GDPR. Just five years ago, those four letters were enough to give most marketers a nasty bout of the heebie-jeebies. Not that they didn’t see it coming; the biggest shake-up of European data protection legislation in a generation had been seven years in the making and even when passed there was a 12-month grace period.
Even so, the scare stories were so widespread that the UK Information Commissioner’s Office was forced to run a major “myth-busting” initiative and stress that it would be using the carrot not the stick approach on enforcement.
Meanwhile, industry chiefs were keen to stress that implementation D-Day was the “beginning, not the end”, and that complying with the regulation would be a work in progress.
Of course, five years to the day since GDPR came into force, the market has moved on, with the rise of artificial intelligence, digital transformation and the metaverse now seemingly dominating the headlines.
The UK has also moved on. Following Brexit, the Government is now in the process of drawing up its own data protection laws, under the Data Protection & Digital Information (No.2) Bill. But, interestingly, despite the anti-EU bluster and tub-thumping, many of the original GDPR measures are set to remain.
Industry body the DMA has been one of the key supporters of the new legislation, but chief executive Chris Combemale is in little doubt about GDPR’s legacy.
He said: “GDPR has reshaped the global data privacy ecosystem for the better, benefitting both consumers and businesses – with consumers increasingly willing to share their data as trust levels rise.
“But there are still important improvements to be made through the Government’s data protection reforms. With additional clarity in key areas of the legislative text, particularly around the use of legitimate interests for marketing, and fewer administrative burdens on smaller businesses, the UK can supercharge data-driven innovation and economic growth, while maintaining GDPR’s robust privacy protections across the UK.”
Others are yet to be convinced, however. Nano Interactive chief revenue officer Niall Moody commented: “GDPR was designed to give consumers more control over their personal data and to protect their privacy, but it is clear that five years later there is still huge concern around how data is being used.
“In fact, according to our research, 70% of UK consumers are regularly taking steps to hide their personal data online to protect their privacy, such as using VPNs or private browsing. Ad tracking was cited as the number one reason for this behaviour.
“This goes to show that despite GDPR, brands and advertisers are still relying far too heavily on personal data, and they will be increasingly left behind if they continue to do so.
“The rules are set to change again when GDPR is replaced by the new Data Protection & Digital Information Bill, and Google has now confirmed it will begin disabling third-party cookies in Chrome next year. Businesses and advertisers need to do more to respect consumer privacy, embracing longer term alternatives that will be more palatable to online audiences than outdated people-based targeting.”
For The Thread Team’s co-founder, Carolyn Bondi, the past five years have been a compliance rollercoaster for brands, navigating the twists and turns of what is and is not acceptable under the legislation.
She added: “Much of the scaremongering prior to 2018 proved unfounded and as a result brands have built stronger relationships with their customers. Being made to be more responsible is a good thing.
“Lazy marketing has been replaced by more considered and clever marketing, whereby technology, compliance, imagination and insight come together to deliver integrated, effective campaigns. Is 2023 a marketing nirvana? Not by a long shot, but the influence of GDPR has certainly been a positive force. The key, however, is that regulators and industry work together to ensure that data protection moving forwards achieves the right balance.”
Analytic Partners associate vice president Kevin O’Farrell reckons that the introduction of GDPR, much like phasing out third-party cookies, increased the level of difficulty when it came to marketers targeting consumers.
He continued: “Five years on from the implementation of tighter data regulations, businesses are only just embracing a holistic omnichannel marketing strategy. The power of a marketing strategy lies in the use of aggregate data to inform decisions – relying on cookies alone to make major decisions about spend and effectiveness was never a good idea.
“It’s vital to continuously experiment with, test and validate measurement strategies while incorporating an adaptive methodology. By combining a valid methodology with a continuous assessment of the type of data needed to improve the desired outcome, companies can drive their business forward.
“Marketers need to move towards a future-facing decision-making process where we understand all potential scenarios, with risks and benefits, so businesses can make better decisions as a result. This will ensure brands continue adapting and evolving as first-party data increasingly grows in importance.”
Meanwhile, Software Bureau managing director Martin Rides insists GDPR has been hugely beneficial to the data-driven marketing industry. He explained: “Direct mail is now the most trusted form of advertising. Moreover, the latest industry stats show that engagement and effectiveness rates are higher than ever. Compare this to 2018 when GDPR came into force and the same could not be said.
“Undoubtedly, the legislation has had a positive impact on the mail industry because brands have become more mindful about the underlying data, which in turn has led to more relevant and better mail. But, for this trend to continue it is vital that organisations see the ramification of non-compliance.”
Rides cites a study his consultancy carried out last year, which showed that there were only 28 enforcements and just five fines in the 12-month period; this sends the tacit message that the likelihood of being fined is remote. Add to this the fact that there are zero enforcements relating to data accuracy, and it means that one of the key reasons that GDPR was established is largely being ignored.
He continued: “While GDPR will undoubtedly be in existence in another five years, whether the UK will have different governance remains unclear, but whatever the case it is critical that data accuracy is taken seriously, or we risk the re-emergence of the junk mail moniker that plagued the sector for so long.”
Sagacity chief commercial officer Scott Logie concurs. He said: “In the run-up to GDPR, there was a lot of worry, fear even, in terms of what the implications would be and the impact on brands’ ability to carry out data-based marketing, particularly around acquisition. Five years, four prime ministers, a pandemic and a cost of living crisis later, GDPR might feel like a long time ago but in reality it is really still bedding in.
“There have been some great successes – many dodgy data providers just shut up shop for example. And businesses are much more rigorous in their checking and usage of data and information.
“There are still areas that could be improved: the number of fines and censures is lower than we would have thought, and the clarity on what is law and what is guidance has taken a long time to be clarified.
“Will GDPR be judged as a success? In my view it will for two main reasons. First of all from a business point of view it has, without doubt, cleaned up an industry. More or less all data providers now are trustworthy, inboxes are way less cluttered with junk, and intrusive phone calls have been reduced significantly. But perhaps even more importantly, the understanding of personal data, of consumer rights and about how to manage and secure your own information has been raised with consumers. And the world is a better and safer place as a result.”
Nevertheless, Paul Alexander, group CEO of Beyond: Putting Data to Work, believes there is still plenty of work to be done.
He said: “Since GDPR was enforced, technology has moved on significantly and, according to Moore’s law, it’ll be 32 times more advanced than it was back in 2018.
“Edge computing, AI, digital twinning, 5G etc, were in their infancy or not even twinkles in eyes but, as a result, what brands can now do when it comes to data transformation far, far exceeds the capabilities five years ago; not least because of the impact of the pandemic and digital transformation.
“As we implement new and more innovative solutions to business problems using data, it’s critical that they’re done so through the lens of GDPR compliance, but with the ever-increasing speed of change, data protection regulation needs to move with the times or risk becoming an ageing barrier, rather than the protector that it was set up to be.”
Tribal Worldwide London analytics manager Bradley Williamson added: “GDPR has undoubtedly made significant strides in enhancing data privacy and protection – it has enabled and acted as a poking stick for organisations to prioritise data security and develop robust frameworks for how they govern their consumers’ data. Additionally, the adoption and discussion of GDPR has helped raise data privacy as a valid consumer issue – to a point now where having bad data governance may impact your bottom line from a sales perspective.
“The changes that GDPR brought were positive changes, however they need to adapt to deal with an ever-changing data landscape. New challenges, such as the development of artificial intelligence and machine learning, raise new issues that need to have more regulation brought in to ensure individuals’ privacy rights are adhered to.”
Even so, legislators have always struggled to keep up with the rapid rise of technology and, given that ChatGPT has come out of nowhere over the past few months, who knows what will emerge? Whether we will still be talking about GDPR in another five years, however, remains to be seen.