GDPR Six Months Later: What Have We Learned So Far?

The implementation of GDPR has changed the way companies collect data and how they do business. Let's look at what's changed since it took effect.

A little more than two years after the Council of the European Union adopted it (and more than six years since its inception), the General Data Protection Regulation finally went into effect on May 25th earlier this year.

The goal of the legislation, better known as GDPR, is to change the way businesses collect, use, and dispose of consumers’ personal information. The regulation holds companies and corporations to a higher standard in terms of preserving the privacy of their customers – and giving consumers complete control of how companies use their information.

There was some uncertainty leading up to GDPR in terms of how it would affect businesses – and consumers – moving forward. A little more than six months later, we’ve already seen some major shifts in the way organizations handle customer data – and in how consumers expect them to do so.

We’ll take a look back at the changes that have occurred over the past few months from the perspective of businesses, as well as from that of the consumer, what these changes mean for everyone moving forward, and how these changes go hand-in-hand with the ever-evolving expectations of the modern consumer.

Let’s dive in.

The Impact of the GDPR on the World of Business

It’s fair to say that a decent number of companies in the EU – and around the world – weren’t ecstatic about GDPR. Among the chief concerns were worries about the added cost of compliance, the added responsibility of doing so, and the potential negative impact the GDPR would have on companies’ ability to engage with potential and current customers.

But these fears certainly weren’t without merit.

Regarding the cost of compliance, the figures definitely aren’t negligible, by any stretch. According to data collected by TrustArc in July of this year:

  • 68% of the companies surveyed reported spending at least $100,000 on compliance
  • 25% of US-based companies, 10% of those in the UK, and 7% of EU-based companies spent over $1 million
  • 10% of US, 2% of UK, and 3% of EU companies spent over $2.5 million

Any time a company gets hit with additional expenses, it’s a major cause for concern – especially when the benefits of the expenditures are unclear. Luckily, these benefits exist; we’ll come back to that in a moment.

The potential – and actual – loss of business for many companies has been pretty hard-hitting. Enza Iannopollo, senior analyst at Forrester, explains: “Many companies have reported a decrease of about 25 percent to 40 percent of their addressable market. These are customers or prospects that have not given their consent to receive marketing communication or be profiled.”

As for compliance, a lot of progress has been made – but many still have a long way to go. According to the same TrustArc study, 21% of UK-based companies, and 12% of American companies, have become fully compliant as of July 2018.

That might not sound all that impressive, but in 2017 – before the regulation became officially enforced – these numbers were 4% for US companies, and 3% for UK-based organizations. If you’re keeping score at home, that’s a 700% increase in GDPR-compliant companies in the UK, and a 300% increase in US-based ones.

What’s more, 74% of organizations across the world believe they’ll be fully compliant by the end of 2018; 93% say they’ll reach compliance by the end of 2019.

It’s pretty clear:

The new law has led more and more companies to up their game in terms of keeping their customers’ data safe and secure.

But this is not to say that the law is the only reason companies are putting in more effort in this area. Across the EU, UK, and US, the number one reason companies report working toward compliance is to meet the expectations of the modern consumer. The number two most common reason: maintaining compliance with the law simply aligns with the values of the company in the first place. Fear of penalties and sanctions, surprisingly, ranks a distant third.

So it seems that though GDPR may have sparked organizations to make strides in consumer privacy, most of these companies agree that the new law has been more like the “kick in the pants” they needed to start doing something they should have been doing all along. Data from TrustArc shows that most companies now believe the new regulations will have a positive impact on their ability to provide a positive customer experience. In that same vein, the GDPR will ultimately end up being a good thing for fully-compliant companies.

Some Notes on Non-Compliance and Complaints

As was to be expected, the advent of the GDPR has led to a number of complaints filed against companies unwilling to adopt the regulation.

In fact, the first complaints were lodged mere hours after the GDPR went into effect, by non-profit organization NOYB (“None of Your Business”). And it’s not as if NOYB went after small companies that were struggling to keep up with the new law, either; the main companies named in the complaint were Facebook, Google, and WhatsApp.

While it would be easy to dismiss these complaints as opportunistic and perhaps a bit political in nature, the recent Facebook data breach proves that NOYB wasn’t simply trying to make headlines; the organization truly knew Facebook wasn’t adhering to the rule, and was intent on holding the social media giant accountable. And accountable it will likely be; according to recent reports, Facebook may face sanctions of over $1.6 billion.

But it’s not just non-profits and legal teams lodging complaints against non-compliant companies. According to The Independent, the Information Commissioner’s Office received over 6,000 complaints between May 25 and July 3 alone; a clear indication that the modern consumer has become cognizant of the way in which their private information is handled.

The GDPR’s Impact on the Customer Experience and Consumer Expectations

These new regulations weren’t put in place just to make companies jump through a new set of hoops; they were put in place for the sake of the consumer.

In this section, we’re going to look at three different aspects of the situation:

  • How the evolution of the modern consumer led to the GDPR in the first place
  • How the GDPR has changed the way companies engage with their customers
  • How the modern consumer’s expectations will continue to evolve now that the GDPR is firmly in place

Consumers Expect Authenticity

We’ve said it before:

The modern consumer doesn’t just appreciate authenticity from the companies they do business with; they expect it.

Let’s break this down a bit more.

It’s not enough for a company to say it’s following GDPR protocol if it isn’t really doing so. For one thing, the company will likely be exposed sooner or later – and will be held accountable for its transgressions. Secondly, the company wouldn’t just be breaching GDPR protocol; it’d be breaching its customers’ trust, as well. That said, even if no official sanctions were placed on the company, it would almost certainly lose business from former customers who were left feeling betrayed.

But it’s also not enough to simply adhere to the bare minimum requirements of the GDPR, either. While this will technically keep a company “above board,” it’s likely that the savvy consumer will take a company’s minimal effort to mean that the organization doesn’t care all that much about their privacy – it just wants to “get by” and continue making money.

The modern company should see its adherence to the GDPR not as a selling point, but as table stakes to be raised moving forward. As more and more companies reach compliance over time, it will be those that go above and beyond to protect their customers’ data that will stand out from companies just going about business as usual.

Consumers Expect Transparency and Clarity

The modern consumer demands to know how companies use and store their information. Those who have used the internet in the past five or so months can vouch for the fact that around the time the GDPR came into law, companies around the world flooded customers’ inboxes with notifications of changes to their terms of service and privacy policies. Additionally, most of us are still being asked to give websites permission to collect our information via cookies and pixels.

But, if we’re being honest, the vast majority of us probably never actually read all of those new privacy policies. Still, that doesn’t mean the modern consumer doesn’t care about how companies use their data. According to Iannopollo, “1 in 3 US adults refused to complete an online transaction because they read something in the privacy policy that didn’t resonate with them.”

Most consumers probably aren’t going to take the time to comb through a company’s new privacy policy. Of those who do, many will likely find something they don’t understand and/or disagree with – leading them to opt out of doing business with the company. In other words, those email blasts explaining policy changes probably had either no effect on the consumer or had a negative impact on their view of certain companies.

In order for companies to be truly transparent with how they use their customers’ data (and anything else, for that matter), they need to provide the opportunity for customers to engage in meaningful dialogue with them – not just shoot them a long-winded email full of industry jargon.

You can only be transparent and clear if you’re doing so on your customers’ terms. Otherwise, you’re just paying lip service.

Consumers Expect Personalization – But Need to Have Control

You don’t need us to tell you that the modern consumer loves brands that provide them with a personalized experience in one way or another.

A 2017 study by Epsilon found that 80% of consumers are more likely to make a purchase after a personalized experience, and that 90% of consumers find personalization “appealing.”

For companies to provide a personalized experience, they need to collect information on each of their customers, right? (This isn’t a trick question.)

It’s all too easy for companies, however, to go overboard when collecting this data. As we’ve discussed before, too much personalization creeps consumers out, and often causes them to break off their relationship with the brand altogether.

The advent of GDPR aims to put a stop to this over-collection of data. Not only are companies required to be transparent with how they use their customers’ information, but they’re now only allowed to collect information that’s pertinent to the initiative. A simple example: a company can’t collect its customers’ phone numbers “just to keep them on file”; it would need a specific reason for collecting this data in the first place.

When you think about it, this makes perfect sense:

“Personalization” is not about learning everything you can about your customers (whether you’re going to use this info or not). True personalized service is allowing each individual customer to decide for themselves what they want to receive from you. Some people might be more than happy to receive a “check up” phone call from your company six months from now; others might not even want to give you their email address.

Some customers might love seeing personalized recommendations whenever they log on to your website; others might get creeped out when your ads start showing up on their Instagram feed. Some individuals might want you to know almost everything about their entire world; others might not even want you to know their last name.

With all this in mind, we can look at the GDPR not as restrictive in terms of what it allows you to know about your customers, but as a nudge to begin giving your customers true control over their experience with your brand.