Are there any positives from the first year of GDPR?

A year has passed since the new EU data protection law came into force. What have we learned in that time that can help organisations deliver benefits from the regulation?

The first anniversary of the General Data Protection Regulation (GDPR) arrives on 25 May 2019. Discussions about GDPR generally receive about as a positive a reception as Brexit, but are there any positives that companies can take after a year of living with the new rules?

No one would suggest that preparing for GDPR was an easy or popular process. It wasn’t, and even consumers and regulators found it rather trying. However, as it is something that couldn’t and can’t be ignored, why not at least try to get as much out of it as possible and embrace the opportunities it can present? Here are some of the key opportunities for companies to embrace now as GDPR beds in:

Cost savings

Data protection legislation has always held as a core principle the fact that personal data should not be held for longer than is necessary for the purpose for which it was collected. GDPR didn’t change this, but given its new obligations around accountability, and of course the higher penalties for breaches, this caused mounting panic about the deletion of datasets in the run-up to the 25 May 2018 deadline.

Although it is a common-sense principle, deciding on appropriate data retention periods and then enacting them across multiple systems – many licensed rather than owned, and so with different levels of control – is not a straightforward exercise. Many companies became tied up in knots in this area or engaged consultants charging huge sums to introduce complicated programmes.

But the simple fact is that holding less data is, ultimately, not only better from a compliance perspective, but can also be cheaper. Many a company found the act of deleting old, unused datasets surprisingly liberating and positive once they started – not quite Marie Kondo levels of joy, perhaps, but the storage cost savings certainly helped.

Data strategy

The other opportunity that a GDPR data spring clean presented was the chance to better understand – perhaps for the first time, in many cases – what datasets actually exist within a company. Knowledge of the data you hold already is so important for informing data strategy, which, in turn, is so central to growth and innovation in most businesses today.

All too often, because data has sat in isolated silos with different gatekeepers, companies don’t have the visibility to make decisions around data partnerships or growth, and sometimes even license externally to obtain data or insights at a cost, when in fact the information already exists right under their nose. 


GDPR has certainly brought consumer trust issues around data to the fore, hitting newsfeeds on an almost daily basis. The largest tech companies can’t escape it and have been reacting by ensuring that privacy heads the agenda in CEO speeches and conferences.

However, too few other companies have recognised the opportunity that GDPR represents to engage with users about how their data is used and to do so in a way that is compelling and different.

It is a legal obligation to set out how personal data is used in a privacy policy or other form of notice and to respond to data subject rights queries – but no individual is impressed to read the standard “we take the security and protection of your personal data very seriously” type messaging. It is surprising how few companies with fabulous marketing and design teams don’t utilise them in relation to communicating and shaping data compliance programmes.

Some companies rose to the challenge and offer good examples. EasyJet has an excellent, simple privacy video, which opens with a member of the cabin crew preparing the plane and audience for the privacy promise that follows. It explains far better than just a privacy policy can how the company uses personal data.

Not only is this a better communication tool for complex information, but it has also been a successful brand promotion – the video on YouTube has received more than 62,000 views, and social media responses have been positive. Other companies using a video to great effect are LinkedIn and Channel 4.

The Information Commissioner’s Office (the UK regulator for GDPR) encourages such techniques and has embraced them by using a series of infographics on different topics as an additional way to the standard privacy notice of explaining how it uses personal data.

Similarly, rather than seeing data subject access and other requests as simply a pain, companies should consider this as a proactive engagement by an individual with the brand that should be responded to as positively as you would to someone engaging with you through a social media channel. Many companies would kill for more direct consumer interactions, so make every one count.

New forms of engagement

It was sad to see so much confusion in the run-up to GDPR around consent for direct marketing. This resulted in many companies deleting parts of their marketing databases on the back of disastrous re-consent campaigns to a fatigued population, even where there may have been other solutions for compliance.

Trying to see any positives at all in this may seem challenging. However, some companies were forced to be more creative and imaginative in customer engagement channels. They reflect, with hindsight, that relying on a volume-based e-newsletter reach was perhaps false comfort, and other more nuanced and tailored experiences are far better at getting results.

So 25 May should not just be a date for a sigh of relief at surviving a year without one of those scary fines everyone warned you about – but well done, all the same. It should also be a date for reflecting on the positives you got out of GDPR in the past year. If you can’t think of any, then another look and a rethink may still reap some rewards.

Read more about GDPR

Read more on Privacy and data protection

Data Center
Data Management