formulate, test, and optimize the requests for renewed consent for every desirable data set.

4. Data Portability: A New Battleground for Customer Data Allegiance

The GDPR introduces a new right to data portability. In short, this means that under certain conditions, a consumer may order that all of his personal data held by one data controller – say, a social network or a financial institution – should be bundled up and transmitted to a competing service or other data controller. Specifically, the right applies only to personal data that an individual “has provided to a controller,” and is restricted to data collected under the legal grounds of consent or performance of a contract. However, EU guidelines state that this extends to data “provided by” an individual by virtue of the use of a service or device – for example, purchase histories and browsing behaviors.

Portability is one of the most opaque provisions of the GDPR. As one commentator has noted, the general concept seems “purely theoretical,” since it “can’t be easily applied and doesn’t really correspond to any expressed or latent consumer’s needs.”

Still, EU regulators declare that portability is intended to avoid “lock-in” effects and switching barriers that could occur if consumers are unable to reproduce or transfer their data from one data controller to another. In this regard, the regulators hope to “support the free flow of data in the EU and foster competition between controllers.” (They specifically describe how the ability to shift all of one’s existing data could help a new social network gain momentum.)

In short, while responding to a portability request will likely be difficult and disruptive for most firms, the provision undeniably opens a new front for innovation and competition. Henceforth, firms can and should compete not only for customers, conversions, and “share of wallet” but equally for the customer’s data – which is potentially even more valuable than a conversion, due to the insights and enhanced offers that can be derived from it.

What it means for marketers: Data portability further empowers consumers, who can now offer sellers their data as well as their purchase power – and can “shop around” for the best offer from suppliers. It is likely that consumers will not be generous with their data – one recent study shows that 70% of surveyed adults over 55, 51% of those aged 35 to 54, and 27% of 18-to-34-year-olds currently provide consent less than 20% of the time. Marketers should strive to constantly craft and optimize campaigns and offers that go after competitors’ most valuable (e.g., data-rich) customers, while simultaneously strengthening the “data allegiance” of existing customers.

Conclusion: Marketing in the Personal Data Economy

The GDPR’s avowed aim of putting consumers (back) in control of their personal data appears to resonate with consumers. As early as 2010, just one-quarter (26%) of social network users and less than one-fifth (18%) of online shoppers in the EU said they felt “in complete control” of their data online. Moreover, 70% said they feared their data was used for purposes beyond those stated when it was collected.

Most tellingly, Accenture’s 2017 global survey revealed that consumers simultaneously crave more personalized services and express deep concerns about personal data privacy. For example, while 25% of those who abandoned a business did so due to poor personalization, 79% are frustrated that they feel they cannot trust companies with their personal information. (See Figure 4.) Accenture concluded that this “significant digital trust deficit” must be addressed before firms can deliver the personalized and customized experiences that consumers seek and will reward.

In this context, the GDPR can be seen as a welcome impetus for organizations to ensure that their strategic use of personal data is understood and embraced by consumers. Despite the undeniable burdens it imposes, the GDPR’s insistence on consent (or related forms of permission), transparency, and accountability manifestly puts consumers in control of the collection and use of personal data. The regulation effectively makes customer-centricity a requirement for doing business in the EU. Rob Luke of the Information Commissioner’s Office has said:

“Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law. Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong.” (Emphasis added.)

Thriving – not merely surviving – after the GDPR means not only adapting to new restrictions but also acknowledging consumers’ concerns, embracing the core principles of consumer control, and committing the organization to, as Elizabeth Denham says, “managing data sensitively and ethically.”

While the GDPR erects new hurdles to collecting and processing personal data, it is by no means hostile to data-driven marketing and wider business practices. On the contrary, marketers that get it right will have access to data from prospects and customers that have granted permission and have become active, engaged participants in the relationship.

After May 2018, the personal data of EU residents will become more scarce, but also immensely more valuable. Managing the available data will become even more critical, even as the task shifts from volume to quality and a single view of the engagement lifecycle. In a global survey by the World Federation of Advertisers, marketers named “connecting the dots between data stored across the organization” as one of the primary challenges presented by the GDPR. A unified data layer will become virtually indispensable in order to respond to consumer rights such as data portability and the right to be forgotten, in order to improve security, and – above all – in order to understand and respond to consumers’ desires and concerns about data sharing and usage. Come the GDPR, the commitment – and the ability – to manage data “sensitively and ethically” suddenly and unavoidably becomes the key to business success.


Key GDPR Terminology and Acronyms

Adapted from eugdpr.org

Article 29 Working Party (Art 29 WP)
An advisory body made up of a representative from each EU member state, the European Data Protection Supervisor, and the European Commission. The Art 29 WP regularly issues documents (“Opinions”) that provide guidance on EU data protection law.

Data protection authority
National authorities tasked with protecting data and privacy as well as monitoring and enforcing the data protection regulations within the European Union.

Data controller
The entity that determines the purpose(s), conditions, and means of processing personal data.

Data processor
The entity that processes data on behalf of the data controller. (Does not include the controller’s own employees.)

Data protection by design
A principle that calls for including data protection from the onset of designing systems (technical or otherwise), rather than as an addition or afterthought. The GDPR requires data controllers to practice data protection by design.

Data subject
A natural person whose personal data is processed by a controller or processor. In a commercial relationship, the consumer.

ICO
The Information Commissioner’s Office, the data protection authority for the UK.

Personal data
Any information related to a natural person (“data subject”) that can be used to directly or indirectly identify the person.

Processing
Any operation performed on personal data, whether or not by automated means, including collection, use, storage, transmission, etc.

The ePrivacy Regulation

In conjunction with the GDPR, the EU has undertaken a revision of the current ePrivacy Directive. Like the GDPR, the new ePrivacy law will be issued as a regulation – binding on all EU member states – in order to provide a consistent standard of privacy across the Union.

Whereas the GDPR is primarily concerned with protecting personal data (for example, by ensuring that consumers remain in control of how their data is used), the ePrivacy Regulation (ePR) addresses the confidentiality of communications. For marketers, this covers mail, telemarketing, and email, as well as so-called “over the top” (OTT) messaging services such as SMS, WhatsApp, and Facebook Messenger. The ePR also regulates the placement of browser cookies. (Hence it is sometimes known as the “cookie law.”)

As of this writing (late 2017), the proposed ePR has been accepted by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) and sent to the EU Parliament and the Council of Ministers, where the final text will be determined in negotiations among the three bodies. It is not clear when the regulation will be implemented (the original ambition to introduce it in line with the GDPR in May of 2018 now seems unlikely), nor whether advertising industry and other business interests will be successful in loosening what they consider to be excessive restrictions on cookie use and consent for marketing communications.