The GDPR goes into effect in less than two weeks and while many companies are focused on executing their compliance strategies, it's not too early to start thinking about the future of data in a post-GDPR world.

Here are how first, second and third-party data will likely be affected by the game-changing regulation.

Third-party data – too big to fail?

The fate of third-party data is perhaps one of the most debated GDRP topics. While many believe that third-party data has become so ingrained in the digital marketing ecosystem that it's effectively too big to fail, many others believe it will be the biggest victim of the GDPR, especially in light of the fact that post-Cambridge Analytica, the market for third-party data is already facing headwinds.

To be sure, it's not entirely clear how successful companies will be in gaining the explicit consent necessary to make a vibrant third-party ecosystem viable going forward. Gigya’s Jason Rose is a skeptic. "Consumers will now be asked to check a box that says, in effect, ‘We intend to sell your information to data brokers, allowing other companies to send you unsolicited offers and track your online movements’", he explained. "How many will accept, given they have no obligation to do so? My prediction is zero." 

Whatever happens, post-GDPR, companies that buy and use third-party data, and care about compliance, will be forced to do more due diligence instead of simply taking data brokers' word that everything is on the up and up. This need for greater scrutiny should reduce the volume of data available, increase transparency in the marketplace, and push out unsavory operators.

On one hand, this should for obvious reasons significantly benefit the third-party data ecosystem and make it stronger. On the other hand, extra work that companies will need to take on to ensure their use of third-party data is compliant with the GDPR could be a huge turn-off.

Second-party data – set to flourish?

While many believe third-party data could be the biggest loser post-GDRP, many see second-party data as the biggest winner. Second-party data is first-party data that is acquired directly from the first-party instead of a middleman such as a data broker.

Those who are bullish on second-party data believe the GDPR could hasten its rise because the market for second-party data is already by its very nature more transparent. Sellers and buyers deal directly, so the terms under which the data will be used are clear and there is a much greater opportunity for buyers to vet the quality of the data. In addition, because of the GDPR, companies collecting data will theoretically have a greater incentive to sell it directly to data processors instead of brokers.

Of course, data controllers that want to sell their data directly to data processors and remain GDPR compliant will still need consent, and that could prove challenging.

First-party data – less is more?

This brings us to first-party data. For years, companies in a position to do so have largely taken a collect as much as we can and figure out how to use it later approach to data that they have the ability to capture directly from their users and customers.

The GDPR will likely force them to rethink that approach. Companies will need to be far more transparent about the data they collect and how it will be used. And they will generally be forbidden from forcing users to agree to sharing of their data by denying them the ability to use their services if they refuse to opt-in to unnecessary sharing. Most importantly, consumers will have far more control over their data, including the ability to request its deletion.

For these reasons, there seems to be a general consensus that the volume of first-party data will decrease. But as companies become more thoughtful about the data they collect and the transparency the GDPR demands causes companies to better explain to users and customers how their data will be used, the quality of first-party data could increase, and significantly in some cases. 

Perfect timing?

For all the challenges the GDPR presents, it might be going into effect at the perfect time. For years, a number of observers, including security expert Bruce Schneier, have been arguing that data is more a liability than an asset.

Despite warnings that with big data collection comes big risks, companies, believing that digital data would help them survive and thrive in today's digital economy, clearly didn't do enough to mitigate against the risks of housing massive amounts of user and customer data.

Facebook's Cambridge Analytica scandal in many ways vindicated the data skeptics, as at least some of their most important predictions came to pass.

But ironically, the GDPR is giving companies a framework that can help them adopt better, more secure data collection and management practices so that Cambridge Analyticas don't become regular occurrences. And as consumers become more aware of the new rights they have to control their data under the GDPR, it might discourage them from taking more drastic action to avoid supplying their data.

From this perspective, the GDPR might just prove to be a godsend, especially if they truly embrace it.

online gdpr course 

Patricio Robles

Published 14 May, 2018 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.

2641 more posts from this author

You might be interested in

Comments (2)

Pete Austin

Pete Austin, Founder and Author at Fresh Relevance

This all depends on the ICO.

The GDPR "requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language” be used. To me, this means that privacy and legal pages must be short and easy to read - perhaps 400 words maximum.

But take facebook as one example. Its new Terms of Service are 3,200 words - I had to scroll 10x to reach the end - and this doesn't count the 11 other linked sub-pages. And right in the middle are the things that you give permission to.

Here's a great article that illustrates the problem, where Artist Dima Yarovinsky wanted to show how “small” and “helpless” we are against the power of massive corporations, and turned their long terms of service into art

If websites comply with the requirement of the GDPR to make information clear and concise etc, then people will know what they are agreeing to and they won't let brokers have their data.

But if websites continue with privacy pages and legal pages that are too long for most users to read, as some seem to be doing, and ICO takes no action? Then it doesn't matter what the GDPR says - people will give consent without reading and nothing will change. Related:

2 months ago


Matt Lovell, Head of Customer Data, Insight & Analytics at Eurostar International Ltd.

I'm with Pete on this. As an example, there are various companies in most sectors who sell a huge amount of their data (am thinking the likes of Money Supermarket / Uswitch for services, Skyscanner for Travel etc.) and yet to date I have seen no efforts by any of these parties to actively get consent or even actively make customers aware that they are doing this.

That would say to me that any companies using this data are putting both themselves and the data owners in breach of GDPR.

The question is going to heavily revolve around whether the ICO (and for people dealing with customers outside of the UK, the CNIL in France, BfDI in Germany, CPP in Belgium etc.) actually enforces this. Guess we just have to watch this space...

about 1 month ago

Save or Cancel

Enjoying this article?

Get more just like this, delivered to your inbox.

Keep up to date with the latest analysis, inspiration and learning from the Econsultancy blog with our free Digital Pulse newsletter. You will receive a hand-picked digest of the latest and greatest articles, as well as snippets of new market data, best practice guides and trends research.