The GDPR goes into effect in less than two weeks and while many companies are focused on executing their compliance strategies, it's not too early to start thinking about the future of data in a post-GDPR world.
Here are how first, second and third-party data will likely be affected by the game-changing regulation.
Third-party data – too big to fail?
The fate of third-party data is perhaps one of the most debated GDRP topics. While many believe that third-party data has become so ingrained in the digital marketing ecosystem that it's effectively too big to fail, many others believe it will be the biggest victim of the GDPR, especially in light of the fact that post-Cambridge Analytica, the market for third-party data is already facing headwinds.
To be sure, it's not entirely clear how successful companies will be in gaining the explicit consent necessary to make a vibrant third-party ecosystem viable going forward. Gigya’s Jason Rose is a skeptic. "Consumers will now be asked to check a box that says, in effect, ‘We intend to sell your information to data brokers, allowing other companies to send you unsolicited offers and track your online movements’", he explained. "How many will accept, given they have no obligation to do so? My prediction is zero."
Whatever happens, post-GDPR, companies that buy and use third-party data, and care about compliance, will be forced to do more due diligence instead of simply taking data brokers' word that everything is on the up and up. This need for greater scrutiny should reduce the volume of data available, increase transparency in the marketplace, and push out unsavory operators.
On one hand, this should for obvious reasons significantly benefit the third-party data ecosystem and make it stronger. On the other hand, extra work that companies will need to take on to ensure their use of third-party data is compliant with the GDPR could be a huge turn-off.
Second-party data – set to flourish?
While many believe third-party data could be the biggest loser post-GDRP, many see second-party data as the biggest winner. Second-party data is first-party data that is acquired directly from the first-party instead of a middleman such as a data broker.
Those who are bullish on second-party data believe the GDPR could hasten its rise because the market for second-party data is already by its very nature more transparent. Sellers and buyers deal directly, so the terms under which the data will be used are clear and there is a much greater opportunity for buyers to vet the quality of the data. In addition, because of the GDPR, companies collecting data will theoretically have a greater incentive to sell it directly to data processors instead of brokers.
Of course, data controllers that want to sell their data directly to data processors and remain GDPR compliant will still need consent, and that could prove challenging.
First-party data – less is more?
This brings us to first-party data. For years, companies in a position to do so have largely taken a collect as much as we can and figure out how to use it later approach to data that they have the ability to capture directly from their users and customers.
The GDPR will likely force them to rethink that approach. Companies will need to be far more transparent about the data they collect and how it will be used. And they will generally be forbidden from forcing users to agree to sharing of their data by denying them the ability to use their services if they refuse to opt-in to unnecessary sharing. Most importantly, consumers will have far more control over their data, including the ability to request its deletion.
For these reasons, there seems to be a general consensus that the volume of first-party data will decrease. But as companies become more thoughtful about the data they collect and the transparency the GDPR demands causes companies to better explain to users and customers how their data will be used, the quality of first-party data could increase, and significantly in some cases.
For all the challenges the GDPR presents, it might be going into effect at the perfect time. For years, a number of observers, including security expert Bruce Schneier, have been arguing that data is more a liability than an asset.
Despite warnings that with big data collection comes big risks, companies, believing that digital data would help them survive and thrive in today's digital economy, clearly didn't do enough to mitigate against the risks of housing massive amounts of user and customer data.
Facebook's Cambridge Analytica scandal in many ways vindicated the data skeptics, as at least some of their most important predictions came to pass.
But ironically, the GDPR is giving companies a framework that can help them adopt better, more secure data collection and management practices so that Cambridge Analyticas don't become regular occurrences. And as consumers become more aware of the new rights they have to control their data under the GDPR, it might discourage them from taking more drastic action to avoid supplying their data.
From this perspective, the GDPR might just prove to be a godsend, especially if they truly embrace it.