Happy Birthday, GDPR – Here’s Your Report Card!
- The General Data Protection Regulation (GDPR) raised the bar on personal data protection and became enforceable on May 25, 2018
- Companies around the globe adapted data processes to ensure compliance with GDPR, and other jurisdictions are implementing GDPR-like legislation
- The one-year report card on GDPR can be summarized as “good beginning, but we need to see continued follow-through”
Happy birthday, GDPR. Your birth was announced well in advance and was widely anticipated around the globe with a mixture of trepidation and dread, but also excitement and hope. Yes, your arrival caused a significant amount of extra work. We undertook internal assessments of current privacy procedures and practices, fearing that marketing as we know it would cease overnight, but also recognizing that, if handled well, compliance with your articles would lead to improved business. In this day and age, even one-year-olds need to have performance reviews, so, having spoken to hundreds of B2B companies about the implications of GDPR’s arrival and presence in our lives, I present the (subjective) “B2B Marketers’ First Annual GDPR Report Card,” which includes the following performance areas:
Creating a framework for privacy governance: A+. There is no doubt that GDPR is a term recognized throughout the industrialized world and forms the current “gold standard” of data privacy regulations. The regulation effectively formulates the need for the data controller to notify the data subject of the intended purpose of his/her data usage, and requires that the data subject is offered a free choice to accept or reject said purposes and can access to his/her own data for rectification or deletion. Importantly, the increasing element of trust in the brand afforded by compliant data processes is a direct consequence of the GDPR.
Driving more responsible contact data acquisition: B+. GDPR forced organizations to overhaul data governance and management strategies. This has led to an increasing understanding on the part of businesses of the importance of improving both the quality of the data they collect and the processes they use to manage it. Many companies initially reported a drastic decrease in the size of their marketable contact database. Closer inspection revealed that these organizations opted to limit smart segmentation of their database, which drives focused outreach and/or single tactic approaches to gaining contact record compliance. So, in hindsight, a better job could have been done. Successful companies have reported that the regulation acted as an external force to drive better business. Greater sales and marketing alignment with more comprehensive, multi-functional, approaches to contact acquisition has provided better results (145% in one reported case) for post-GDPR numbers than were achieved prior to May 2018.
Improving marketing performance: C+. The picture here is less clear, which probably reflects more on marketers’ reporting approaches than the GDPR itself. A few CMOs have pointed to GDPR as a cause for a drop in the number of “top of the funnel” inquiries. Always a positive bunch, the same CMOs go on to state how much their later-stage Demand Waterfall® conversion figures have improved. A few marketing leaders have reported outstanding successes, with email open rates to an opted-in database reaching 25% to 30% on average and 94% in some cases. Moreover, click-through rates of between 10% and 12.5% have also been recorded. The majority of teams, however, continue to report mixed results. Ongoing frustration with the lack of a common legal interpretation of legitimate interest, added to complications around what constitutes a B2B “customer” continues to allow a mixed implementation of data policies. Overall, however, companies are pointing to a renewed emphasis on good data driving improved results and greater awareness and management of the personal data within their control. On occasion, this has led to fiscal benefits, which is a nice way of saying that money has been saved because “rubbish data” is no longer being stored.
Enforcing regulations: C-. With elements such as privacy by default and the requirement for demonstrable proof, it is clear that the GDPR’s aim has been to drive professional privacy practices more than to hand every organization a stiff fine. However, the seriousness of the consequences of failure to comply is an important part of the equation that needs to be addressed. The strong arguments for more professional marketing practices by following compliant practices can easily get lost in the heat of quarterly business reviews where executives demand to see more market engagement. To continue being perceived with respect, national protection agencies will need to step up enforcement and guidance, if only pour encourager les autres. The absence of continued publicity and monitoring of progress, compounded with further delays and the lack of a clear roadmap for the “eagerly” anticipated ePrivacy regulation, will ultimately lead to backsliding on compliant privacy process adoption.
Fortunately, the arrival of GDPR has spawned so many lookalike babies around the globe. The California Consumer Privacy Act in the U.S. and the LGDP in Brazil are just two examples. The law has been transformative in its approach to setting requirements for data controllers in treating personal data privacy. Hopefully that clarity and guidance will lead to a more consistent implementation of such laws during year two. If you would like to discuss these and other data privacy issues, please reach out to me.