For well over a year in the lead-up to May 2018, we at Filter were advising our clients to start their preparations to mitigate the impact of the incoming GDPR legislation, and ensure that their data collection practices were robust, secure, and met the key criteria demanded by the new laws.
From our perspective, it had many similarities with the introduction of messaging related to cookies that had come in force in 2011. The advice provided by the ICO addressed the key points, but there was little agreement or understanding around edge cases and situations that fell between the gaps.
Clients felt that this was an additional burden on their budgets and weren’t sure how far they would need to go to meet the guidelines. What were the boundaries of ‘legitimate interest’? Would they be bombarded with requests for audit trails of how they had captured, stored and used customer data? How could they link together customer data across multiple digital properties and ensure that it was accurate?
Legal services and consultants also played their part in the confusion. Their interpretation of the new rules helped define the data collection and retention strategies of small, large and enterprise companies – but that interpretation could be too narrow and too pessimistic, leading to major changes in the ability for those companies to talk to and market to their own customers.
Fortunately, a year on, we are now seeing common sense and practical reasoning make a comeback, and in the same way as we saw with cookies messaging, measures are beginning to be implemented that take a holistic and sensible approach to how data is managed for the future.
For clients we work with, this means a period of reflection and re-evaluation of the changes they put into place – and how they might move forward with a more structured approach for the future.
Ensuring that their legal teams are clear on upcoming changes and are working closely with marketing and technology sections to achieve compliancy without making short-term and rushed decisions is paramount.
This may mean realising, as one client has done, that they took a sensible approach to link their data together with the introduction of an SSO product and the development of a single customer view. But with hindsight, the lack of effective RFP and selection process and a rushed implementation has meant that they are now locked into a sub-optimal platform that is limiting their ability to make other changes across their estate.
For others, it means that they are reassessing their marketing campaigns for 2019/20 with the knowledge that many of the standard communications that they had put on hold can now be scheduled and sent.
With this reflection in mind, what can businesses learn from the impact of GDPR over the last 12 months?
Clearly, the introduction of data protection and privacy rules is just the start. We expect more regulation in the future, which will continue to address the problems that have been created through the rise of increased internet access and the advent of social media platforms, and the lack of existing rules in place.
Companies will therefore need to consider their budgets more carefully in future, and not assume that they can rush through changes before new laws come into effect.
Ensuring that their legal teams are clear on upcoming changes and are working closely with marketing and technology sections to achieve compliancy without making short-term and rushed decisions is paramount.
GDPR was ultimately a test of how well companies can adjust to new rules, and whether they can adapt to a regulated digital environment. Further change is coming. Businesses need to be better prepared to gain competitive advantage next time.