May 2022 marks the fourth anniversary of GDPR – a landmark piece of legislation that ushered in a new era of data privacy. In the four years since, its impact has been seen across far more than just fines and penalties for non-compliance – here, we explore five key trends from the last four years, and look ahead to what might be coming next in the evolution of data privacy.
1. Privacy became part of the collective consciousness
At milestones like this, it’s worth taking a step back from the day-to-day conversation on regulation and guidelines to reflect on the cultural and societal significance of GDPR.
In the industry, we can see GDPR’s impact in how almost every actor – from marketers to infosec professionals to DPOs – now knows what data privacy means for how they do their jobs. But more than this, in the four years since GDPR’s staging date there’s been a marked shift in consumer awareness of data privacy. Far from being a niche piece of legislation, it’s been a touchstone in an evolving social conversation around data privacy, sitting alongside other flashpoints such as the Cambridge Analytica scandal in driving awareness of how consumer data should be used in a digital world.
For example, our research has shown that 60% of consumers have grown more conscious of the personal information they share with companies over the last year. Furthermore, there’s plenty of evidence to indicate that consumers are now evaluating brands’ data privacy practices and accreditations when deciding who to buy from (read the full story here).
This emergence of data privacy into the collective consciousness is a rapid paradigm shift and a positive one – while GDPR isn’t the only engine driving this conversation, the pace of change in the last four years indicates that it’s been an important one.
2. The panic is (mostly) over as GDPR clarification continues
When GDPR first came into force, there was uncertainty and no small measure of panic. For many – such as marketers or customer success experts – this was the first time that data privacy stood to change the way they work (and potentially put them at risk). With that came a wave of frantic activity, particularly in adapting customer-facing touchpoints where data was collected.
Four years later, and the first thing that becomes apparent is that this atmosphere has changed radically: as it turns out, GDPR was not the cataclysmic event once feared.
There’s an important reason for this shift – the panic that characterised the early days of GDPR came largely because there were so many open questions about the law and how it would be applied. As usual with new legislation like this, these open questions could only really be fleshed out once real-life applications put it to the test. Over the last four years, this is exactly what happened – clarification and specification have come thick and fast, removing the remaining uncertainty little by little.
What’s helped is how regulators have been relatively measured and fair in allowing companies to adjust – giving ample warnings that allow companies to fix mistakes before penalties are on the table. This has led some to accuse regulators of ‘toothlessness’, as fines have often fallen short of their full potential – but in reality, this has been a justified approach to the early days of adapting to new rules.
3. The changing role of the DPO
Inevitably, the last four years have seen a proliferation in the number of people qualifying as Data Protection Officers in order to meet the sudden demand for oversight and advice. However, the last couple of years have seen the role of the DPO itself change in response to the entrenchment of GDPR and other data privacy measures.
Rather than being simply an ancillary function, the DPO is becoming an increasingly strategic contributor as data privacy becomes part of the fabric of business. We expect this trajectory to continue in the coming years, with more DPOs having a ‘seat at the table’, shifting their position from being potential blockers of activity to becoming enablers.
4. The rise of a new European tech ecosystem
New problems to solve mean new solutions cropping up, each proclaiming to be the silver bullet, and GDPR has been no exception to this rule: the last four years have seen huge growth in data privacy solutions and this trend shows little sign of slowing (though more signs of convergence).
What’s special about the change GDPR has caused here is that it’s sparked a uniquely European renaissance in the tech space. As the problems are Euro-centric, so too have many of the solutions been, with actors like Zeotap, Didomi and Usercentrics among those leading the vanguard of innovation. With privacy at the top of the agenda, Europe now has the opportunity to be a pioneer and a test-bed whose lead other areas of the globe will surely follow.
5. The customer engagement challenge is far from over
Although GDPR has now become firmly established in how marketers and customer experience professionals go about their jobs, it doesn’t mean that the job has become any easier. These first few years of GDPR have seen most businesses able to deliver on the ‘table-stakes’ compliance tasks of obtaining consent to marketing, for example, but many are still shy of being able to unify consent preferences when they’ve been captured across multiple different touchpoints.
This is where the impact of COVID-19 also made a tangible difference to progress. When the pandemic hit and many businesses were forced to adopt digital channels nearly overnight, the number of digital touchpoints mushroomed – bringing with them the conundrum of how to account for all this new data. Like many things with GDPR, it presented an opportunity (more data) with a simultaneous challenge (how to manage it properly).
Incidentally, if this is a challenge that you relate to as a marketer, you may want to check out our webinar on how to be a successful marketer in the age of data privacy.
What’s next in data privacy after GDPR?
If GDPR was the beginning of a new chapter in privacy, the story is far from over.
Many of the next developments will be technical, accelerated by the impending deprecation of third-party cookies in late 2023. Amongst these, consent management systems are likely to move closer to being preference management systems to reflect the complexity of choice and control. At the most extreme end of this spectrum are PIMS (Personal Information Management Systems), which may see greater prominence as a new way of giving consumers control over their data.
The next few years will likely also see evolving roles for different actors in the privacy space. One area in particular may be industry standards being developed jointly between industry bodies and authorities to ensure that they’re fully compliant. A good example is IAB Europe, which created the Transparency and Consent Framework, which was adopted widely before it was challenged by the Belgian Data Protection Authority (APD) – as part of the verdict, the revision process will be conducted jointly in order to ensure a more successful next iteration.
There’s also a potential shift in discourse to look forward to. While the focus to date has largely been on the question of consent, we could see the next few years shine a spotlight more on IT security and the need to protect against data breaches.
Finally, while GDPR was the first of its kind in terms of landmark data privacy legislation, the last four years have seen many other areas of the world follow suit, with the California Consumer Privacy Act (CCPA) being amongst the most notable examples – all this will continue to gather speed:
- In Germany, the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) has only just taken effect, and will be one area to watch
- The EU’s Digital Services Act (DSA) will conclude trilogue negotiations between the Parliament, the Commission and the Council, with the aim of modernising the existing e-Commerce Directive
- The Trans-Atlantic Data Privacy Framework continues to be developed between the United States and EU to regulate the flow of data between the two territories
The final verdict: has GDPR been successful?
It’s impossible to have a perfect law for a subject as complex and quickly evolving as data privacy – but all in all, GDPR has done a good job in guiding the industry towards better outcomes, and the shifting trends of the last four years are testament to its impact. While there remains a great deal of work to be done from all sides, GDPR has set an important precedent for regulation of data privacy for today’s digitalised world.