Nivritti Ashok
Zenith’s
The time has come. The long awaited General Data Protection Regulation (GDPR), passed by the European Parliament, has been in effect for a few weeks now and it presents a pivotal moment in our modern-day era of digital transformation and data privacy. Establishments are facing the test of the most radical overhaul of data regulation measures in a generation. Data protection laws haven’t been updated since the 1990s. Since then, we’ve seen data collection evolve into a science. Data collected is used across industries to better understand past user behaviour, thereby enabling businesses to predict future trends with a greater level of accuracy. While companies have been gearing up and preparing for these regulatory changes over the past few months, the recent media attention on Facebook and Cambridge Analytica has strengthened the spotlight on data privacy, making it a hot topic of discussion amongst the masses. The episode has set forth a domino effect of awareness, bringing the perils of modern-day data surveillance culture to the forefront of everyday conversations.
We have a digital-focused economy today that was inconceivable back in the 1990s. Technological advances over the years, along with a convergence of legislations in our global economy, require new reforms to take into consideration the proliferation of big data, technological developments and evolving consumer expectations. Consumer trust is ever more crucial to the private as well as the public sector. Additionally, the Cambridge Analytica incident has awakened a sleeping giant, with people waking up to understand and seek further information about their personal data and privacy settings.
Enter GDPR, which I believe puts the power back into the hands of the consumers, giving them greater control of their personal data. The new directive is a monumental step in the realm of data regulation. While it is vital for businesses to comply with the changes to the data protection infrastructure, the key question facing marketers is whether then can continue to thrive in this new landscape.
GDPR is a digital privacy regulation that came into effect on May 25, 2018. While marketers in the EU have been preparing for GDPR for months, the legislation also affects companies globally.
GDPR directly influences the processing of personal data of EU residents (inclusive of those residing in the UK). The territorial scope of the regulation is blind to where the data is stored. This means that even if an establishment is based outside the EU and is either offering goods or services to EU residents or monitoring their behaviour, then it is subject to the legislation. The law therefore affects both data controllers and data processors. (Data controllers are those entities that determine the purpose and means of the processing of personal data, while data processors are entities that process data on behalf of a controller.)
Advertising has now entered an age of highly complex legal classifications. Marketers and ad tech professionals need to pay attention to “special categories” and other details that they didn’t have to previously. Categories such as political opinions, racial origin, religious beliefs and health data can only be processed with explicit consent. Moreover, one of the mandates of the law is that even if consent is obtained to process a user’s personal data, the organisation cannot use the data for any purpose other than that for which the consent was given. This is unless the organisation states the way the data will be processed and for what purpose at the time of obtaining permission. As a result of this framework, we are witnessing noteworthy transitions, in which key organisations are choosing to relinquish their stance as data controllers and passing the baton over to those willing to bear the responsibility.
We have already seen this come into effect with Facebook’s recent update to their custom audience settings. Facebook is making it clear that businesses are responsible for their own relationships with independent data providers, and thereby acting as data processors as opposed to data controllers. Additionally, media agencies executing campaigns on behalf of client marketing teams are considering avoiding the use of agency-obtained third-party data in connection with custom audience buys altogether, unless it is critical to maintain the status quo with clients. If agencies are to take on the responsibility, then they need to adhere to a strict set of guidelines and protocols.
So marketers should essentially be concerned with GDPR’s immediate impact on two key topics: big data and personalisation at scale.
One of the biggest pain points of the new law is the potential loss of data. In light of the above information, the hypothesis is that the overall volume of first-party data will shrink as users exercise their right to keep personal data to themselves. According to a 2010 study by the European Commission, “89 per cent of respondents agreed that they avoid disclosing their personal information online”. By requiring companies to obtain explicit consent for all data points, existing and new, the regulation significantly increases the costs associated with collection, storage and processing. In addition, many organisations are still struggling to grasp the direct implications on next steps to adhere to the regulations.
Overall costs, along with the novelty of the law, could mean that a lot of companies could end up deleting far more dark data (data of unknown value) than necessary in the process. This could radically diminish data pools of valuable information worth billions of dollars.
In addition to the fate of first-party data, the fate of third-party information has perhaps been the most debated GDPR subject. While many perceive third-party data to be so deep-rooted within the digital marketing ecosystem that it is too stable to fail, a significant number of people also see it being the biggest casualty of GDPR. One of the most popular hypotheses is that, third-party businesses being the most convoluted of all data entities, companies may shy away from sharing their data altogether, thereby shrinking overall access to third-party data. Anyone who has run a programmatic campaign or leveraged a DMP can understand the drastic repercussions of this on his or her campaign strategy.
That being said, if data is cleaned and processed the right way, GDPR may serve as just a temporary hiccup, slowing down big data only for the time being. However, in the long run it will provide a better standard for more focused and high-fidelity first- and third-party data.
It is important for companies to take time and view GDPR as an opportunity to shed light on the dark data they harness. Instead of blindly deleting pools of data en masse, organisations should audit their data so they don’t throw out the baby with the bath water.
It is evident that we have now entered a highly sensitive era of consent. Most consumers were already treating the recent spate of GDPR related email opt-ins as a