Where are we, post-GDPR go-live?
GDPR is now fully enforceable by the ICO, but just weeks before it became so, the business world seemed to be waiting with bated breath as marketers, technologists, lawyers and business leaders circled the deadline with varying degrees of understanding and commitment.
One of the last surveys of decision-makers preparing for the introduction of GDPR (or more accurately, the enforcement of GDPR that all organisations should have been preparing for over the past two years) demonstrated that many decision makers (61%) would have ideally liked a six-month extension if it had been allowed.
45 per cent of those surveyed had put money aside for dealing with expected ICO fines post-enforcement – a topsy-turvy position considering the benefits of adequate preparation before the deadline.
All hail the Data Protection Officer (DPO)?
Strangely, the DPO, a mandated position for many organisations processing sensitive or extensive customer data, has been quite absent from the thoughts of many in charge of the compliance process. IT had become the department of choice for looking after customer data in the GDPR world (24% of respondents), followed by Marketing (23%) – with the Data Protection Officer a mere 1 per cent.
Respondents also gave a mixed bag of answers regarding who is in charge of the overall risks around GDPR, with the CEO in the driving seat for 32 per cent, the Chief Data Officer at 26 per cent, and then the Chief Marketing Officer at 22 per cent. Only 14 per cent cited the Data Protection Officer as the risk manager – yet this is a GDPR-mandated position where organisations perform regular and systematic processing of data subjects on a large scale – and of these nearly a third (27%) had not filled this mandatory role.
A brighter future?
Marketers were nearly evenly split on the matter of GDPR potentially diminishing the quality of the data they receive: 34 per cent agreed, 28 per cent did not, and 29 per cent were unsure. Many commentators have predicted that those opting in would provide good, truthful data on themselves and their preferences following GDPR, but the research perhaps indicates a crisis of confidence in the data analytics community.
In organisations where technology plays a central role, ‘technology implementations’ were only cited by 44 per cent of respondents. In fact, ‘setting new data metrics’ was a tactic for only 30 per cent of those surveyed.
A clear majority of respondents (63%) had put in place new policies to increase the quality of data they wanted to receive after 25th May by regulating their customer data input channels. Over half (59%) put in place stronger internal data policies. Worryingly, fewer than half (47%) were enforcing new policies on partner data acquisition, which may now leave them open to GDPR non-compliance. Of the respondents who are enforcing partner policies, 36 per cent said that updating contracts with third parties was important.
Encouragingly, many benefits of starting the journey to GDPR compliance had already come through before the 25th May: better quality of data (29%), data more easily managed (20%), and an improvement in sales success based on this data (18%).
It’s not the end
Enforcement is in no way the end of the customer privacy conversation. The industry is waiting to see how the courts will interpret test cases as customers, privacy advocates, lawyers, judges, and organisations contend with a much brighter light shining on consent and data protection issues.
Organisations need to keep a tight control of their data processes and regularly audit to ensure that they at least meet, if not exceed, their commitments. Whichever department or executive has overall control over data governance needs to keep a close eye on all aspects. As technologies are retired or deployed, new processes are introduced or employees are onboarded, there are points of challenge to overcome.
Those in charge need to keep a few elements constant to maintain confidence in the underlying direction of the data governance push…
Tag management has never been so crucial, given the fact that tags often capture and share site visitor data from the moment a consumer arrives, before they have offered consent and acceptance. Although such JavaScript tags are a well-understood part of web architecture, they have not always been well governed, and so act as data leaks. That is no longer acceptable in the consent and privacy-conscious world of GDPR. Compliance requires enforcement, which means all tags, regardless of whether they are hardcoded on a page or served through a tag management system, must be kept from firing prior to consumer consent.
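As an added example (not part of the original article), the audit below scans a page's HTML for third-party script tags that would execute on load, before any consent decision. It assumes gated tags are written with an inert `type="text/plain"` plus a hypothetical `data-consent` attribute that a consent layer re-types after opt-in; the hostnames and sample page are constructed.

```javascript
// Common executable script types (not the browsers' full list); anything else,
// such as text/plain or application/ld+json, is never run by the browser.
const EXECUTABLE_TYPES = new Set([
  '', 'module', 'text/javascript', 'application/javascript',
  'text/ecmascript', 'application/ecmascript', 'application/x-javascript',
]);

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return external scripts hosted off firstPartyHost that load without a consent gate.
// Simplification: attribute values containing '>' and inline scripts are not handled.
function findUngatedTags(html, firstPartyHost) {
  const findings = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const type = (attrs.type || '').trim().toLowerCase();
    if (!EXECUTABLE_TYPES.has(type)) continue; // inert until the consent layer activates it
    if (!attrs.src) continue;                  // inline script: outside this check
    let host;
    try {
      host = new URL(attrs.src, `https://${firstPartyHost}/`).host;
    } catch {
      continue;                                // unparseable src
    }
    if (host !== firstPartyHost) findings.push({ src: attrs.src, host });
  }
  return findings;
}

// Constructed sample page: two ungated third-party tags, one gated, one first-party.
const SAMPLE_PAGE = `
<html><head>
<script src="/js/site.js"></script>
<script async src="https://analytics.example.net/collect.js"></script>
<script type="text/plain" data-consent="marketing" src="https://ads.example.org/pixel.js"></script>
<script type="application/ld+json">{"@type":"Organization"}</script>
<script src='//tags.example.com/tm.js'></script>
</head><body></body></html>`;

console.log(findUngatedTags(SAMPLE_PAGE, 'www.shop.example'));
```

A static scan like this only covers hardcoded tags; tags injected at runtime by a tag management system need the same check against the rendered DOM or network requests.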
The website must offer a watertight consent experience. Customers will face these consent gateways across much of the web, and they are not only a regulatory requirement but a source of differentiation for the brand. Used correctly, they could be a source of education and engagement as well as a mere hygiene requirement.
Businesses should by now have polished off their data governance process and ensured that solutions like consent overlays and consumer preference enforcement are in place. If need be, A/B testing can help fine-tune how these experiences result in higher conversions for the marketing team and the smooth operation of the sales process.
Plainly put, it’s only the start of the adventure!