23/02/17 / news

Deconstructing: What is GDPR?

General Data Protection Regulation (GDPR): Towards better governance and customer centricity

What is it?

Recent data leaks and privacy concerns have intensified efforts by the EU to focus on providing clearer legislation and direction around data protection and privacy.

This increase in regulatory pressure has resulted in the creation of the General Data Protection Regulation (GDPR), which aims to protect consumers from privacy and data breaches.

The legislation has been separated into five sections:

– An individual’s right to have control over their own data

– Data collectors and processors being accountable and transparent with their processes

– Determining when a data breach has occurred and when to report one

– When and how an individual’s data can be transferred

– Exceptions for EU member states to introduce complementary legislation

…so what’s the problem?

With the legislation planned to be enforced from the 28th of May 2018, a recent report by the Direct Marketing Association (DMA) revealed that 26% of marketers are still unprepared and uninformed on the topic.

This problem is compounded by a degree of ambiguity in the legislation and a lack of clarity on the practicalities of obtaining consent and of using pseudonymised or encrypted data.

The DMA outlined some of the top concerns and priorities for marketers:

– Conducting privacy impact assessments (PIA) into privacy risks and data security internally (42%)

– Getting consumers to consent to receive marketing material through a transparent opt-in process (71%)

– The effect that the opt-in process will have on email (90%) and mobile marketing channels (73%)

Time to take action…

Despite the current uncertainty and confusion, it is important to formulate a basic plan, and while it may take some time to become ‘GDPR ready’, penalties of up to 4% of annual global turnover or €20 million, whichever is higher, for non-compliance could be severe.

A simple first step is to initiate discussions with your relevant internal stakeholders & executional partners (e.g. agencies & technology vendors) to align around a plan for readiness.

Internal discussions should focus on educating wider stakeholders around the ‘what’ and ‘why’ of GDPR and its implications. Where brands have existing capability (e.g. a data protection officer (DPO)), they should look at conducting a privacy impact assessment to determine the potential risks.

Agency discussions should focus on how they can help with education, and on understanding the possible implications for digital strategy and execution once changes to consumer consent are taken into account.

Technology supplier discussions should focus on the processes and practices they employ around data use, privacy and data breach notification. You should also talk to your data protection officer (DPO) about conducting a PIA of your own and look into a privacy by design approach to minimise the risk of a breach.

Not forgetting consumers

In a recent survey by Edelman and The University of Cambridge Psychometrics Centre, 71% of consumers believe that their data is being used unethically, with 58% saying that they have avoided a service due to privacy concerns. This reinforces the importance of explaining to consumers why you are collecting their data and how it is beneficial to them.

Where to from here?

The GDPR discussion is going to happen regardless, and only through a transparent & proactive approach will brands be protected from the possible implications. Despite this, the growing movement towards purposeful brands creates a great opportunity for companies to position themselves positively as a responsible leader in protecting consumers’ interests.

If you are after a more technical layout of the legislation, the ICO have released more technical analysis here.

This is a real opportunity for businesses to position themselves as innovators and clearly define their relationships with consumers.

Although some of the implications to come out of the GDPR are yet to be seen, businesses can use the change brought on by the GDPR to store data more efficiently, lessen the risk of a brand-damaging data breach and adapt marketing processes and communications to a more customer-centric approach.


Tim Rudder, Analyst at Stack I/O, the advertising and marketing technology consultancy designed to support brands through data and technology driven acceleration.