Long-term effects of GDPR? The Good, The Bad and The Ugly
So, you know about GDPR, right? D-Day is 25th May 2018, but have you considered GDPR's likely future impact?
Whilst GDPR is intended to better protect the privacy of individuals by empowering those who process personal data to do so responsibly, it should also help create a level playing field. GDPR is, by definition, an EU Regulation, so it applies to all data subjects in Europe, including the UK, irrespective of Brexit. It means that any global company doing business with EU citizens should comply with the GDPR regulations. And yes, this includes Google, Amazon and Facebook! This is actually good news for European companies. The likes of Amazon - fueled by relative liberal legislation in their home countries - have developed very advanced data processing skills. So much so, they know what you want for breakfast, even before you wake up. With a level playing field where all players are tied by the same rules and kept in check by some pretty serious fines (up to 4% of your worldwide revenue), European commerce companies have a fair chance again to play with data just like their big cousins across the pond are doing.
Interestingly enough, many people think Facebook and Google will be the first target of the regulators (they have been subject to privacy and anti-trust actions before). However, Forrester predicts the first fines will hit American marketing cloud and adtech vendors. These companies are very exposed (just do a simple Ghostery check) and are the dominant players in the European arena. So, you'd better check if your marketing cloud or adtech company is GDPR compliant, or start looking for alternatives.
it's data jim, but not as we know it
So, what else will change? Well, there may be a number of projects in your pipeline you need to re-evaluate. For example, the use of finger printing and ID recognition across devices as a means of identifying consumers (e.g. in an omnichannel environment) becomes an issue, as asking a piece of hardware for consent on behalf of its owner just doesn't hold up... And how about those big investments in your data management platform? The platform that was intended to provide you an evolving customer profile across all channels to tailor your marketing message to the individual, or, as Nicolas Negroponte called this marketers' pipe dream, "the demographic unit of one"? You may have to start blurring your precious data a bit and go back to traditional customer segments again, unless you have explicit consent from your data subjects.
Another no-go area is the use of 3rd party data for your marketing campaigns. Buying data from so-called lead generation companies that harvest email addresses via lotteries and games (for which consumers give their consent without knowing because it is hidden in the small print) is a very dangerous act in the context of GDPR. Why? Because GDPR is all about explicit and unambiguous consent. So only use your own datasets, and only if the intended recipients are appreciating your messages!
And how about profiling? Well, the good news is you can do this as long as automated profiling does not result in discriminatory or exclusionary practices. But, if you inform your customers about your intention and get their consent (with the option to opt out at any moment), nothing is preventing you from offering your customers a personalised shopping experience. However, make sure that you always create your personalisation algorithms with 'privacy by design' in mind - especially when you want to apply AI on personal data, as it is very difficult to meet the transparency standards set by GDPR when you apply automated decision-making tools.
By the way, you can expect to see new software and algorithms arise that exploit fewer points of data on individuals and are more advanced at pattern recognition and predictive modelling to build customer profiles, filling in the missing points of information.
it doesn't stop with gdpr
Just when you think you are done with GDPR, the next European regulation - the ePrivacy regulation - will come into effect. This regulation will complement GDPR and will regulate, among other things, unsolicited marketing, confidentiality, and reduce the usability of third party browser cookies by moving cookie controls from the webshop operator to the browser. The good thing is that you can finally remove the ugly cookie consent banner from your webshop again.
Disclaimer: we are ecommerce experts, not legal advisors. If in doubt on GDPR, please consult a legal expert.