When GDPR was first brought in just over five years ago, it unleashed seismic changes upon the industry – forcing businesses to completely change the way in which they collected customer data.
First adopted by the European Union in April 2016 and implemented in the UK two years later, the General Data Protection Regulation (or GDPR) was supposed to herald a new golden age for data privacy, putting control firmly back into the hands of the individual.
For the very first time, customers now had the legal right to demand companies delete any personal data that they held, with opt-in models meaning the individual’s consent is needed at every turn.
Backed by the very tangible threat of a fine worth £17.5 million, or 4% of a firm’s global turnover, the policy has undoubtedly – after a somewhat shaky start – deterred a raft of data abuses and enacted significant change across the board for the better.
But what does that success really mean – and is it now under threat from the current government, which has indicated that it may wish to set up its own regulations for the post-Brexit era?
How did businesses adapt to GDPR?
It would be far from an understatement to suggest that the introduction of GDPR legislation in 2018 was the single biggest shake-up to the digital marketing industry since the widespread introduction of the internet in the late 1990s. How did businesses cope?
The answer is: begrudgingly and under great duress. Unsurprisingly, the media, telecoms and broadcasting industries have been the worst offenders in terms of the total sum of fines handed out, coming in at a whopping £2.5 billion over the last five years.
DGPR hasn’t been seen in an entirely negative light from within the industry however, with OpenOcean general partner Tom Henriksson highlighting that whilst the legislation “posed challenges for data accessibility and targeting”, it also “presented an opportunity to rebuild trust with consumers”.
“Marketers had to find innovative ways to gather insights while respecting user privacy, striking a balance between personalisation and compliance,” he continued.
“As a result, brands that prioritised user privacy and delivered meaningful, consent-based experiences have emerged as leaders in the evolving marketing landscape.”
While this is certainly true of many brands over the last few years, signalling a growing shift in how data is obtained and processed to benefit the customer, big tech players such as Meta, Amazon and Google continually defy the legislation.
Fines seem to make very little difference to businesses of this size, with Meta hit with a record-breaking £1 billion fine just last month. This all begs the question – does GDPR really work when squaring up to the big boys?
Subscribe to Marketing Beat for free
Does GDPR really protect the individual?
Perhaps not entirely is the most accurate answer – but what the legislation has done is force a cultural shift across the board, especially within European companies, who have now placed the customer firmly on a pedestal.
While the US tech leviathans may be able to swallow up any fines that the EU throws at them, smaller and medium-sized businesses cannot.
In that respect GDPR has undeniably helped redefine the power balance between business and consumer, with firms clearly listening to individual concerns regarding how their data is used, as Wunderman Thompson’s head of data strategy and consulting, Steven Richards points out.
“Looking at the rights of the individual, our research has shown that up to 91% of consumers in the UK and US were concerned about how brands use their data,” he says.
“In this sense GDPR has been a clear positive for healing the fractured relationship between brands and consumers and helps to make the entirety of marketing more effective.”
Although Big Tech remains stubbornly resistant to change, GDPR’s implementation has been broadly observed. While it may have proven to be a sizeable stumbling block for business, consumers at least can now breathe easy.
Havas CX Helia’s head of consulting, Mark Arnold agrees. He says that, by placing consumer rights at its foundation, GDPR is a “worthy piece of legislation”, adding that it has the “right values at its heart, and was a necessary wake-up call”.
“Technology and algorithms have made comms planning too functional and GDPR brings humanity back into our thinking. Brands are privileged to hold and use customers’ personal data,” he adds.
“We talk about data as an ‘asset’, but that word is associated with value to the brand; we forget who the real owner is. If earning consent means working harder to engage and thinking more creatively, that’s a good thing.”
Now that the UK has the left the EU, GDPR’s future has been cast into jeopardy. The Conservative government outlined plans in summer 2021 to move away from the rules by setting up its own regulations based on “common sense, not box-ticking” according to then-culture secretary Oliver Dowden.
Are we in danger of undoing all the good work that GDPR has done over the last five years? Or are there areas where it could be improved to benefit the post-Brexit UK market?
According to the DMA’s CEO, Chris Combemale, the latter might well be the case.
“There are still important improvements to be made through DPDI’s (Data Protection and Digital Information Bill) reforms,” he explains.
“With additional clarity in key areas of the legislative text, particularly around the use of legitimate interests for marketing, and less administrative burdens on smaller businesses the UK can supercharge data-driven innovation and economic growth, while maintaining GDPR’s robust privacy protections across the UK.”
Naturally, the legislation could always be tighter, and GDPR’s shortcomings in fighting Big Tech’s rampant data abuses are a clear testament to that.
So how can the regulations be improved – and will tampering with them simply lead to further uncertainty for marketers?
Brightbid CEO Gustav Westman believes that although GDPR “has always faced the challenge of striking the right balance”, its preservation is crucial. He says it will “prevent a return to the unregulated data practices of the past while ensuring that the laws remain clear and accessible to all.”
He believes that, although there have been “initial challenges”, there is still an opportunity to refine the implementation.
“As long as we have a well-crafted and effectively enforced law, marketers can gain confidence in utilising platforms that offer cost-efficiency and maximise their budgets,” he adds, something which is “particularly crucial” in today’s challenging economic environment.
While GDPR’s future in the UK remains uncertain, it has already guaranteed people across Europe a more secure experience online. It has also helped reform business for the better, forcing firms to put the customer back at the centre of their operations – with trust-building now more important than ever.
We can only hope that when the British government does eventually put its own spin on the regulations, that they at least preserve all the good work that the EU has done over the past five years – and, God forbid, maybe even improve upon it.