Make no mistake about it: the General Data Protection Regulation (GDPR) is coming to the business world — including the North American business world — in May 2018.

Heralded by the European Union as the most important change in data privacy legislation in 20 years, the GDPR has the potential to fundamentally change the way your company acquires and stores information on prospects and customers. It’s also going to affect your company’s business practices and technology stack: everything from customer relationship management (CRM) tools and content management systems (CMS) all the way to marketing automation systems. And if you have just one resident of Europe in your customer base, there’s no way around it.

It has been hard to avoid discussions of the GDPR in the past several months. Numerous news stories, seminars, webinars and other presentations have flooded the business world.

So how do we get past the headlines and determine what this new legislation really means, and what your business has to do to prepare for it? We recently sat down with Tim Walters, principal strategist and privacy lead at consulting firm The Content Advisory, to discuss the GDPR and its ramifications for business. We caught up with him at a GDPR informational seminar being held in London.

Marketing and IT Professionals, Take Heed

My impression is that most of the people doing the listening when it comes to the GDPR legislation are technical people — data security and data governance professionals — but not so much marketing people. Yet this latter group of people should be listening perhaps more than anyone else, correct?

Tim Walters: It’s not emphasized often enough that marketers need to be very, very aware of what’s going on here .... If the technical people are not even talking to the marketers about this legislation, then they aren’t beginning to understand what the impact is going to be on the firms and what level of effort — that is, what level of budget and resources — is going to be necessary to address it. So marketers need to wake up to the fact that the GDPR significantly disrupts the way they thought about doing business because we’ve finally become somewhat successful at using personal data to inform and fuel digital marketing practices. So that obviously is going to have some kind of braking effect, slowing down some of the momentum of digital marketing efforts.

Delivering Privacy and Data Protection by Design

It sounds like privacy and data protection are two of the guiding principles of the GDPR.

Walters: The GDPR insists that privacy and data protection be baked in from the outset. So it has to be from the very first thought about how you’re going to conceive of a process, whether it’s a technical or business process, what the aims of it are going to be. You should also, from the very first moment, think about how it affects privacy, how it impacts data protection, and how you can minimize and alleviate those risks in the design process. And very importantly, you need to document that you’ve done it. So if somebody comes to you and asks, “Did you practice data protection by design when you created this particular process?” the answer cannot be simply “yes.” It has to be, “Yes, and here’s the documentation to prove that we did so.”

Putting People in Control of Their Own Personal Data

I know that you view the GDPR as a double-edged sword in that it sets some new rules for marketing with punitive fines attached but, at the same time, you see it as bringing some much-needed change to the industry.

Walters: What I think of as the core principle of the GDPR … is that people should be in control of their own personal data. And imagine what happens, how marketing is transformed, if marketers take that proposition seriously and really embrace it and ensure that their marketing practices reflect respect for peoples’ personal data and the fact that they ought to remain in control of their personal data. 

Yes, that’s going to disrupt a lot of our current marketing practices that treat personal data with, to put it mildly, a cavalier attitude. But once you do figure out how to institute those processes — again, by data protection by design and other strategies — then you are in a position to create genuinely trust-based relationships with customers and prospects.

Learning Opportunities

Engaging People Rather Than Pushing Them Through a Sales Funnel

I don’t know anyone who likes aggressive sales tactics and enjoys being 'pushed through the sales funnel.' It seems that the GDPR turns this reality on its head, encouraging companies to engage with people rather than trying to simply sell them. Is that accurate?

Walters: That fundamentally transforms the way in which marketers can begin to think about their jobs. Rather than feeding the top of the [sales] funnel by whatever means necessary with whatever leads you can possibly find, it creates something that is much more like a consistent kind of exchange between engaged consumers and buyers.

So now you’re not trying to entice people, to push them and move them reluctantly to the next stage of the sales funnel or something like that. But you are engaged with people who from the outset have made a conscious decision to be engaged with you. They’ve said, 'Yes, I’m going to give you consent to use my personal data because you’ve convinced me, or I’m at least hoping that you will carry out your promises to benefit me by the use of my personal data.' So you can begin to get into exchanges where there is a mutual benefit.

Powering a ‘Personal Data Economy’

Despite all of the fear and apprehension that’s building out there, you firmly believe that the GDPR is ultimately going to have a positive influence on business, correct?

Walters: It’s sometimes hard to believe, especially for Americans, that the EU regulators, these bureaucrats, really think that they are doing something that is business-positive and actually is going to promote business activity. But [the regulators] genuinely do believe it. Because they want to encourage innovation in the so-called personal-data economy. They want companies to be able to use personal data, but they want to and have to — according to the EU Charter of Fundamental Rights — ensure that that personal data is used in a way that respects the privacy and data protection rights of the EU residents.

Now Is the Time to Start Preparing

The GDPR is a significant piece of legislation that is going to affect the marketing practices of all companies doing business in Europe or selling to Europe. But the good news is that we know when it’s coming and, increasingly, we know what it means. So as businesses are making their 2018 digital marketing plans and determining their associated IT and marketing budgets, now is the time to fully consider the implications of the GDPR and plan accordingly.

Review your technology stack and make sure your CRM, CMS and marketing automation systems are GDPR-friendly and up to the task. Make sure that both the IT and marketing sides of the house are planning for the GDPR, and that they’re talking to each another. Engage a technology partner or consultant who’s intimately familiar with the GDPR. And finally, consult with members of your legal team for their point of view.

Doing all this homework now will ensure that you’re in full compliance when the GDPR goes into effect in May 2018.

Learn how you can join our contributor community.