How will the GDPR impact FMCG brands, and how can they prepare?

Stuart Elmes

To the engine that is digital marketing’s rapid evolution, consumer data is rocket fuel.


Without consumer data, companies wouldn’t be able to keep track of their customers, marketing agencies couldn’t accurately calculate ROI, and Facebook would have no revenue model.

These consumer data points, which include everything from email, IP and physical addresses, to metadata such as when an individual is online, what apps they use to communicate, who their circle of friends are, what devices they use and where those devices connect to the web (in turn revealing where they’re located), have historically been controlled by corporations. This corporate ownership of personal data has sown distrust between companies and consumers, making concerns about privacy and security widespread.

New EU legislation, which comes into effect in just a few months, is about to challenge the very way the digital marketing engine runs.

The General Data Protection Regulation (GDPR) will, in effect, put the consumer in control of their own data, with the ability to choose exactly who can access that information, how it can be shared or used, and even whether it can be collected at all.

This momentous shift appears largely positive for consumers and their privacy, but what does it mean for the FMCG brands which have spent years overhauling entire marketing departments to run on consumer data?

You may have heard ominous warnings about GDPR, but we’re here to lay out exactly what it is, how it will affect digital marketing and what FMCG brands can do to stay ahead of this change.


What is the GDPR?

The GDPR is a set of policies outlined by the EU to strengthen data protection and privacy for individuals within the European Union.

It doesn’t only affect European companies, however. Any company that transacts with residents in the EU, regardless of where that company may be located, will feel the GDPR sting as well. This significant legislation comes with a serious bite and heavy penalties for non-compliance.

Some of the key requirements of GDPR are that companies enable consumers to see, modify, transfer or delete any data held on them by any part of a business. Given that many large FMCG companies managing a broad portfolio of brands may not even know what they know about an individual customer, and have designed their tech stacks with built-in data redundancy, this is a pretty serious ask.


When does the GDPR come into effect?


Companies are required to be GDPR compliant by 25 May 2018. That doesn’t mean that they should begin to reform their IT policies and “start looking into things” come the 25th of May. By that date, they’d better have their data house in order, or they could be facing fines of up to 4% of annual global revenue or €20m (£17.5m).


Why is this happening?


As the world went digital and marketers fell in love with the possibilities of “big data”, corporations have indiscriminately collected massive piles of information. Consumer information has become warehoused on a grand scale and shared in unspecified locations. Security and access protocols have been unclear, and specific plans for when or how, if ever, that data would be disposed of have remained a mystery. This laxity has invited security breaches and encouraged a wide range of unscrupulous business practices.

In a broad sense, becoming GDPR compliant will require a data-security audit the likes of which hasn’t been seen since we entered the age of “digital-first.”


How GDPR will impact brands

As we wrote about in “The Ongoing History of Digital Marketing – Part 2”, vast troves of information from retailers, credit card companies, search engines and social media platforms have transformed the marketing landscape, allowing marketers to maximise consumption by more effectively delivering ads to the right person in the right moment.

This new normal isn’t about to change, so post-GDPR brands can still grow their value and improve their operations through data-driven processes. What is changing, however, is the dynamic between consumer and seller, marking an even stronger swing of a pendulum that was already well underway in favour of the user.

Because the GDPR requires a systemic overhaul in how companies collect and hold consumer information, brands and marketers will be on the hook for every data collection and retention decision they make. Effectively, this means an astonishing level of transparency on the consumer side not seen since the advent of digital marketing. This also means that internal processes and policies will have to be rethought and designed in order to be compliant.

While brands and marketers will surely be impacted, it is important to remember that the GDPR doesn’t have to be a bad thing. Enhancing privacy and security can also mean enhancing strategy and operations in a powerful way, namely by putting consumer experience first (which we at Adimo have always thought was the best way forward!).

As others have pointed out, these changes will kill certain marketing tactics, but those are the unpopular practices which decrease consumer trust anyways, such as including assumed opt-ins or indecipherable terms and conditions, and shady list-building practices like collecting business cards just to add people to email lists.


What must brands and marketers do to become compliant with the GDPR?

While the long-term benefits to both consumers and brands may be apparent, what’s even more clear is that this will be a drastic change, and that there is a lot of work to be done. Achieving effective GDPR compliance without losing revenue will involve working with two unsexy departments – legal and IT – which don’t always get a seat at the table when the topic at hand is strategy.

The good news is that businesses which have invested in becoming digital-first are already on the right track, as one of the most expensive and complex changes to accommodate GDPR compliance can be to the tech stack.

As legal compliance is the name of the game, it is critical that organisations seek out qualified advice, but the necessary changes to meet compliance can be outlined under three areas:

1) reviewing data collection policies and rewriting/restructuring data collection procedures
2) implementing IT security and building in compliance measures
3) working with partners to ensure compliance.

Policies and Procedure

Review all existing policies to ensure they’re compliant. Make sure all opt-ins are explicit, which includes asking your existing email list to opt in again if you didn’t have express permission to contact them through this channel for marketing purposes in the first place. Review all your sign-up forms and the language on your websites and landing pages to clearly communicate with prospects what they are signing up for and how you will use their data.


Before being able to fulfill a customer’s data request, you must first know exactly what information you have collected about that customer, where this data is stored, and how it can be retrieved. Do you know what your company’s data-retention policies are? Does your architecture support this, or does it undermine you by distributing back-ups willy-nilly?

Asking these fundamental questions and performing an inventory of your data will help you to understand your risk exposure, guiding you to the critical steps needed to mitigate risks as well as how you will need to modify your architecture and applications.


One of the scariest parts of the GDPR is that companies will be liable for what their partners and third-party service providers may be doing with their data. If it’s been a while since you’ve reevaluated your long list of SaaS providers, it’s time to start re-vetting, and it’s also high time those outside the tech team wrap their heads around what exactly the Cloud is and where exactly your customer data lives.

The good news is that since GDPR affects all companies that work with EU residents, this umbrella is very broad, so your partners and service providers should be hustling to become compliant too. But not all will be, so it’s on you to make sure all your partners are as on the ball as you are.


The outlook for marketing FMCGs after GDPR

For teams managing a single brand, GDPR compliance might mean revising a handful of landing pages and checking in with a few essential software partners. For FMCGs managed under a corporate umbrella, this may be a months-long slog dragging legal teams, IT engineers and senior leadership through a gruesome process overhaul.

The most innovative companies, however, view this as a once-in-a-generation chance to reform their data management and instill best practices within the organisation. For Unilever, GDPR compliance represents an opportunity to promote trust and relevance with consumers, thereby enhancing brand value.

For this reason, we venture to assert that GDPR will, after the hard work is done, become a very good thing for marketers and brands alike. The most successful FMCG brands are leveraging the best technology and committing to delivering value. By prioritising GDPR compliance, they will build trust and relationships with consumers, and generate value by providing worthwhile content instead of employing bait-and-switch tactics that don’t serve a brand’s long-term prospects.