On 25 May 2020, the General Data Protection Regulation (GDPR) celebrated its second birthday. Since its introduction, GDPR has strengthened data protection laws and returned control of personal data to individuals across Europe.

GDPR’s introduction in May 2018 was necessary following years of high-profile data breaches and scandals involving the mismanagement of consumer data by businesses. The new regulation sought to harmonise data protection laws in the EU and be fit for purpose in the digital age.

The prospect of GDPR was initially a big concern for marketers. They feared the tighter regulations would impact their effectiveness. Email marketers were particularly concerned – many email programs rely on consent as their legal basis for processing personal data, and GDPR meant that obtaining consent was about to become a lot harder. Senders would need address factors such as positive opt-in; specificity/granularity; unbundling from other terms and conditions; and ensuring opting out was as easy as opting in. Senders would also need to refresh existing consents if they didn’t meet GDPR standards. For some senders, there was a real risk that lists built up over many years would be rendered obsolete overnight.

For senders who chose to rely on legitimate interest, the bar was about to be raised a lot higher too, with senders required to conduct a Legitimate Interest Assessment (LIA). This document would need to demonstrate that: a genuine legitimate interest can be identified; processing is necessary to achieve it; and doing so is balanced against the individuals’ interests, rights and freedoms.

So there was justifiable apprehension as GDPR’s introduction approached, not to mention plenty of blind panic as the clock ticked down. However, two years down the line we now have plenty of research which tells a more positive story. Many elements of the regulations were long-established best practices, and many marketers who were quick to embrace have seen significant benefits from doing so.

This article explores what we have learned since GDPR was established, how its introduction has influenced other countries and regions, and where data protection law is heading next.

The benefits of GDPR

After only a year of GDPR coming into effect, email marketers witnessed a whole host of benefits, including an uplift against all major KPIs according to the DMA’s Marketer Email Tracker report. Despite initial concerns, marketers experienced increased deliverability (67%), open rates (74%), click-through rates (75%) and conversion rates (67%).

Negative KPIs showed corresponding reductions, with metrics such as bounce rates, opt-outs and complaints also reducing – meaning positive implications for reduced list churn, and increased customer lifetime value as a result.

The reason for this boost is simple enough. More robust consent, improved data quality, clearer setting of expectations, and the provision of greater choice meant senders were building lists where trust levels between senders and recipients were stronger, meaning greater engagement and a higher propensity to transact. The DMA’s most recent report “Email Deliverability: A Journey into the Inbox”, shows over half of marketers (53%) reporting the impact of the new rules as being positive on their email deliverability specifically (only 19% reported a negative impact).

As a result, marketers have been benefitting from the value of ‘quality over quantity’ and have a strong incentive to maintain these higher quality lists.

We have also seen this in the form of list replenishment. In the UK, the average marketer lost 23% of their database when GDPR was implemented. However, recovery has been rapid with sectors such as retail now back above pre-GDPR levels – but with higher quality, more engaged subscribers. Validity’s 2020 Global Deliverability report shows Inbox Placement Rates (IPRs) for the UK are 87%, one of the highest for major global markets.

These improved metrics have been instrumental in improving businesses’ return on investment (ROI) for email marketing spend. The DMA’s latest “Marketer Email Tracker” report found that after GDPR, ROI is now 15% higher at £35.41 for every £1 spent compared to £32.28 before GDPR, and is just another great example of how GDPR has been significantly beneficial.

The influence of GDPR around the world

The rest of the world keenly waited to see the impact of GDPR’s introduction in Europe. Research by Super Office found Europe now has the highest average open rate of 26.84% and the highest click-through rate of 4.35%. This is compared to North America where the average open rate is 19% and click through rate is just under 3%.

This success has influenced other countries and regions to implement their own tougher data protection laws and regulations. In the US, the California Consumer Privacy Act (CCPA) – which has many elements in common with GDPR – is now in effect, while the New York Privacy Act – which is currently securing support in the state assembly – will be even tougher if accepted!

Brazil is introducing its Lei Geral de Protecao de Dados Pessoais (LGPD), a near carbon-copy of GDPR, in August 2020, There were hopes that due to the current impact of COVID-19, the enforcement date would be pushed back to January 2021. At the time of writing this is uncertain, pending a presidential decision.

In Australia, new privacy laws are also under consideration, and there is a real possibility that targeted advertising could become opt-in only under the potential reforms.

Where we are heading

Many people might assume that GDPR is the only legislation that governs personal data within the EU, but they would be wrong. It is E-privacy (implemented as PECR in the UK) that covers all electronic communications, including email. In some instances, E-privacy imposes higher duties of care on data controllers and processors than GDPR (e.g. consent is the default legal basis unless eligibility for soft opt-in can be demonstrated) and the two sets of laws need to be read in conjunction.

Revised E-privacy regulations, designed to be aligned with GDPR, are currently going through the European Parliament. However, progress has been slow, and the current Croatian presidency has indicated it will be deferring this legislation to the upcoming German presidency (July 1st).

In the UK, email marketers are waiting to see what data protection will look like once the country officially leaves the EU. All the current signals from the government is that they will not be seeking any extension to negotiations, so the likelihood of exiting without a trade agreement is that much greater given the short window of time that remains.

In the absence of achieving an adequate agreement with Europe, the development of an industry code to detail good practice which adheres with EU data protection laws will probably be the next best option. The UK’s Information Commissioner’s Office (ICO), with input from the DMA, is currently drafting a Direct Marketing Code.

This code is mainly being drawn from GDPR and E-privacy, but also includes substantial commentary and interpretation from the ICO, some of which will be eye-catching for marketers. For example, the new code includes the possibility of separate consent for profiling, segmentation, and analysis, as well as for tracking pixels (which are deemed to be cookies, and therefore personal data.

In summary

The initial panic from marketers in the lead-up to GDPR has reversed, and 35% of senior-level marketers who responded to the DMA’s 2020 Email Deliverability Report now believe ‘double opt-in’ procedures for subscribers are current best practice. In fact, marketers seem to be relishing tighter regulations. In the DMA’s “Data Privacy: An Industry Perspective” report, a majority of respondents (59%) said they would like to see “more strict” data protection policy for the UK. GDPR has truly turned from villain to hero in the minds of marketers.

Looking back over the last two years, undoubtedly those who were quick to embrace and adapt to GDPR saw their marketing campaigns significantly improve. This is positive news for marketers in other regions that are either at the beginning of complying to stricter regulations or are currently preparing for their new laws to soon be enforced.

While the risk of big fines and fear of public scrutiny might cause some unease, there are great results to be gained by getting data protection right and this should continue to motivate marketers through any further changes to regulations that may arise from our ever-changing world.

For more resources on email marketing, visit Econsultancy’s email marketing hub.