GDPR: threat or opportunity for the experience makers?

08 February 2018Sam Miller

Why do we need GDPR?

These days, we spend so much of our lives connected and online and everywhere we go, we leave digital footprints that enable companies to understand who we are and what we want. They collect our data on a massive scale and, if we’re honest, a lot of the time we don’t know that it’s happening or what they do with it.

Sure, we’ve all experienced the creepy ads that follow us around the internet or have been targeted based on something we’ve searched for or liked on social media. We see the pop-up cookie notices or the requests to access our location but often that’s where our thinking about the data we give away and the way it could be used stops. But, it’s worth remembering that companies are making fortunes from capturing and analysing the data that we’re giving away free.

This has led to increasing concern about the lack of control we exert over our own data, whether that is transparency around how it’s processed; or where, how and how long it is stored and who has access to it. Not to mention the recent slew of high-profile hacks and data breaches that can have long-lasting and compromising consequences, which have added fuel to the fire.

To tackle these issues and many more, GDPR is coming!

What is GDPR?

Just in case you’re not up to speed, The General Data Protection Regulation is a new EU law that comes into being on May 25th 2018, it aligns all member states under a common regulatory framework that aims to put more power back into consumers hands. Before you ask, Brexit will not have an impact, as the UK has agreed that it will fully adopt this regulation. GDPR will apply to any company that does business in the EU, even if they are not based there.

It's a blockbuster issue and potentially a big shift for you and your company. Hence the deluge of GDPR articles that are undoubtedly filling up your Twitter and LinkedIn feeds and your inbox.  So why are we adding to the influx? There are many lenses that one can apply to GDPR, many of them, we’ve noticed, focusing on the negative aspects of the impact on business. But it’s not all negative. Our intention is to focus on the impact that GDPR will have on customer experience, both from the business and consumer perspective.

What do you need to know?

The short answer is quite a lot! We’re going to stick with the more interesting and potentially impacting elements but if you want a more comprehensive exploration of the details then this Information Commissioner’s Office Guide is a good place to start.

GDPR will put a much larger burden on data protection, privacy, transparency and individual rights for companies:

Personal Data

What constitutes ‘personal information’? This has been expanded for GDPR with a broader definition of personal data (which must be encrypted) based on, direct or indirect, personally identifiable information including IP address, online identifiers, mobile device IDs and cookies, which has wide-ranging impacts for online tracking and customer experiences, as discussed below.


Consent (including the near universal practice of cookie notices) is another area which will be given an overhaul following the introduction of GDPR. No longer will a blanket opt-out be acceptable, moving forward consent must be a clear choice with an active opt-in for users that defines at a granular level what user data will be used for including by third-party data processors, it must be separated from other terms and conditions and with a clearly outlined option for easy withdrawal of consent, at any time.

Individual rights

GDPR updates the rights of individuals, enhancing them in a number of areas. There are 8 individual rights provisioned for in GDPR, including the right to be forgotten allowing individuals to request that their data is deleted and the right of access states that individuals can request access to their personal data and understand the processing that it is being used for.

Adhering to these individual rights require companies to understand all of the data they hold on an individual, where it is held and be able to provide a copy of the information within a 30-day limit. This could pose a significant challenge if data storage or processing is siloed or internal data procedures or policies are not clear.

What does this mean for the customer experience and those who create them?

Now we understand more about GDPR and what it will demand of organisations, let’s consider what we think the consequences could be for the customer experience.

The headline changes, stemming from the introduction of GDPR, that are likely to impact the customer experience are twofold. Firstly, disruption to the way organisations use customer data for targeting, personalisation and tracking. It will put a swift end to broadbased email campaigning for good. Secondly, it will necessitate a change in the way companies collect, organise, process and store data, so that they are compliant with the regulatory bar set by GDPR and hence, avoid substantial fines.

However, despite these variations to the current status quo, GDPR offers a chance for organisations to put users in control and offer radical transparency, with companies offering a genuine trade-off in utility for their users’ engagement and data sharing.

Transparency and traceability

The focus on transparency and clarity in the collection and processing of data will lead to a greater emphasis on the purpose and value of the data that organisations ask for and store. The business and use case for storing and creating value from data will have to be clearer.

The new individual rights enshrined in the GDPR will likely add additional costs to data processing and storage, as these necessitate robust processes to be in place to execute the capability of providing details of the user data held and deletion of a user’s data footprint. Clear consent must be entirely traceable for every single set of data held. This additional obstacle for organisations could herald a move away from the current practice of data hoarding with the hope it bears some utility at a future point.

Either way, with the updates to consent it is likely that many customers will be less likely to share their data, meaning that the ongoing data collection abilities of organisations will be reduced.

Those users who are happy to share their data will usually be engaged and expect something of genuine value in return for their buy-in.

More emphasis on behavioural data

On the flipside, the need for customer data could diminish with real-time, onsite behavioural data becoming more valuable in its place. We’ve talked previously how this type of data can impact the customer experience. AI will come into its own here, building up a picture of anonymous aggregated customer journeys from on-site behaviour. This will enable marketers to predict potential customer behaviour and hence, beneficial business outcomes and intelligently update the customer experience, negating the need to capture and store customer data to drive this process.

Harnessing GDPR for a better customer experience

With these changes in mind, how can you harness GDPR to create a winning customer experience?

  • Update your consent and privacy notices with transparency in mind – make clear how and what user data will be used for and by who. Think about where the data will be stored and for how long. Make it clear to users that there is value for them in parting with their data and build a relationship.
  • Think about how the reduction in personal knowledge about site visitors can be overcome. If you rely on cookies and user data to segment, personalise and improve the customer experience, think about how this could be proxied using real-time behaviour.
  • Be clear on the use cases for storing and processing data. If it’s not adding value, then don’t do it. Under the new regulations, it will only create additional and potentially costly processes.
  • Create an organisational data map – understand what data you have, where it resides and just as importantly who is in charge of it.
  • Map out robust internal procedures to comply with the new Individual rights established by the GDPR and have an agreed data breach policy.

Stay tuned to the Cog Blog for more on GDPR. The next blog in this series looks at why we think GDPR will accelerate the use of AI in marketing.

Author: Sam Miller
Published: 08 February 2018
GDPRdatacustomer experiencepersonalisationmarketing

People in or team love to share their experience. Explore our blog

Job Opportunities

We're always looking for new faces to join the Cognifide family. Take a look at our available jobs.