Impact of GDPR On Marketing Practices
Discuss the Impact of GDPR On Marketing Practices of Small Businesses
Technological developments and the advent of the internet have undisputedly provided myriad marketing opportunities for businesses of all shapes and sizes (Armstrong et al., 2015). For smaller businesses in particular, the ability to use the internet as a means to market directly to a much wider potential pool of customers, or conversely, segment and target with greater precision, has in many instances allowed such businesses to flourish where otherwise it may have been impossible (Mazzarol, 2015). Indeed, many contemporary texts hold that online and/or social marketing is fundamental to a broader marketing strategy. However, as with all such good things, invariably, it is taken too far by a handful of firms or individuals in pursuit of a ‘quick buck’ (Massiera et al., 2017). This has led to a proliferation of so-called ‘spam’ or unwanted marketing using online mediums and the suggestions of some scholars that the internet has turned into something of a ‘Wild West’ (Chaudhry, 2017, p.78).
Following extensive research commissioned by the European Union (EU), the conclusion was reached that there was a need for much tighter regulations over the use of customer data harvested from such online channels to prevent the nefarious use of such customer data. As of 25 May 2018, the UK and all other EU member states have been subject to the General Data Protection Regulations (GDPR). These Regulations set out quite onerous conditions for any organization seeking to use customer data and particularly so if these organizations wish to use this data for marketing purposes (Goddard, 2017). One of the most notable provisions of GDPR is that organizations must seek explicit consent from customers to ‘opt in’ to marketing communications in any form – a tacit assumption based on previous communication will no longer suffice (Nicolaidou and Georgiades, 2017). Furthermore, any organisation must demonstrate that it can comply with the protection of customer data or face punitive and potentially crippling fines. The challenge this presents for small businesses, in particular, is that the burden of GDPR compliance is very high and has arguably the potential to entirely disrupt the business models of some small firms (McAllister, 2017).
This discussion considers the application of GDPR to such businesses, the tension between ‘good practice’ online marketing principles and GDPR, and an assessment of how small businesses might be able to react to maintain marketing contact with their customers.
General Data Protection Regulations (GDPR)
To fully appreciate the potential impact of GDPR, it is necessary to provide some explanation of its functionality. Within the UK, GDPR is regulated by the Information Commissioner’s Office (ICO), a body that has long predated GDPR and which describes itself as “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” (ICO, 2018a, p.1). The remit of the ICO is to monitor the handling of data by public and private bodies, with particular emphasis on maintaining the right to privacy of individual citizens. It is, therefore, responsible as a body for ensuring that organizations operating within the UK comply with the provisions of GDPR. The ICO is also responsible for promoting and maintaining compliance with and regulation of specific UK legislation relating to data management protection, the most recent of which is the Data Protection Act 2018, which is a quieter cousin of GDPR and aims to “fill the gaps” between GDPR as a regulation, and UK legislation (ICO, 2018a, p.1). In practice, however, the two sets of regulations and legislation are relatively similar, with the same aim of protecting citizens’ private data.
Focusing on GDPR specifically, the overarching premise is that any organization that holds any form of data regarding individual citizens must do so safely and securely and ensure that it has the consent of the individual in question to hold such data (ICO, 2018b). Whilst at face value this sounds relatively straightforward, research by Vanberg and Ünver (2017) suggests that each person in the UK has over 120 ‘data relationships’ with various organizations, ranging from the obvious ones with the government, such as national insurance numbers and driving licenses, through to much more tenuous relationships, for example, something bought online several years ago, whereby a customer unintentionally signed up to a marketing database. This latter element has caused a flurry of consternation amongst organizations. They have now been forced to actively seek consent from consumers who may have signed up many years ago and never had contact with the organization since (McAllister, 2017). The fines for failing to demonstrate proactive agreement on the part of the customer to hold data are punitive (ICO, 2018b), posing a genuine threat to organizations that fail to demonstrate compliance. Whilst some organizations are nominally ‘exempt’ under the guise of having a ‘legitimate right to data,’ for example, the NHS, De Hert et al. (2017) observe a concerning lack of clarity about the actuality of GDPR in practice. It is this which can disrupt many established small business marketing models.
The Rise and Fall of Social Media Marketing
The concern on the part of small businesses is equally legitimate, as the rapid growth of the internet has created many opportunities for organizations to offer a wide range of products and services to potentially a global marketplace. Indeed, many businesses operate entirely online and have proliferated through several emergent online marketing practices encouraged through data harvesting and social media sites (Tuten and Solomon, 2017). One example is the use of ‘cookies’ on websites to capture specific data regarding items viewed or browsed on a website and the internet trail of customers searching for items on the web. Technologically astute organizations recognize that tracking online consumer behavior is ideal for personalizing marketing experiences (Olson and Levy, 2018). Indeed, in many practitioner papers, this personalization was presented as such, highlighting the significant increase in sales conversion by targeting customers in this manner.
Academic research has confirmed the effectiveness of this particular marketing approach, and it has rapidly become common folklore amongst business advisers that an online marketing strategy is essential for business growth (Harrigan et al., 2015). In turn, this led to the emergence of some marketing and also advertising firms actively using tracking to promote goods and services – despite the equally rapid proliferation of advert-blocking software (Lamberton and Stephen, 2016). The problem is that GDPR has stymied this relatively aggressive online marketing and/or advertising approach. Whilst it is undoubtedly entirely legal to market or advertise on the internet, it is no longer permissible to directly target individuals with such communications unless they have explicitly consented to receive them. In short, this has the practical effect that several widely accepted marketing and business practices have been entirely undermined (Allen et al., 2018).
Closing Thoughts – Where Now for Small Businesses?
The challenge at the time of writing is the uncertainty surrounding the actuality of GDPR in practice for small businesses. Anecdotally there is a reasonable expectation that the underlying purpose of GDPR was to prevent very large or unscrupulous businesses from harvesting and selling personal data as a shorthand marketing technique or profit generation approach (Yeh, 2017). This may have been a noble aim, particularly in the context of several recent data scandals. Unfortunately, the burden of compliance with regulation and legislation has fallen disproportionately on entirely legitimate small businesses (McAllister, 2017). Some small firms that have spent years carefully building up a database of loyal customers have found themselves with their marketing lists slashed (Smith, 2018), potentially setting the business back years in terms of re-encouraging customer commitment and loyalty. To have lost their marketing databases in such a manner seems ill-conceived but could be interpreted as a literal reading of GDPR.
Some other small businesses have taken a more flexible but potentially higher-risk approach, concluding that if they can demonstrate that they handle customer data safely and comply with data protection, they operate within the spirit of GDPR (Schomer, 2018). As such, this tranche of businesses has actively chosen not to seek compliance explicitly but instead promote their new or updated ‘privacy policies’. This has enabled these small businesses to carry on marketing essentially as they have before to a dedicated marketing list, while making it clear that customers can opt out at any time.
It remains to be seen how the cards will fall with respect to GDPR in practice. For many consumers, it is undoubtedly a relief to no longer be bombarded by marketing emails daily. For many small businesses, however, reputable discussion sites suggest that they believe this has already caused a hit on their bottom line (Schomer, 2018; Smith, 2018). The concept of no longer being able to target specific consumer segments easily will arguably call for a rethink of marketing strategy and potentially a return to the ‘old-fashioned’ traditional modes of print and postal marketing until there is greater clarity surrounding the functionality of GDPR in practice. Whilst it is sensible to assume that the spirit of GDPR was well-intentioned, the potential increased cost of marketing to small businesses is likely to be disproportionately high, and as McAllister (2017) suggests, GDPR might very well turn out to have unintended consequences for economic and business growth.
References
Allen, D., Berg, A., Berg, C. and Potts, J., 2018. Some Economic Consequences of the GDPR. [online] available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3160404 accessed 06/06/2018.
Armstrong, G., Kotler, P., Harker, M. and Brennan, R., 2015. Marketing: an introduction. Pearson Education.
Chaudhry, P.E., 2017. The looming shadow of illicit trade on the internet. Business Horizons, 60(1), pp.77-89.
De Hert, P., Papakonstantinou, V., Malgieri, G., Beslay, L. and Sanchez, I., 2017. The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review. DOI: https://www.sciencedirect.com/science/article/pii/S0267364917303333
Goddard, M., 2017. The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), pp.703-705.
Harrigan, P., Soutar, G., Choudhury, M.M. and Lowe, M., 2015. Modelling CRM in a social media age. Australasian Marketing Journal (AMJ), 23(1), pp.27-37.
ICO. 2018a. Home. [online] available at https://ico.org.uk/ accessed 06/06/2018.
ICO. 2018b. Direct Marketing Guidance [online] available at https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf accessed 06/06/2018.
Lamberton, C. and Stephen, A.T., 2016. A thematic exploration of digital, social media, and mobile marketing: Research evolution from 2000 to 2015 and an agenda for future inquiry. Journal of Marketing, 80(6), pp.146-172.
Massiera, P., Gilmore, A. and Sellami, M., 2017. Marketing illegitimacy within SMEs: learning triggers and influence on marketing communications. Journal of Strategic Marketing, pp.1-14.
Mazzarol, T., 2015. SMEs engagement with e-commerce, e-business and e-marketing. Small enterprise research, 22(1), pp.79-90.
McAllister, C., 2017. What about Small Businesses: The GDPR and Its Consequences for Small, US-Based Companies. Brook. J. Corp. Fin. & Com. L., 12, p.187.
Nicolaidou, I.L. and Georgiades, C., 2017. The GDPR: New Horizons. In EU Internet Law (pp. 3-18). Springer, Cham.
Olson, C. and Levy, J., 2018. Transforming marketing with artificial intelligence. Applied Marketing Analytics, 3(4), pp.291-297.
Schomer, A., 29th May 2018. GDPR – Immediate impact on Publishers and Tech [online] available at http://www.businessinsider.com/gdpr-immediate-impact-on-publishers-tech-2018-5?IR=T accessed 06/06/2018.
Smith, M. 1st June 2018. The Immediate Impact of GDPR [online] available at https://www.pepperjam.com/blog/the-immediate-impact-of-gdpr accessed 06/06/2018.
Tuten, T.L. and Solomon, M.R., 2017. Social media marketing. Sage.
Vanberg, A.D. and Ünver, M.B., 2017. The right to data portability in the GDPR and EU competition law: odd couple or dynamic duo?. European Journal of Law and Technology, 8(1), pp. 1-7.
Yeh, C.L., 2017. Pursuing consumer empowerment in the age of big data: A comprehensive regulatory framework for data brokers. Telecommunications Policy, 42(4), pp.282-292.