What can US Marketers Learn from GDPR

Matt Shepherd, Head of Data Strategy, BBH London discusses the lessons that US firms can take from the EU’s new legislation.

In the wake of GDPR, US marketers have a great opportunity to stand on the shoulders of giants.

I’m not suggesting that the EU is in any way better than the US, I don’t want to make the same mistake that Isaac Newton made by including that “giant” quote in a letter to Robert Hooke. Hooke mistook this as an insult to his height, rather than a complement to his work that had helped Newton advance his theories faster than he would have otherwise been able to on his own.

So what exactly is GDPR? It stands for General Data Protection Regulation. In simple terms, it is a common-sense piece of legislation that means brands can’t take liberties with EU customers when it comes to collecting and using EU customer data.

The GDPR’s scope covers the processing of personal data for all EU citizens, wherever that processing is taking place. The new regulations have good intentions, they are being introduced to help protect personal data across all the EU states and promote the safe transfer of data both within and beyond the EU.

There are 7 key principles that all brands will need to cover as part of processing data for EU citizens. These include:

– Fair and lawful processing
– Specific and legitimate and compatible purpose
– Adequate, relevant and limited
– Accurate and up-to-date
– Kept no longer than necessary
– Information on security
– Accountability   

Brands that interact with EU customers will need to be crystal clear about how (and why) they are going to use customer data from the point of collection (which will require a clear privacy notice) and beyond. So in the post-GDPR world, brands will need clear consent or a legitimate reason to talk to customers and prospects, the days of pre-ticked opt-in boxes, and hidden data processing notices are over for brands that want to service and sell to EU markets.   

GDPR no longer allows you to collect or store data that is just ‘nice to have’, so brands need to decide what information is necessary rather than cast the net wide and trawl it later. Brands will also need to ensure that the data they hold is accurate and up to date, if a brand is still using data collected a few years ago it may no longer meet the requirements of the other GDPR principles.

Customer data still needs to be stored safely so you need to implement controls that protect the confidentiality of your customers data. You will also need a Disaster Recovery Plan to restore the data if the worst happens. But I’m sure these are in place already.

So across Europe, brands have spent a lot of time, money and resources to ensure that they will be able to adhere to these processing principles and avoid the headline-grabbing fines (4% of turnover or $24m whichever is greater). And as I’ve already mentioned above, EU residents are protected wherever the data is processed so it’s imperative that US brands also take note and cover this in their legal process too.

The easiest way to achieve this is to copy the data and GDPR strategies that your EU counterparts have been drafting and implementing in the run-up to the changes. To quote Steve Jobs misquoting Picasso: “Good artists copy; great artists steal”.

But GDPR is more than just processing and principles, customers will have rights too. Beyond the changes in technical process and legal jargon that is keeping data practitioners awake at night, we shouldn’t forget that these customer rights are the linchpin that will enable brands to continue doing brilliant work that builds mutually beneficial relationships with your customers, instilling trust, that will in turn lead to brand growth.

These consumer rights include:

– The right to be informed
– The right of access
– The right to rectification
– The right to erasure
– The right to restrict processing
– The right to data portability
– The right to object

Rights related to automated decision making and profiling

Despite first, scary and often negative appearances in the new customer rights, there are big and positive opportunities for brands in a post-GDPR world, though marketers will have to be prepared to think creatively if they’re to realise them.                                     

Therefore, it’s now time for brands to raise their sights and focus on the potential ushered in by the new world of customer data ownership. BBH refer to this concept as the Data Value Proposition                       

In plain English, what is the value that you are providing for new and existing customers?  How do you persuade them to lend you their data, and to let you go on using it rather than taking it to your competitors, especially the disruptors within your sector?                        

That value may be monetary. But our view is that to default to cash for data is tantamount to admitting defeat; the equivalent of throwing money after promotions rather than investing in long-term brand equity.                        

Rather, BBH believe you should be asking yourself how you will use customers’ generously offered data to co-create unique value with and for them. The brands that do this successfully will be manufacturing for themselves an effective, cost-efficient, and sustainable competitive edge for years to come.                                                

In a world where data breaches are on the rise in terms of both scale and severity, GDPR will strengthen the regulation and use of personal data and standardise good privacy and security practices. While GDPR is set to go into effect across the EU, it has a much wider reach, all international brands should consider its regulations and principles as the benchmark for a great data strategy.

GDPR presents itself as the ideal model for best practices around personal data for businesses the world over. It will also provide a framework for creating transparency and an essential roadmap for building and restoring trust with consumers worldwide.

So stand on the shoulders of giants, learn from our mistakes, copy our data strategies (But don’t steal the data).