Interesting things about the packaging industry, retailing dynamics, consumer trends and NOA’s insight.

GDPR: storm in a teacup or wind of change?

May 16, 2018 | Packaging Research and Analysis

If you run a business and haven’t yet heard of GDPR we can only suppose you’ve been away, asleep or totally off the radar.

Because it seems that every other conversation people are having in the business world – at least across Europe – is all about GDPR.

Here are some of the reactions:

  • I’m deleting my entire database and will never send out a marketing missive again
  • I’m sticking my head in the sand and doing nothing
  • I want to do something but I don’t know what
  • I’ve taken some action – is it enough?

Before we go further, let’s make it clear that at NOA we’re not GDPR experts: we specialise in packaging industry research and packaging market research (NB should anybody claim to be an expert? Since the legislation doesn’t come into force until May 25, and so has yet to be tested in the courts or by the Information Commissioner’s Office, anyone professing expertise should be treated with caution!)

But nonetheless we’ve done our research – after all, research is what we do – and this quote from Elizabeth Denham, Information Commissioner, sums it up: “There’s a lot in the GDPR you’ll recognise from the current law, but make no mistake, this one’s a gamechanger for everyone.”

What is GDPR?

As a quick resume, GDPR stands for General Data Protection Regulation (GDPR) (EU) 2016/679 and is a regulation in EU law on data protection and privacy for all individuals within the European Union.

There is not a clear definition of what specific elements of GDPR will most affect specific types of business and what should be done about it.

If you have fewer than 250 employees, the rules are different than they are for larger organisations. Depending on which ‘informed expert’ you speak with, there are 5, 7, 9 or 11 key things that you should be doing. There are different interpretations, different advice, hundreds of different opinions – it’s not surprising there is a level of confusion. One thing is clear: if your business offers goods and/or services to citizens in the EU, then it’s subject to GDPR.

Even at 261-pages long, covering 99 articles, the official text of the GDPR still doesn’t tell marketeers, or regulators, exactly what they must do to be compliant the day after the law comes into force.

Indeed, it’s likely that much around the GDPR will remain unclear until enforcement cases come before the regulator, or possibly before a judge in the courts. However, this is no reason for inaction or delay, as organisations need to act now to be ready in time to meet the deadline.

GDPR and Brexit

GDPR of course comes into force before Britain leaves the EU, and even after the UK’s withdrawal it’s likely the regulation will remain in place for some time, if not indefinitely. Moreover, the UK government has confirmed the regulation will apply.

Impact of GDPR on customer engagement

Here is something we do know: the conditions for obtaining consent are stricter under GDPR requirements. An individual must have the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities.

This means you must be able to prove that an individual agreed to a certain action, to receive a newsletter for instance. It is not good enough to assume consent, or add a disclaimer, and providing an opt-out option will no longer suffice.

This changes a lot of things for companies, not least the way marketing and sales activities are managed. Companies should now be
reviewing business processes, ensuring applications and forms are compliant with double opt-in rules and email marketing best practice. In short, to sign up for communications, prospects will have to fill out a form or tick a box and then confirm their consent at a second stage, for example by clicking a confirmation link emailed to them.

Organisations must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data held must have an audit trail that is time stamped, along with information that details what the contact opted into and how.

If you purchase marketing lists, you are still responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data.

In the B2B world, sales people meet potential customers at a trade show, they exchange business cards, and when they come back to the office, they add the contacts to the company’s mailing list.

After May 25, this system will need to change. Companies will have to look at new ways of collecting customer information.

Beware services making a buck from GDPR

There are already organisations offering spurious certifications for GDPR compliance officers or similarly unnecessary training. The huge scope and nature of the GDPR means you’ll likely need some help to prepare, but look closely at what’s being offered to ensure you’re not ripped off. In one week alone, we heard from “specialists in GDPR solutions for SMEs” offering GDPR compliance from “only” £100 per month, and another company that said it could “use our systems to let you know which of your customers are limited companies and which ones aren’t as the GDPR rule does not apply to your customers who are limited companies”. Suffice it to say, we politely declined!

Benefits and opportunities of GDPR

Amid the warnings of huge fines, and fears you’ll be unable to use much of your carefully collected data after May 25, it’s important to remember GDPR presents a number of opportunities for B2B marketeers, in the following ways:

  • Databases will be leaner, and email marketing more targeted. Under GDPR individuals will need to opt into your marketing, and you’ll need to be able to prove they have done so. This will probably mean the loss of much of your database, but if they weren’t engaging, how much will that matter? Individuals who have opted into your communications should be much more interested, resulting in higher click-through, open and engagement rates in your email campaigns.
  • Accountability could provide a competitive advantage. The Information Commissioner has stated that those organisations which can prove they handle customer data sensitively and respect an individual’s privacy will have a competitive advantage over those which cannot.
  • It will raise the profile of marketing within the organisation. If marketing steps up to the challenge presented by GDPR and takes the lead in developing the culture of privacy demanded by the Information Commissioner, it should highlight the importance of marketing among senior leaders and increase the credibility of the function.

GDPR – a bit like the Millennium Bug?

Cast your minds back to 1998/99, just before the turn of the millennium. Our Head of Marketing, Katie Ryan, was then working with an IT services company and recalls the panic that went on about the potential impact of the Millennium Bug, or Y2K for short.

“We had a team of Y2K analysts, Y2K consultants, a Y2K benchmark, Y2K published research – it was like we had hit the jackpot,” she says. “There was a belief at the time that the reliance on technology had become so strong that the entire world would stop working as the clock struck midnight on December 31, 1999 – banks would no longer be able to process or issue money, hospital equipment and systems would shut down making treatment impossible, the transport network would grind to a halt. Companies and organisations worldwide checked, fixed, and upgraded their computer systems to address the anticipated problem.

“When it came to it, very few computer failures were reported when the clocks rolled over into 2000, although admittedly it is not known how many problems went unrecorded. I strongly suspect people’s reactions to GDPR is a little like this: after May 25, the world won’t fall apart and fire and brimstone won’t rain down on organisations which aren’t immediately 100 per cent compliant.”

But, to go back to the reactions we outlined at the start of this article, to do nothing isn’t an option. So our advice – which we are following – is to put systems in place to ensure you are GDPR compliant to the best of your knowledge and, come May 25, see what happens.

As we said, we’re not experts here at NOA on GDPR but we are very good indeed at researching packaging market trends, packaging industry analysis and creating a corrugated packaging industry report. If you’d like to chat about any of this areas of expertise please get in touch.

Recent Articles of Interest: