GDPR: When Transparency and Good Will Are Dictated by Law

This article has 2 parts: a fact sheet that summarizes the nature of the GDPR in 6 key points, followed by an in-depth analysis of what this new regulation really means.


There’s panic in the marketing world

Legislators have just stuck their noses into an area previously reserved for nerds: data. People are worried for two reasons: first, because to mere mortals, legal jargon might as well be written in an alien language. The only thing we all understand is that the power of the law is coercive; in other words, it forces us to behave in a certain way under pain of sanction (big ones in the case of the GDPR!). The second reason for the general uproar is that the precious data in question is the black gold of our times; it’s been the cornerstone of everything digital for years now.

With a Master’s in IT law and another in electronic business administration (and one foot in both worlds), my marketing colleagues naturally turned to me to clarify these notorious new regulations around data protection.


GDPR in 6 Key Points


But What Does It Really Mean?


Why does it (often) come from Europe?

Having completed my law degree in France, I can attest to the persistent desire of European legislators to regulate digital practices. Think of the efforts around the anti-pirating law (HADOPI) in 2010. It’s no easy feat for them to follow the relentless pace of technological development, but they’re encouraged by European citizens themselves who, culturally speaking, seem to be more sensitive to the use of their personal data.


What’s different this time?  

What’s striking this time is the reach of the legislation. Legislators have come to understand that the immaterial world of digital cares little about state borders (an American website is just a click away from a German user, for example). The GDPR therefore has a vocation to apply to everyone, everywhere, the second that the personal data of Europeans is collected, stored and used by a company.


What will actually change?  

The truth is that, behind the question of “simple” legal conformity (that your lawyer and every article on the topic are trying to explain in a way you can understand), this legislation marks the beginning of a new era. And I don’t say that lightly. There’s no going back on these fundamental questions of society and even ethics. The Cambridge Analytica scandal and Mark Zuckerberg’s testimony before Congress played out in the public sphere: people’s eyes were opened. There has been a real public awakening on this sensitive subject. The proof: it was a topic of conversation at my last family dinner. When I quoted Andrew Lewis to my grandfather, “If you’re not paying for it, you’re not the customer; you’re the product being sold,” he responded that had he understood that his information was being “sold,” he would at least have wanted to be told! And that’s the heart of the problem.


What are the consequences for marketers and companies?

Let’s be clear, the GDPR doesn’t exist to put an end to the collection, use and storing of users’ personal data. The legislation has a dual purpose:

1. Protection of users’ personal data (to prevent, for example, breaches such as the one experienced by Equifax in March 2017)

Personal data can be defined as any information (or grouping of information) that allows for the identification, directly or indirectly, of a physical person. The most obvious, for example, are: name, location data and identification number, but this also includes one or more factors specific to a person’s physical, psychological, genetic, mental, economic, cultural or social state.

2. Informing users

The requirements listed all converge on companies’ ability to demonstrate extreme transparency in how they collect, use and store information. Things that were previously done unbeknownst to users, particularly in the area of Ad Tech, now need to be explicitly and intelligibly exposed. And that’s where marketing is going to have to adapt.

Acquiring consent is at the heart of a new user experience. According to the law:

The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.


How do you integrate a request for consent into the user experience?

Because yes, a user might well want to consent to the collection, use or storage of their information… if there’s something to be gained in return. After all, targeting is a practice that allows advertisers to serve content, services and messages that really are more relevant to the user. I am a woman in my thirties, living in Montreal, who loves art. I want to see ads on the Foire Papier in my neighbourhood, not ads about discounted menswear from a store in Sherbrooke. The promise of curation and relevance is, in my opinion, the key to new “seduction” strategies in order to obtain consent. The message will be changing from a shy “Please agree for legal purposes.” to a proud “You have every reason to opt-in!”


The (re)birth of First-Party Data:

Another important point: the new law expects companies to be able to prove “legitimate use of any data that’s collected, used and stored.” Which means that the impact will vary depending on the company concerned, the nature of its activities and the reason for collecting, using and storing data. Once again, an Ad Tech company, whose very business model revolves around monetizing user data, has more reason for concern than a company that collects information about its customers (through explicit consent) simply to serve them better. It’s an ideal opportunity for companies to rethink their user experience and redouble their efforts and creativity to exploit their owned data in an optimal (and legal!) way. #DataOptInFTW


You’re a Canadian company? Stay calm.

Step 1 – Gather the right people

  • Legal manager
  • I.T. manager or business architect
  • Marketing manager


Step 2 – Audit yourself!

This is an opportunity to take stock of the following issues:

  • What is the nature of our audience? (Are there European users?)
  • What data do we collect? How?
  • What is the (real) use of it?
  • Do we have a consent strategy?
  • Do we have an exit strategy?
  • What business value does this data represent for us?
  • What benefits does a user get by giving me access to this data?

Yes, the exercise will be tedious, but oh so useful! Once documented, it will then be easier for you to measure the real impacts of GDPR on your business and to take the right actions. Who knows, you may find that some data collected did not ultimately bring you so much business value…