GDPR is top-of-mind for all businesses today. With the deadline for compliance in the rear-view mirror, companies now face a new reality: Data privacy is a part of everyday business. And it’s good for business.
So where are we as an industry? And what does the future hold? To answer those questions and more, CMO.com chatted with Andrew Frank, VP and distinguished analyst at Gartner.
CMO.com: Why should GDPR be viewed as an opportunity versus a challenge?
Frank: It’s going to clean up a lot of bad behavior in the marketplace. And I think for companies that are already sensitive about protecting privacy and data security, this is an opportunity for them to have less competition that is not as committed to those kinds of values and policies. In some sense, it rewards companies that are already focused on ethical data collection and consumer empowerment.
CMO.com: Let’s talk about third-party data. Does GDPR mean that companies shouldn’t use it anymore?
Frank: It certainly does force companies to scrutinize the sources of data they use. That includes first-party data, second-party data, and third-party data. The point is, if it’s personal data, then it now falls under this new category, and it needs to be examined, documented, and proved compliant with this list of legal basis for processing.
It forces companies to do what they probably should be doing anyway, which is to review their data-processing policies and make sure that they are fully compliant with both their internal policies as well as the law in the regions where they operate.
The movement away from third-party data toward first-party data is somewhat driven by concerns about third-party data provenance, as well as accuracy and precision. This is part of a realization that marketers are having: Maybe there is a lot more value in looking at the customers they have rather than focusing so much on customers that they don’t have or might be able to reach.
CMO.com: Would it be difficult for marketers to make the switch from third-party to first-party data?
Frank: It’s a lot easier for retailers, banks, and companies that have direct relationships with consumers to make that switch and leverage their first-party data than it is for companies that are still selling through a retail channel or through some kind of a distributor channel. In those cases, often it’s necessary to find data from partners.
CMO.com: Now that GDPR’s deadline for compliance has passed, what should organizations be focusing on?
Frank: A lot of companies in the weeks leading up to the implementation of the law found that they had run out of time to do a lot of the things that they wanted to do. They were instead required to take more drastic actions, including deleting some data that they didn’t feel was legal to use under the GDPR, or possibly putting in some very restrictive measures, like refusing service to EU citizens or people originating from the EU.
Right now many companies are working to address how to restore some of those services in a compliant way. They are thinking about how to go about getting consent so that they can collect the kind of data they need for personalization or better targeting. It’s like starting from a clean slate in terms of a legal basis that’s clear and hopefully transparent to users.
CMO.com: What about customer experiences of the future? How will GDPR impact that, and are tactics like personalization still possible in a GDPR world?
Frank: That’s a big active area of research, I would say. There are a lot of companies and innovators that are looking at the relationship between GDPR and blockchain, for example. There’s a whole movement called “self-sovereign identity,” which aims to decentralize the management of personal data and provide consumers with controls around things like consent that could be shared or accessed by companies that are trying to manage these things.
GDPR gives responsibility for determining who customers want to trust with personal data to the consumers themselves, and that can be rather burdensome when it involves hundreds of companies that you do business with. And so the idea of a better solution for how consumers manage their personal preferences and their personal data, so they don’t have to deal with it in a piecemeal basis across hundreds or dozens of brands, that’s the bright spot on the horizon. But there are quite a lot of technical challenges to implementing a future like that.
CMO.com: Do you believe the rest of the world is going to follow GDPR?
Frank: We certainly are seeing some indications of that in Brazil, in certain states in the U.S. like California, and in other regions that are setting up GDPR-like laws, either on a regional or a national basis. Right now it looks like the tide is moving in a GDPR direction. As the business and consumer impacts become clearer, I think we’ll see some pushback and refinements.