Despite the weeks of hype leading up to last week’s deadline to comply with the European Union’s General Data Protection Regulation, a recent report from SAP found that a fair number of marketers still either neglected to prepare for the law or couldn’t decide whether the rules applied to them.
Of the 165 marketers surveyed within a couple months of the May 25 cutoff, around 26 percent said they either didn’t have a plan or weren’t aware of one, 19 percent said they believed there was still time to draw one up and only 30 percent had completed a data audit to confirm compliance.
Adweek spoke with SAP’s chief digital marketing officer, Mika Yamamoto, about the widespread confusion around the regulation, how the deadline could have caught brands off guard and why the law is so necessary.
The following has been edited for length and clarity.
Adweek: From the results, it seems like marketers are fairly optimistic about what GDPR could mean in terms of better customer experience, data protection and consumer trust. Yet at the same time, they don’t seem very prepared, and some of them don’t even seem to know whether GDPR applies to them or not. How do you explain this discrepancy?
Mika Yamamoto: What’s challenging is that because it’s a European regulation, some companies are wondering whether it applies to them based on their operations. One factor is if you’re in the United States, for example, but you do business in Europe … the interpretation of what that means for a company has been … a question mark for some of them. Some of them just don’t have the resources from a legal standpoint to have someone interpret the law on their behalf.
So you look at midmarket companies and small companies—a lot of those companies don’t have internal legal counsel, and if you’re not based in Europe, you might not be as acutely apprised of the law because in your circles, you might not hear about it as much as we do as a European company or as a company that has really significant operations in Europe.
And lastly, I would say that, as with any law … it’s pretty lengthy and complex so a lot of it is an interpretation of that law and figuring out, ‘What does it really mean to me?’ … It’s not like it’s a one-pager with simple bullet points. … So you have to decide on a balance between how locked down you’re going to be while optimizing for commercial value and being able to actually connect to customers and conduct business. That is a continuum that I think all companies are thinking right now, ‘OK, what bed am I going to make in terms of those trade-offs?’
Adweek: What are some of the opportunities that marketers see with GDPR?
Mika Yamamoto: Well, beyond being legally compliant, I think the bar is a lot higher, regulation or no regulation. If you just look at what’s happening in the media—either with security breaches with companies like Equifax or Cambridge Analytica—consumers are becoming more and more aware of what’s happening with their data, and I think we need to be stewards in protecting that data and protecting the privacy of our customers. That’s becoming a cost of doing business, regulation or not. … Some marketers got way too complacent.
It becomes really easy to just make a list and blast emails out to that list without personalizing or thinking about how to segment that list based on their own preferences, and we can’t do that anymore. You can more legally do so in the United States, but it’s becoming something that isn’t very tolerable or appealing to consumers.
Adweek: Do you have any sense of whether marketers might have been able to comply in the weeks since this survey was taken? Some said they felt they had enough time.
Mika Yamamoto: When we released this study, if you weren’t on your road to being compliant, by this day, you’re probably not—unless you have super simple operations. … It’s unlikely that a couple weeks is enough to get compliant. Most companies started to prepare a year and a half ago. There’s a wide spectrum of ways that companies are preparing for this, some very conservatively. We’ve chosen a very conservative route at SAP, but others are just saying, ‘You know what? I’m willing to take the risk. I don’t do much business in Europe. And if I do, we’ll see what happens.’