In the five months that have passed since GDPR went into effect, the main question surfacing among commercial entities that collect customer data seems to be “so, how did we do?”
While some progress has been made in these months and should be recognized, we still have some work to do as a collective unit.
Since the enactment of the GDPR back in May, we’ve seen U.S. companies inch closer to compliance and invest somewhat significantly in GDPR-related initiatives. Talks of national legislation that would govern our use of data, domestically, are also starting to intensify — perhaps partially to protect themselves from European customers and regulatory bodies who might pursue data-related misconduct of U.S. brands.
Nonetheless, as global data privacy complaints have mounted, U.S. businesses have taken notice and are getting more serious and more committed about data privacy.
GDPR: Has Progress Been Made in the U.S.?
During the earliest rumblings of GDPR going into effect (a year ago and further back), no one really knew what to expect or what to actually do. But since then, industry rhetoric has prompted a groundswell of data-related undertakings in order to get acquainted — and compliant — with the new law.
And, at least in America, we’re making some progress. 3x times as many companies are now GDPR-compliant than in 2017 (from 4% to 12%), according to research from TrustArc. By the end of 2018, 74% of companies expect to be compliant, and nearly all brands (93%) project full compliance by the end of 2019.
Somewhat surprisingly, the main motivator for compliance isn’t the avoidance of fines. Across the globe, it’s where it should be: to meet customer expectations.
A greater percentage of American businesses are also spending significantly more on GDPR than other regions.
More research also shows that Fortune 500 companies have spent $7.8 billion on GDPR up to May 2018, with 40% of them spending more than $10 million. Additionally, the majority (65%) of companies that were surveyed said GDPR was well worth it and had a positive impact on their business.
“The majority of U.S. brands feel positively about #GDPR — investing more than other regions, & using it as an opportunity to meet #customerexpectations” CLICK TO TWEET
Not everything is hunky dory, though. There is, of course, still some feelings of hesitation and uncertainty, as more than 50% of U.S. companies are “struggling” to comply fully. Without question, work remains.
As a byproduct of some of the roadblocks toward compliance, some companies are literally ceasing to do business in Europe rather than deal with GDPR. As Dr. Tim Walters wrote, “Business leaders have every right to determine in what markets they want to offer their products or services. But storming off the playground simply because you don’t like the (data) rules will increasingly prove to be a financially dubious strategy.”
Should a similar law be enacted in the States, the unfortunate reality is that we’d see some companies opting to dissolve rather than adjust and adapt their marketing strategy, intake systems/database architecture, and UX to become compliant. The prospect of a national law is a possibility, too.
Does the U.S. Need Its Own Data Protection Law?
Data governance is a touchy topic across the world right now. GDPR has inspired other countries to push their own data protection regulations towards adoption (China’s Internet Security Law and Brazil’s Data Protection Bill of Law, for example). Debates run rampant around the implications — moral and ethical, professional and personal — about identifiable information of data subjects.
Potential for a U.S. federal law and its implications
California recently passed its own privacy law, the CCPA. And at the end of September, data privacy leaders from well-established U.S. companies including Google, Amazon, Apple, Twitter, and Charter Communications testified during a Senate committee to discuss potential safeguards for data privacy. Delegates gave their input for what a to-be-created federal privacy law could look like based on GDPR and CCPA.
Should the U.S. adopt its own data protection law(s), following suit from the EU? Would it be in our best interest to regulate and monitor data — and if so, to what extent?
It may depend on your perspective. American consumers would likely favor greater protective measures to keep their personal information at bay and would jump at the chance to know who hacked their data (and who was responsible for any breach).
Brands, on the other hand, would have to relinquish control of data ownership and allow consumers to vaporize all their data if desired. They’d have decidedly greater opposition to such a “U.S. Bill of Rights” about customer data. Since such data is the lifeblood of their existence, it might seem that added stipulations and monitoring would inhibit the ability to collect and leverage data per the status quo.
The status quo, though, is changing, and it’s time to adapt.
It’s time for a new mindset
While the U.S. has yet to enact the same laws as the EU, it’s clear that a mind-shift still needs to happen among U.S. brands if we are to meet and exceed customer expectations.
The data environment is shifting, and we simply must adjust. “Beg data” — data accessed through incentives by earning permission from customers — is now the reality we should all welcome with open arms. Data abundance will dwindle, and there’s now a prime focus on quality, ethically collected data… not quantity.
Securing personal data from customers that want to register, sign up, or buy is the shift that must be made if you plan on surviving the post-GDPR environment. The best way to get there is with permission marketing. The problem is that this is such a tough mindset to cultivate, especially in evolving from the age of “big data” where we freely collected as much as we could.
"The biggest adjustments U.S. companies have had to make are the two that they aren’t making: ● (1) Treating the GDPR not as a compliance exercise but as something that requires a fundamental shift in company culture — moving away from viewing the law as a “box ticking” exercise. ● (2) Adapting to, analyzing, and understanding the changes the GDPR requires for marketing and CX/CEM. Companies should (but for the most part do not) see the GDPR not as a cost to be managed and evaded, but as a revenue opportunity to be embraced. View GDPR not as new requirements for processing (collecting, storing, sharing) data, but as a new era of new kinds of value partnerships with customers.”
Tim Walters, Ph.D. • Privacy Lead, The Content Advisory & GDPR Expert • @tim_walters
“The biggest adjustment U.S. co’s need to make w/ #GDPR is to NOT treat it as a ‘box checking’ exercise & instead embrace it as a revenue-generating partnership w/ #customers” says @tim_walters CLICK TO TWEET
In lieu of an added domestic regulation, opt-in data collection and use needs to become the “unofficial” law of the land and new marketing standard. Regardless of whether you do business in Europe or not, this is by far the best policy.
Getting up to Speed: GDPR Compliance in the U.S.
Even the notably anti-establishment rock band Rage Against the Machine is working with the regulation by adding a GDPR compliance form to their site.
Not every brand has embraced GDPR in as endearing a way as RATM, though.
➤ Pro Tip: There’s a “double bind of customer experience in 2018” and it’s the main issue we’re all wrestling with — consumers demand better experiences (which requires more of their personal data that they’re increasingly hesitant to give up), and marketers want to create it (but can’t without data). This tricky matrix is the playing field upon which GDPR, marketing, CX, and data management ebbs and flows, and it all must come into balance.
Here are three ways U.S. companies can get up to speed with GDPR:
1. Document compliance and provide evidence.
Work on evidence that you’re taking GDPR seriously by documenting progress. In order to avoid sanctions, focus on your ability to demonstrate privacy obligations/measures.
2. Improve and monitor internal tracking and database systems.
Improve data housekeeping since data retention is a huge part of the law. This involves all internal compliance, proper record keeping, and easy access for regulators or data subjects.
3. Understand the reality of GDPR.
Know the rules! Affirmative consent is only one of six legal justifications to qualify holding onto data. If you’re uncertain about the legitimacy of your data, the best bet is to just re-permission.
There’s been a marked bump in re-permissioning efforts and a stern refocus on gaining clear consent, both beneficial endeavors (not just because GDPR says so).
➤ Pro Tip: Ad-tech vendors that process data and claim to be compliant based on legitimate interest or affirmative consent do so at great risk. For now, they can get away with controlling data that’s not theirs because it’s related to their commercial stability, but that won’t last forever.
“Since May 25 [when GDPR went live], driven by the fines that can be imposed for GDPR violations, companies are shifting from trying to collect as much data as possible to collecting data that's less sensitive and then determining how to use that information to drive multiple lines of value, like for marketing and product positioning — taking a “quality over quantity” approach to list management. Data protection is becoming increasingly important across the world, and, GDPR, with its groundbreaking policies, pro-user approach, and harsh penalties, has set the tone.”
Dennis Dayman • Chief Privacy and Security Officer, Return Path • @ddayman
“Since #GDPR went live, co’s are collecting less-sensitive #data & adopting a quality > quantity approach to #listmanagement” says @ddayman CLICK TO TWEET
As GDPR complaints mount in other regions, it’s critical for U.S. brands to follow these steps toward compliance and to maintain an ongoing culture of data privacy — shifting from a vicious cycle of data madness to a virtuous cycle of data value.
➤ Pro Tip: The retail and e-commerce industries are perhaps affected most by GDPR. Retail brands can continue working toward GDPR compliance by using concise consent forms, notifying authorities if a break does happen, informing their partners and suppliers that they’re also liable, and making compliance an ongoing, fluid process.
GDPR and what it means has been covered well. But sometimes it can seem more like an abstract idea rather than a solidified thing. The concept of big data we’ve all heard about, in part, has evolved as a product of our relatively unbridled ability to go out and get as much data as we wanted, freely and without much consequence.
As data regulations change, so does marketing. The goal, in response to GDPR, needs to be to convince audiences to exchange their personal information for the promise of value. U.S. brands have to continue focusing on several key areas to get closer to GDPR compliance:
- Adopt a cultural/strategy mind-shift. How can permission-based marketing help you achieve your business objectives? It’s time to stop taking customers’ data and instead earn it.
- Data rationalization. Why do you have the data you have? You MUST be able to easily “prove” consent and respond to data subject requests (e.g., by locating all of the personal data held on an individual, and, if necessary, delete or transfer it).
- Go with the flow. Understand GDPR isn’t stagnant nor is your marketing approach. Continuously iterate and improve systems and processes.
Failing to recognize, adapt to, and comply with GDPR — or slyly shifting to stealthy data collection habits to circumvent it — is to abandon your obligation to serve customers. Misusing customer data leads to abusing your consumer relationships. And that flies in the face of not only the regulation, but also why we’re all here. Keep forward momentum, and comply with GDPR, not because you have to, but because you choose to be a catalyst in this dawning of a new data integrity era. ◾
Handpicked Related Resources: