Long debated and meticulously drafted, the European General Data Protection Regulation (GDPR) still turns out to have little profile with the public and to be underestimated by many businesses, although recent news stories may have changed this.

A survey by the Federation of Small Businesses in the UK, published in March, found that a mere 8% have completed preparations for what is the most far-reaching of all data protection laws, even though it comes into force in Britain on 25 May.

There can be no ignoring the new regulation, which potentially imposes penalties of up to 4% of global turnover on companies failing to meet its stipulations for the handling of personally identifiable data concerning any citizen of the EU or the UK.

Putting the privacy of data right at the heart of its aims, the new regulation is firmly set down to protect the interests of individual consumers. With so little time remaining before the new regulation comes into force, it is essential that the marketing industry sees GDPR not simply in terms of compliance, but as the once-in-a-generation opportunity to create new levels of consumer trust and embed privacy as a core brand value.

All businesses must comply with consumers' requests under the new regulation.

It is worth remembering the scope of the new obligations. From the end of May, consumers will be able to demand an account of all the data a business holds that could identify them. Then, if they so choose, they can ask for it to be destroyed so that they can be "forgotten".

Consent is one aspect of GDPR, but it is just one of the six legal grounds on which the processing of personally identifiable data can be justified, one of which is "legitimate interests". Fortunately, some effective lobbying by the DMA has resulted in direct marketing being included as a legitimate interest under the terms of the new regulation. This offers greater flexibility but nonetheless requires careful assessment. Marketers will have to weigh up their freedom to market against the subject's right to privacy under the new regulations, offering clear opt-outs. Consent, by contrast, will require unambiguous opt-ins.

In the UK, be thankful for the ICO's initiative

In the UK the supervising authority for GDPR will be the Information Commissioner's Office (ICO), which has issued guidance that legitimate interests are likely to be the most appropriate basis for an organisation that uses people's data in ways they would reasonably expect and which have minimal privacy impact, or where there is a compelling justification for the processing.

In her address at the DMA's recent Data Protection Conference, the Information Commissioner, Elizabeth Denham, highlighted the problems of GDPR-compliance that face smaller businesses, especially those with fewer than 250 employees. She said the ICO was receiving 1,500 calls each week to its helpline and was determined to ensure that the UK retained its position as one of the safest places on the planet for e-commerce.

Addressing the concerns of marketers, she said the ICO had also been working with the DMA to produce a Direct Marketing Guide, helping draft sections on accountability and the essentials of GDPR. She urged marketers to spend time "establishing informed, active, unambiguous consent" both in relation to GDPR and forthcoming regulations about electronic marketing and privacy.

She said once businesses had overhauled their data and established the right consents, they would be able to market to consumers in full confidence that they were complying with GDPR and the accompanying ePrivacy Regulation being prepared in Brussels. It would make for more effective engagement that would bring them real benefits, she claimed.

She did, however, acknowledge the difficulty of balancing consent with legitimate interests, as well as the challenges of validating "legacy data" and of ensuring that any breach of the regulation is reported within 72 hours.

Raising GDPR awareness is a major priority

While stressing that the ICO's immediate goal was to increase public trust in the way their data is handled, she said it was necessary to recognise that low levels of GDPR awareness meant few people would be able to exercise the new rights the regulation conferred upon them.

This made public awareness-raising and education a necessity, she said, while cautioning that if the average consumer's data was held by 100 organisations, messages from each organisation about the implications of GDPR would be potentially overwhelming. Hence the ICO's "Your data matters" campaign, which would lead on the issue.

For the marketing industry, the ICO's leadership on this issue is very welcome. Even if research published by the DMA in February indicates that consumers increasingly understand how the use of data makes their lives easier, awareness of GDPR remains low. Only 39% of respondents said they are aware of the new regulation. Yet almost two-thirds are already happy with the amount of data they share with organisations, and slightly more than half see the exchange of personal information as essential for the smooth running of modern society (compared with 38% holding this view when the same survey was conducted in 2012). 

So it is not as if consumers are unchangingly defensive about their data. In fact, the percentage concerned about online privacy fell from 84% in 2012 to 75% over the last five years.

Research shows that trust and transparency are the chief hurdles

Problems with trust and transparency loom very large, however, which makes tackling GDPR with the right customer-first approach essential. Some 86% of consumers in the survey want more control and 88% want greater transparency about what companies do with their data. Trust emerged as the single most important factor for consumers when deciding whether to share their data with an organisation (selected by 58%).

The results showed how the population can currently be divided in terms of attitudes to data privacy. Precisely half the population (50%) are "data pragmatists" who are prepared to share personal information with organisations as long as there is a clear reward for doing so. A quarter (25%) are "data fundamentalists" who are unwilling to provide personal data to be collected, even in return for the enhancement of services they receive. Another quarter, however, have little or no concern about how their data is used (which is an increase on the 16% holding this view in 2012). The results also show the percentage of the population that views its data as a tradeable asset is on the rise, up to 56% from 16% in 2012.

All these findings point to greater maturity in attitudes to the data-driven economy. Yet many remain sceptical about the value of organisations sharing their data with one another. Only 29% were happy for a business to share their information with other businesses, even if the aim was to provide more personalised services. 

We must make clear the benefits to consumers

The key for marketers will be to make clear the benefits consumers will receive from sharing their data, such as the more personalised communications that 31% of them want. This is the route to creating stronger levels of comfort among those consumers who do value more personalised interactions with brands and companies.

If organisations use consent in conformity with the new regulations and are compliant in their employment of "legitimate interests" then they should be able to bring themselves major commercial advantages. They will be able to see customers through the "single pane" that brings together all transactional, purchasing and contact data. Admittedly it means being capable of fulfilling requests quickly when consumers exercise the right to see the data an organisation has about them. There is no avoiding the fact that these capabilities will have to be acquired through improved systems and processes and through training, which will be critical to the success of the entire project long into the future.

Everyone should be capable of avoiding the ICO stick

In her address, Ms Denham said electronic marketing will require consent and stressed that although legitimate interest will constitute the basis for processing in some circumstances, marketers must be confident they can rely on it. That seemed like a warning, but she also said she intended to use the carrot as well as the stick in supervising the new regulations. Education, engagement and encouragement would all come before enforcement, while privacy and innovation would go "hand-in-hand". 

Yet everyone in marketing should note that she also made clear that the stick would certainly be used against deliberate and willful perpetrators of regulatory infringements.

It must be apparent now that all businesses must adopt a customer-first methodology when they look at the new regulation. GDPR is so far-reaching it must be addressed at the top of each organisation as a challenge for the entire business - it is not a question for marketing alone. Although many may be weary of all the scare-mongering in relation to GDPR compliance, all marketers need to ensure they build trust and transparency with consumers because the resulting opportunities for maximising the effectiveness of marketing will be very considerable.