GDPR. “It’s not an EU regulation which just affects businesses in the EU. It affects EU residents.”
That’s what Jeff Nicholson, VP of CRM product marketing at Pega told me, and in goes right to the very heart of why GDPR is different and why it requires the focused attention of brands and brand marketers, not just in Europe, but around the world. “For the longest time,” said Nicholson, “customer data has been thought of as a corporate asset. This turns it on its head.” For the personal data of European data subjects (details here), “this changes the entire dynamic.”
A wake-up call for U.S. brands
Pega, the veteran BPM/CRM platform, is headquartered in Boston, but has a global footprint. As for the EU, “We’re across the region,” said Nicholson, with offices in the Benelux, France, Germany, Italy, Poland, and Sweden. This puts it on the front line when it comes to understanding GDPR, and providing advice on compliance. Do U.S.-based brands get it yet?
“They’re slowly waking up to this new reality they have to come to grips with,” said Nicholson. “They need to devise a strategy to comply. If someone filled out a web form — a year ago, or yesterday — maybe they were applying for a line of credit — you have their data.” Of course, we’re talking about the personal data of European data subjects. What is I market products and services to the U.S., and just happen to have collected some European data by accident: Do I have exposure?
“Technically yes,” said Nicholson, “but you have to ask yourself to what extent you’re at the risk of someone enacting a GDPR request.” Make no mistake, brands which are conducting eCommerce across borders as a matter of routine are certainly affected.
What will trigger GDPR requests?
Part and parcel of putting data ownership squarely in the hands of individual consumers, is that it’s the consumers which can trigger problems for unprepared brands. European data subjects have multiple rights under GDPR, not just to have their consent to collect data clearly sought, but to have data corrected, erased, or returned to them. In some respects, this triggered a false sense of security among brand, with the majority of consumers not seeming to care much — or understand much — about the Regulation.
This is where Pega saw an opportunity. Among the many surveys asking if brands were prepared to comply, there was an absence of data on how consumers were likely to respond. To fill the gap, Pega surveyed 7,000 consumers in seven EU countries (an enormous consumer survey by any standard). This is what they found. While only 21% of those surveyed understood their rights under GDPR:
- 90% want direct control over how companies use their data
- 89% want to see the data companies store on them
- 47% see the latter as their most important right
- 22% see the ability to have their data erased as their most important right, and
- 45% say that finding their data had been sold or shared would be the biggest motivation for a GDPR request.
In other words, once consumers are informed about GDPR, look out.
Given the history of data activism in Europe, it seems likely — to me at least — that an attempt to make an example of a high profile brand by launching onerous GDPR requests is surely inevitable. And that will put GDPR in the news and encourage further requests. “It’s likely to happen,” Nicholson agreed. “But will it be just a circus act, or something which really has an impact. But yes, someone will try to test the system at some point.”
All it takes, he said, is a tweet by someone with millions of followers identifying a brand as a target.
Brand behavior can trigger problems
The imperative brands should take away from this data, Nicholson explained, is that “they need to build a new skill set they probably don’t have today. They need to anticipate behaviors which might trigger these requests, and avert them before they happen.” Consumers who are subjected to intrusive, irrelevant messaging are going to be concerned about what data is out there and how it’s being used. This is a serious matter for brands, beyond the threat of fines: Data, Nicholson said, is basic fuel for many marketers; if data is erased, lines of communication with that customer are cut.
The challenge, he said, “is to understand not only data, but what matters.” Some of the data brands are using now, without proper permissions or accuracy checks, is “shallow” anyway. Take away the kind of data-based marketing which isn’t of interest to consumers and “you’re saving money, you’re limiting marketing fatigue.” And maybe, under GDPR, you’re keeping communications alive.