Predictions 2018: What tighter European GDPR will mean for marketers
- 02 January, 2018 07:21
The forthcoming EU General Data Protection Regulation (GDPR) is set to become one of the biggest data privacy reforms to disrupt the northern hemisphere’s digital marketing sector in the industry’s history.
But what are the ramifications for Australian marketers and their data efforts? Will they need to do anything? And what lessons can be learnt from the changes being enacted?
What GDPR means to data privacy
One of the most significant data privacy reforms in years, GDPR is being put into place to create a uniform data security law for all EU members and give individuals more rights to their data. It contains new data protection requirements that extend the scope of EU data protection law to all foreign companies processing personal data about EU residents, including the UK.
Importantly, the 200-plus pages of regulation set to come into force in May 2018 will formalise concepts like the ‘right to be forgotten’, data breach accountability and data portability.
And with hefty fines for breaches of up to $24 million or 4 per cent of turnover coming into play, the new regulations are set to affect all individuals, brands and companies looking to reach the EU’s 500 million-plus citizens.
The requirements include consent for data processing, anonymisation of collected data to protect privacy, compulsory data breach notification, safe handling of data transfers across borders and, for certain companies, a data protection officer to oversee GDPR compliance.
Association of Market and Social Research Organisations chair, Terry Aulish, said the new legislation strengthens privacy protection for consumers, and encourages businesses to start making changes to be better prepared.
“The new EU legislation strengthens privacy protection in significant areas such as the right to be forgotten, stronger consent provisions, data breach notification and the right for citizens to access and correct their personal data once collected by marketing or other bodies,” he said.
Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
Once a business determines whether they need to comply with the GDPR, they will need to take steps to ensure their personal data handling practices comply with the GDPR before commencement in May 2018.
Levels of preparedness
Industry commentators agree: The potential impact of the legislation on marketers could be drastic and far-reaching, especially given the contemporary profession’s reliance on data-driven tactics.
According to Forrester, a consumer brand could lose 20 per cent of its revenue due to a privacy ethics violation. But this will just be one of many issues businesses will face due to Europe’s GDPR privacy laws causing conflicts between government, companies and consumers. Forrester also anticipates GDPR restrictions on behavioural targeting, predictive modeling and cross-device recognition will lead to public investigations and record-breaking fines for ad giants Google and Facebook.
Forrester predicts GDPR could also stifle marketers' artificial intelligence (AI) initiatives in Europe and beyond. In 2018, the analyst firm further predicts Fortune 1000 firms will face regulatory action from their identity resolution tactics.
The threat that companies will lose 20 per cent of revenue for a privacy violation is a game-changer, managing director of sponsorship and inventory at software company SponServe, Mark Thompson, told CMO. “Even more interesting is that companies can report each other, which could open the door for a whole lot of under-handed competitive tactics.”
According to Thompson, awareness and preparation are key. The company has already engaged legal professionals to analyse how data is managed, stored and hosted.
“We have also implemented protocols around localised hosting within the UK,” he said. “As a result, our terms of business include the mandatory provisions required by the GDPR and information that is held for EEA clients is stored in servers located in the UK, and not exported outside the EEA.
“And although SponServe does not store or manage highly confidential data, we are taking the GDPR very seriously. The introduction of such rules will provide significant challenges, particularly to SaaS businesses which have multiple offices and service points around the world. We are lucky that we have the ability to pivot our service offering relatively easily to comply. However, others may not be so lucky and the loss of revenue is therefore not the only consideration. The upfront cost to change business practice is a more immediate and costly exercise.”
The Leading Edge managing director, Lee Naylor, also sees the potential to uncover huge ethical violations on the horizon, and suggested companies be more proactive and prepared when looking at the privacy changes and the impact on consumer trust.
“We have already instigated a Privacy code in the market research industry because data collection inherently has to be a trust-based exchange,” he said. “Trust has always been a currency in business and I predict that in 2018, this will become the currency that drives business success. Companies that abuse that trust will come under closer scrutiny as consumers start to understand the level of data being collected and adverse effects get more media coverage.”
Experts agreed tighter regulations will continue to be a wake-up call for marketers to take consumer data more seriously to prevent data ‘brain damage’ in 2018.
“The largest consumer damaging compromise of recent years was the 2015 Ashley Madison hack, which did cause the company to lose upwards of 25 per cent of its revenue in the year following the incident, propelling the business to rebrand, refocus and recover,” CQR sales and marketing director, Mark Telkes, said. CQR provides cybersecurity consulting services.
“Meanwhile, during the first half of 2017, there were 918 data breaches worldwide. Consumers are suffering from breach fatigue. GDPR is an excellent attempt to shift the focus back to the consumer and its penalty regime might be enough to make companies take their responsibilities seriously.”
LogRhythm APAC senior regional marketing director, Joanne Wong, stressed GDPR is an eventuality that all businesses will need to face as consumers grow more concerned about data privacy.
“Organisations will need to make privacy and data protection a fundamental part of their technological and organisational set-up,” she said. “They need to start looking at their current infrastructures and analyse the gap between where they are now and where they need to be.”
While tighter regulations may impact the bottom line in the short term, Wong said it will pay off to make some serious changes to data and privacy infrastructure in the long run.
“By ensuring that the business is compliant to one of the tightest regulations on privacy available today, we build the trust with our customers,” she said. “Not only that, businesses will be prepared for the eventuality that such regulations become commonplace across any country or region they operate in.
“Some might argue that it will now cost more to build that personalised experience for customers, but they must understand that the cost associated with the loss of trust and confidence in the event of a breach or data being misused is far greater.”
A more consistent approach to data privacy will ensure the rights of consumers are upheld, MediaMath A/NZ country manager, Yun Yip, said. The adtech vendor MediaMath is part of IAB Europe's GDPR Implementation Working Group, working closely with other industry leaders to develop effective compliance solutions for the online advertising industry.
“It is imperative consistent standards are kept in place to ensure that the rights of consumers are upheld,” she said. “Advertisers, publishers, and technology vendors are working closely to behave responsibly and harness data for the benefit of a better consumer experience.
“And while data collected and analysed is often benign and anonymised, embracing responsible practices in advertising, including GDPR, will only mean a more pleasant marketing experience across channels, formats, and devices.”