Gartner analysts estimate that by the end of 2018, more than 50% of companies affected by the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, will not be in full compliance with its requirements.
European companies are expected to spend an average of $1.4 million (€1.3 million) to comply with the GDPR personal data protection requirements. U.S. businesses, meanwhile, are setting aside at least $1 million for GDPR readiness, with some assigning up to $10 million. Yet very little of this money will support leveraging GDPR to increase business value from such personal data.
The terms and requirements for consent to use the data remain one of marketers' greatest challenges, according to Andrew Frank, Gartner Research vice president and analyst.
Frank believes the GDPR documents clearly define the definition of “consent,” but it is less clear how to go about obtaining it and when it needs to be obtained.
The GDPR allows for exceptions to consent if the company deems that the use of the data is based on legitimate interest. There is even a passage that calls out direct marketing as a potential example of legitimate interest. It also specifies that there must be a balancing test to ensure that the legitimate interest does not outweigh the rights and freedoms of the data subject. Getting the line correct is one of the more confounding problems facing marketers today, he explains.
"I don’t think one can label it good or bad," he said. "It’s more complicated than that. The intent is good and I applaud the impulse to give people more control of their data and how it’s used, but I do think there are problematic aspects that make it difficult for companies to put into practice.”
For example, he said, marketers using personal data to create an explanation of profiling that is clear, concise and complete remains very difficult to implement. “You can usually pick two, but it’s very difficult to do all three at any level of sophistication,” he said. “Things like that are putting a great deal of anxiety on execs in the marketing industry. They are struggling with the details that are left up to the interpreter to implement.”
Frank believes that GDPR will have an influence on the way marketers implement campaigns, even in the U.S. It will force them to ask questions they may not have asked in the past, and will open them up to have different types of conversations with consumers as more write to opt-out.
At the Search Insider Summit this week, Virginia Tonning, global manager of paid search marketing at Schneider Electric, will deliver the opening keynote on how the company prepared for GDPR. Gary Kibel, partner at Davis & Gilbert, will outline for brands some of the legal implications of GDPR.
This column was previously published in the Search Insider on April 9, 2018.