GDPR 2 years on: What’s changed?

Two years after its implementation, GDPR has continued to pave the way for protecting personal information in a data-frenzied world. With a focus on personal data, the 6 key principles that underpin GDPR regulations concentrate on upholding the rights of individuals. In doing so, many non-compliant marketing efforts have fallen by the wayside and allowed room for compliant organisations to continue collecting high-quality data that drives lead generation and sales.

While some exploitative marketers incorrectly see the GDPR directive as a money-making and restrictive device, the core purpose of the regulation aims to identify culprits and help to move the industry towards compliance. Firmly backing the purpose and intention of GDPR, our core focus remains on the supply of unparalleled quality in datasets that uphold compliance and provide information that drive leads and sales.

Notable changes over the last 24 months

The overall positive effect is evident. Less opportunity for unscrupulous data collection, financial ramifications for organisations who carry on unchecked, and a less spammy existence for the average joe.

One aspect where GDPR has perhaps fallen short of achieving its intention is evident in its failure to standardise data rules across Europe. Each country within the EEA and EU continues to follow its own version of PECR (Privacy and Electronic Communications Regulations) which stand alongside GDPR regulations. Different GDPR criteria is applicable to various member states. Some argue that the unlevel playing field created by GDPR is a positive - as different countries should operate in a way that works for them and their unique needs while PECR guidelines still enforce data security protocol.

Importantly, GDPR has promoted a spike in data quality: the GDPR directive mandates that organisations treat data more fairly and transparently. By managing and maintaining accurate and up-to-date personal data, marketers have been able to streamline audience targeting with better, more personalised messaging and appropriate offers. This has led to a rise in the amount of qualified leads, and ultimately sales.

What is at stake for non-complaint organisations?

If an organisation fails to uphold data security, or is negligent in the handling and protection of the data they have at hand – and finds themselves in a situation where that data has been breached – they are liable to face financial penalties of up to 4% of their total global revenue – or 20 million Euros (whichever is larger).

Non-compliance fines have served well to dissuade data negligence, which we have seen applied to huge corporates such as British Airways who were held liable for an approximate £183m fine, where the conglomerate "diverted users' traffic to a hacker website [resulting in] in hackers stealing the personal data of more than half a million customers.

In the lead up to implementation, advertisers shifted away from using third-party data or chose to bring on Data Protection Officers into their organisations. By moving away from data suppliers, many organisations unwittingly hampered their ability to market effectively, and all but nullified their ability to generate new sales.

We are seeing a re-emergence of advertisers and marketers approaching trusted list brokers after gaining an understanding of the requirements and seeing that compliant list brokers are still capable of delivering high quality data while remaining entirely compliant with the regulation.

How we're sticking to our end of the deal

GDPR has certainly weeded out unsavoury data providers by hitting where it hurts, allowing the cream to rise to the top.

We've been hard at work maintaining our compliance throughout the last 24 months, as is evident in our Legitimate Interest Assessment and Data Protection Impact Assessment. These are legally binding confirmations of their GDPR and PECR (Privacy and Electronic Communications Regulations) compliance.

This helps us understand the balance between the rights and freedoms of the data subject and the processing by the List Owner. By having this data and understanding the insights it provides, we can firmly support compliant customers and further expand our data archive to ensure a fully compatible and conformant supply chain.

The impact of Brexit on GDPR

Although the transition away from the EU was anticipated to be mammoth for GDPR - it has actually been relatively smooth. GDPR will only remain applicable until the end of transition period out of the EU (currently scheduled for 31 December 2020); however, UK-based organisations will remain compliant after this point due to the DPA (2018) enacting data protection requirements outlined in the GDPR directive into UK law.

What does this mean for you? The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 statutory instrument will form the new UK GDPR, which consists of amended and merged DPA (2018) and GDPR directives. For the most part - GDPR outlines will still be followed, and close attention paid to continued compliance with data protection guidelines.

GDPR Predictions

  • An anticipated short-term growth spike as COVID-19-stricken companies use marketing to boost their recovery.
  • Data will grow as an industry as compliant organisations continue to drive data viability and quality.
  • Confidence – once interrupted by concern over viability – will continue to climb as the potential of high-quality data is realised.
  • A steadier rise in demand as almost every company's outbound strategy relies in some part on data.

Do you have any questions surrounding GDPR, or how your data broker is handling lists? Our expert team is at hand to discuss your queries. Get in touch with us today by filling out this form, reach us on 0161 941 5700 or email us at