I think it was about this time last year – the last quarter of 2017 – that GDPR first crossed my personal radar. As I talked to our General Counsel (who had been studying the documents for months by then already) it became pretty clear that this was going to be something quite important for any enterprise that was either based in the EU or wanted to do business there. But it was also pretty clear that GDPR was a bit of a niche interest back then. If you looked at the blogs or magazine articles at that time, you would be forgiven for thinking that nothing much was happening. It seemed a bit like a storm that the weather forecasters were telling us was on the way, but as the skies were blue, it seemed very hard to prepare for it.
Obviously that all changed once 2018 came round, and in the last few weeks leading up to the implementation deadline on May 25th, there was certainly a lot of buzz and challenges, and even more concerns and questions. And, judging by the number of virtual column inches, and – more importantly – the ridiculous number of re-permission emails that were being sent, the storm felt very strong as it passed over.
Five months on, it looks like the sun is shining again, but I was wondering what had actually changed….
Well, firstly, it doesn’t seem to have caused the major drop in email traffic that some were predicting. Recent research by Litmus has shown that most brands have not seen a major drop in their list size since the introduction of GDPR. And in fact, even if the lists had reduced, it’s likely that the results have stayed the same since the people who left were either inactive or didn’t want to get the messages any more.
During the Port25 Summit 2018, which took place a few weeks ago in Amsterdam, I had the privilege of running a panel discussion with two of Europe’s most prominent compliance experts: Rosa Hafezi and Matthias De Bruyne. Rosa is the Group Senior Legal Counsel at Certified Senders Alliance, and Matthias is the Legal Counsel, Privacy at Dutch Direct Marketing Association. They both epitomize a wealth of knowledge and expertise around both regulatory compliance and good practice when it comes to customer acquisition and retention, and it was very interesting to hear them describe how the landscape looked to them now.
They were both very clear that whilst the GDPR deadline helped raise awareness about data protection and privacy amongst both senders and recipients, none of their members had reported any kind of significant uptick in either subject access or deletion requests. And they agreed that it was pretty unlikely that any of the data protection authorities had the resources to launch investigations into companies unless there were significant complaints against them from the public.
So has nothing really changed? Was it all a fuss about nothing?
I think we’d all be extremely foolish to think that now that the 25 May deadline has passed, we can safely forget GDPR and carry on as we did before.
I think the landscape has permanently changed. The huge amount of publicity – and the ridiculous amount of unnecessary “re-permissioning” email that was sent – has affected a cultural change in the way individuals view their privacy. This cultural change, as our experts in Amsterdam highlighted, is a crucial step ahead and I think it’s probably the greatest change that GDPR has brought about. It was exactly what the policy-makers who drafted the regulations wanted to see happen.
There are also further storms not far away on the horizon. The negotiations over the final text of the ePrivacy regulations are rumbling on and, unless they are derailed completely by the European elections next year, we’re likely to see some more change in the next few years.
In the end, organizations will be much better placed to deal with whatever comes our way if we make sensible preparations now. This demands a change of culture in the way companies operate – we need to be sure the customer is actively involved in the way we capture and use data, and that every business should proactively design and develop a strategy for privacy that considers every single aspect of what we do. To stretch my analogy, if the foundations are strong then we’ll be much more able to stand firm – whatever the weather.