It’s been almost a year since the EU’s General Data Protection Regulation (GDPR) went into effect. The goal of the regulation? To help EU citizens control their personal data and how it’s collected, shared and used. But the sweeping nature of the GDPR means that it’s not just EU-based websites and technologies that fall under its remit, but any that might potentially be accessed by an EU citizen.
The GDPR’s roll-out represented a major change for tech companies, data brokers and marketers, who had previously had free rein over the data that they collect. They’d never before had to disclose what data they were storing, what they were using it for, or why they wanted it.
But as any modern-day marketer knows, data is crucial for doing business. Sufficient user data gives us the insights we need to target our campaigns, optimize our sales funnels and respond both reactively and proactively to customer needs. There’s a reason that modern-day marketing is built on the intersection of data and AI.
More attention to and scaffolding around explicit consent
Under the GDPR, significant updates have been made around marketing-oriented tools such as website cookies and newsletter sign-ups/opt-outs, which collect customer data for marketing purposes. Under the GDPR, clarity around exactly what opting-in means is a must, and so is expressly asking a user’s permission. Gone are the days where filling in a form meant tacit permission to sign up for a newsletter, and sales tactics are changing accordingly.
But staying compliant involves more than a customer’s consent to share their data. Companies have had to rework their systems to ensure that it’s clear where data is stored, which data reflects sensitive or personally identifiable information, and who has access to it. Other mandatories include explaining how exactly an AI will use an individual’s data, and why – and the right to opt out of AI-driven decision making [pdf] in favor of human adjudication (for “significant” outcomes, like a loan).
Clearly, all of this has implications for just how much can be automated through AI, and exactly how this is to be approached. Fortunately, most marketing decisions don’t fall under the “significant” decision criteria – it’s really not a big deal whether you’re served the ad with the trance music or the ad with the R&B music.
Accepting that less data means more thinking
AI is an infinitely self-improving process that trains on input data to come up with more accurate outputs. Before the GDPR, all data was fair game, and AIs were able to feed insatiably on available data. But that’s all changed.
With current opt-in regulations, as well as limitations about what can be collected and how marketers have to accept that they might not get the same amount of data to work with. Less data means that you can’t “brute force” the solution, but instead you have to think about what aspects are important for the end-goal and make sure that your data is pristine. It also means that you need to use your data as efficiently as possible.
Marketers have an incentive to use the data they have more exactingly and to be more strategic about what they’re collecting. The advantage to this approach is that marketers *have* to do something that they should have been doing all the time – think about what to accomplish, understand the path to get there, take small steps, and be very precise. Following this path avoids feature creep, software bloat and minimizes unexpected effects from casting too wide a net.
Uncertainty about data collection and retention
The data minimization pillar of the GDPR says that companies aren’t just supposed to limit the data they collect; they’re supposed to limit how long they hold on to it. Not only that, but if an individual requests that their data be deleted or amended, companies have to comply.
In theory, this seems simple enough. But marketers’ ubiquitous use of AI makes things more complicated. If data is removed upon request but has already been used to train an AI, has it truly been deleted? AI is both a black box and endlessly iterative, meaning that data can live on in some form forever, but exactly how it’s all but impossible to ascertain.
In such cases, are marketers adhering to the GDPR, or flouting them? If data can still be leveraged despite being deleted, then data storage time limits are meaningless. Perhaps the only impact of the GDPR here is to encourage faster and more widespread processing of data in the name of beating the clock.
Worrying about enforcement over failure to comply
While some aspects of the GDPR may be open to fuzzy interpretation, others aren’t – and the stakes are high. Fines of up to 4% of global turnover apply to those who fall afoul of GDPR, and the first enforcement actions are being taken. Since the roll-out of the GDPR, some 59,000 data breach notifications have been served, with 91 fines issued – the largest being a EU50 million fine leveled against Google.
What’s Google being taken to task for? Lack of transparency over the information that will be tracked when creating a Google account; vague and generic provision of requested personal data; and lack of opt-in consent for its personalized ads.
Marketing automation, lead generation and PR pitching are all areas where marketers have to double-check they comply with GDPR standards.
But with one in five businesses believing that complete GDPR compliance is impossible, and less than half admitted to being fully compliant with the regulations, this is an area where marketers need to work closely with leadership to ensure they adhere to all aspects of the GDPR – or risk substantial fines.
An opportunity to build trust with consumers
The GDPR has at least started to push companies to be more respectful of the individual – the person behind the data. This creates new challenges around business, marketing and AI. But at the same time, it’s opened up an opportunity to build trust with consumers by offering visibility and transparency into how their data is used.
Given the general public’s reticence about the mysterious “black box” of AI, this step back may eventually pave the way for increased data quality. Moreover, as trust grows, so too will the free-flow of data throughout the EU and beyond. In these early stages, the GDPR may seem like a burden, but as companies rebuild trust with consumers, it will become a sustainable approach fostering both innovation and accountability.
After all, with acceptance comes further innovation – and more avenues for marketers to leverage AI-driven data while remaining aligned with public consent. Marketers, then, especially those in B2C, need to keep aiming for transparency, visibility and compliance to pave the way for better data-driven outcomes.
In the meantime, every company has the potential to differentiate by being really good at marketing in an environment with restricted data. That is a real business opportunity.