Impact of General Data Protection Regulation (GDPR) on Marketing and Procurement


By: Praveen Ramachandruni -- Customer Success Lead

02 May, 2018



Introduction

Data has been crucial to marketers around the globe for years. Increased adoption of digital media by customers has fueled the growth of data usage by marketers. However, customers’ data is often tracked without their awareness and used without their consent. This has compromised customers’ privacy and given rise to many unpleasant incidents that damage both customers’ privacy and brand equity. Though governments in many countries have considered this a serious issue, we have not seen any major initiatives that regulate customers’ data sourcing and usage.

In 2016, the European Union (EU) countries came together to change the 20-year-old data regulation laws and adopted the General Data Protection Regulation (GDPR), which is expected to protect customer privacy and regulate data handling by marketers. The GDPR will come into force on May 25th this year and is expected to alter the way marketers procure and use data. 

The GDPR changes how personal data can be used. It offers individuals rights to access their information that has been captured by companies and mandates businesses to have better data management. It helps marketers to realign their marketing and procurement strategies to create effective marketing campaigns, and thereby gain better returns on marketing investment (ROMI). 
 

Expert Opinion

“This is an opportune time for those that have been flooding the spam box and have never used their procurement principles to marketing. Take a step back and consider new technologies to gain more clarity on your data.”
 

Impact on Marketing and Procurement

The European Union (EU) has adopted a new policy named the General Data Protection Regulation (GDPR) to regulate the way companies collect, process, and store EU citizens’ personal data. GDPR is being introduced to harmonize data privacy laws across Europe, to protect and empower all EU residents’ data privacy, and to redesign the approach of organizations across the region toward protecting the data privacy of EU residents working across the globe. Thus, the GDPR affects European businesses as well as organizations handling the personal data of EU citizens. As per the regulation, any company handling EU citizens’ data that is found to be non-compliant with the regulation will be penalized with unprecedented fines of up to 20 million euros or 4 percent of global annual revenue for the previous financial year, whichever is higher.

As per the GDPR description, organizations can be categorized into processors and controllers. Controllers store personal data, while processors use that data for a specific purpose but discard it after that purpose has been achieved. Organizations that process payments in-house rather than outsourcing them to a third-party provider may play the roles of both processor and controller. GDPR mandates that processors guarantee that the way they process personal data meets GDPR requirements and that the way they protect that data is aligned with current security standards, and that they provide assistance and advice to customers that may be non-compliant. They are also required to alert customers in case of a data breach.
    
GDPR will significantly change the way many marketers do business, especially when it concerns the use of consumer data for delivering marketing content. The three key areas that marketers will need to emphasize are data permission, data access, and data focus. It will be essential for marketers to obtain explicit permission to collect, process, or store personal data using language that clearly describes how the data will be used. Marketers will no longer be able to communicate the terms of consent in complex, technical language or to rely on consumers to opt out of unsolicited communications. Moreover, consent must be specific to usage; this means that data collected for one reason (for example, downloading a white paper) cannot be used for another purpose (such as targeting marketing emails) and that organizations cannot collect more data than what is necessary for the stated purpose. In addition, organizations must make it easy for EU residents to withdraw their consent at any time. This changes the way procurement managers engage with marketing suppliers across services.
 

Preventive Measures and Mitigation Steps
 

Create a Data Protection and Compliance Team:

The primary step in preparing for GDPR is to create a team to handle the data protection and compliance functions. A data protection and compliance team will help in devising organizational level policies that will facilitate the adoption of the GDPR regulations. They will help in preventing a data breach and provide support in case of any data protection failures. 
 

Integrate Marketing and IT functions:

In many organizations, IT and marketing functions work in silos. Although this model negatively impacts organizational goals, the effects are not witnessed on a large scale. However, with the introduction of GDPR, it will be crucial for management to integrate marketing and IT functions to ensure that the GDPR regulations are correctly understood and rightly followed.
 

Review Existing Data Practices:

By reviewing existing data practices before the enforcement of GDPR, organizations would be in a position to devise an action plan to face the newer regulations and minimize the impact of these regulations.
 

Build Tools or Partner with Tool Providers:

Organizations can build tools internally to address various aspects of data, such as locating and categorizing unstructured personal data hidden in emails and anonymizing the data collected, or they can engage with external vendors who offer tools that help in achieving GDPR compliance.
 

Engage with GDPR-compliant Partners:

Procurement managers now have a new criterion for choosing suppliers, because companies may be penalized for data breaches caused by their third-party partners. Therefore, procurement managers should focus on engaging with GDPR-compliant suppliers and ensure that their incumbent suppliers also have proper policies to align their data practices with the GDPR regulations. Procurement teams should ensure that contracts with processors contain specific provisions that enable them to meet the GDPR standards. They can use the following checklist to ensure that their suppliers are following GDPR-compliant practices.

Supplier Compliance Checklist

Supplier maintains adequate documentation

Supplier cooperates with the National Supervisory Authorities (NSAs)

Supplier implements appropriate security standards

Supplier conducts data protection impact assessments

Supplier appoints a data protection officer (DPO)

Supplier complies with the provisions of international data transfers


Raise Internal Awareness:

Organizations must ensure that their key stakeholders and decision makers are aware of the upcoming changes, deadlines, and implications of GDPR. This can be realized by taking the following action steps. 
[Figure: Raise Internal Awareness GDPR]


Conclusion:

GDPR will give consumers more insight into and control over how their personal data is collected and used. This will equip consumers with greater confidence in the advertising ecosystem, which would result in increased usage of online content by consumers. Marketers can turn the regulation into an opportunity to clean up the market by giving consumers and publishers more control over their data. Organizations that readily develop policies in alignment with the GDPR, and procurement teams that improve their engagements by collaborating with GDPR-compliant suppliers, are expected to grow both in terms of revenue and brand equity.