Mar­ket­ing ver­sus data pro­tec­tion: Who holds the trump card?

Petra Dahm – Pho­to: Boris Dahm

In her Duet Inter­view with Petra Dahm, strate­gic con­sul­tant and for­mer copy writer, cre­ative direc­tor and strate­gic plan­ner in the adver­tis­ing world, Dr Cal­daro­la, author of Big Data and Law, dis­cuss­es the trade-off between two stake­hold­ers with dif­fer­ent needs as far as dig­i­tal busi­ness is concerned.

It is essen­tial for a company’s sur­vival to sell prod­ucts and/or ser­vices. How­ev­er, it is also impor­tant that its hard-earned rev­enues not be lost by enor­mous data pro­tec­tion fines for non-com­pli­ance (up to 4% of the world­wide turnover of a com­pa­ny group) , as we have seen in an ear­li­er inter­view with Prof. Dr Schrey. One can observe dif­fer­ent phe­nom­e­na in dig­i­tal activ­i­ties: (1) com­pa­nies seem­ing to become bold­er in sell­ing activ­i­ties on the inter­net; (2) at the same time, con­sumers feel­ing anx­ious that their data is not secure – accord­ing to sur­veys, (3) con­verse­ly, con­sumers scrolling imme­di­ate­ly to the end of a doc­u­ment with­out even mak­ing the effort to read seem­ing­ly end­less infor­ma­tion in order to give their con­sent to com­pa­nies hav­ing com­posed, for the most part, long, detailed and seem­ing­ly trans­par­ent data pro­tec­tion state­ments. What must com­pa­nies do to be com­pli­ant? What trend have you observed? And which con­se­quences do the behav­iour of poten­tial cus­tomers and ven­dors list­ed above have with regard to the intend­ed legal goals?

Petra Dahm: Com­pa­nies are def­i­nite­ly get­ting bold­er in their dig­i­tal activ­i­ties. Over the last five years, glob­al sales via data-dri­ven por­tals and e‑commerce have almost dou­bled (source: Sta­tista). The pan­dem­ic and the asso­ci­at­ed con­tact restric­tions have accel­er­at­ed this devel­op­ment even fur­ther because COVID-19 has pro­found­ly changed sta­tion­ary and dig­i­tal com­merce with­in just a few months – a trend which clear­ly has the poten­tial to remain with us.

Accord­ing to a fore­cast by the Insti­tute for Retail Research IFH Cologne, growth in Ger­many alone is expect­ed to dou­ble, and the mar­ket will increase to up to €88bn in sales. The gen­er­al will­ing­ness to open up to dig­i­tal tools has also been sig­nif­i­cant­ly strength­ened by the pan­dem­ic – both on the part of com­pa­nies as well as on the part of customers.

How­ev­er, there is still dis­sat­is­fac­tion with the online shop­ping expe­ri­ence because, accord­ing to the mar­ket research com­pa­ny For­rester Con­sult­ing, Ger­man cus­tomers, in par­tic­u­lar, are not pro­vid­ed with a suf­fi­cient­ly intu­itive user expe­ri­ence – both when search­ing for suit­able prod­ucts or ser­vices on the inter­net and when nav­i­gat­ing an online store itself. This cir­cum­stance can be attrib­uted to a num­ber of fac­tors: On the one hand, it results from a rather poor dig­i­tal strat­e­gy of com­pa­nies that is not yet ful­ly devel­oped in many cas­es, but is also du to the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) intro­duced since 2018, and oth­er guide­lines, such as the very com­pli­cat­ed reg­u­la­tions of the cook­ie noti­fi­ca­tion or opt-in/opt-out pro­ce­dures which have all made life dif­fi­cult for com­pa­nies in this coun­try. For all these rea­sons, pages or noti­fi­ca­tions are encod­ed, not to be pre­sent­ed in a visu­al­ly appeal­ing way, or the nav­i­ga­tion is so com­plex that con­sumers either will­ing­ly click on online offers with­out know­ing the rel­e­vant back­ground infor­ma­tion. After that one fatal click, they are then lit­er­al­ly flood­ed with fol­low-up offers and feel pow­er­less and frus­trat­ed. The alter­na­tive sce­nario is to sim­ply refuse every­thing from the out­set, leave the page and men­tal­ly des­e­lect the service.

In addi­tion, there are still con­sumer con­cerns about data secu­ri­ty, although accord­ing to a recent study by Deloitte, shop­ping behav­iour dur­ing the pan­dem­ic has also relaxed sig­nif­i­cant­ly in favour of con­ve­nience – one only has to remem­ber how read­i­ly per­son­al data was shared when vis­it­ing a restau­rant this year or recall the wide­spread use of cloud-based col­lab­o­ra­tion tools, such as Zoom and the like, and pri­vate, unen­crypt­ed WLAN-con­nec­tions in home office sur­round­ings. Or let us con­sid­er an even more press­ing issue: Health pro­tec­tion vs. pri­va­cy? Here it is also worth tak­ing a look at the dif­fer­ent behav­iour­al pat­terns of the var­i­ous gen­er­a­tions, par­tic­u­lar­ly in terms of tar­get group seg­men­ta­tion – while the Baby Boomer, GenX and GenY gen­er­a­tions tend to be more restric­tive with their per­son­al data, younger gen­er­a­tions are much more will­ing to dis­close their data in order to make use of online services.

When con­sumers vis­it a web­site and/or nav­i­gate through the inter­net, they are con­front­ed with “fea­tures”, such as pri­va­cy state­ments, con­sent, dou­ble opt-in and the like. Even though such require­ments are oblig­a­tory, have they been cor­rect­ly imple­ment­ed? Are they more of a deter­rent or even counter-pro­duc­tive? Why is the way com­pa­nies are ful­fill­ing these data pro­tec­tion require­ments so antag­o­nis­tic to consumers?

When con­sid­er­ing this mat­ter, it is cer­tain­ly nec­es­sary to dif­fer­en­ti­ate between glob­al enter­pris­es and small and medi­um-sized enter­pris­es (SMEs), which have pre­dom­i­nant­ly been active on local mar­kets, and are now mak­ing their way to inter­na­tion­al mar­kets. The key fac­tor is the com­pa­ny’s lev­el of dig­i­tal matu­ri­ty and how well it is posi­tioned in terms of its dig­i­tal busi­ness strategy.

I find it prob­lem­at­ic that two years after the intro­duc­tion of the GDPR, many com­pa­nies have still not suf­fi­cient­ly come to grips with the issue in terms of its sig­nif­i­cance for mar­ket­ing, sales and adver­tis­ing. In addi­tion, there is anoth­er dif­fer­ence between B2B and B2C com­pa­nies: name­ly that while in a B2C buy­ing process only one con­tact is deci­sive, in a B2B buy­ing process up to sev­en con­tacts or more are part of the sale.

Although the nec­es­sary admin­is­tra­tive or IT-relat­ed mea­sures may have been tak­en inter­nal­ly, such as data access con­trol, or data reten­tion, many SMEs in the B2B sec­tor have only real­ly start­ed to come to terms with dig­i­tal busi­ness mod­els, mul­ti-chan­nel approach­es, online mar­ket­ing and data-based analy­ses of online cus­tomer jour­neys and buy­ing process­es since the Coro­na pan­dem­ic, which means that there is a great deal of catch­ing up to do in terms of dig­i­tal com­pe­tence – and thus with regard to secure com­pli­ance with GDPR regulations.

In addi­tion to pure­ly tech­ni­cal exper­tise, it is par­tic­u­lar­ly impor­tant to act in a cus­tomer-ori­ent­ed man­ner – here, among oth­er things, an under­stand­ing of user expe­ri­ence and user inter­face is an essen­tial pre­req­ui­site for com­mu­ni­cat­ing reg­u­la­tions and require­ments in a user-friend­ly fashion.

We our­selves see both ten­den­cies in the dis­cus­sions with our cus­tomers, which have espe­cial­ly been trig­gered by the pub­li­ca­tion of the first more sub­stan­tial fines: either online mea­sures are being mas­sive­ly scaled back or at least put on the back burn­er for fear of mis­takes in imple­men­ta­tion, a reac­tion which is actu­al­ly fatal, as this restricts the pos­si­bil­i­ties of dig­i­tal busi­ness mod­els, or penal­ties are, quite sim­ply, fac­tored in delib­er­ate­ly and accepted.

Do com­pa­nies take advan­tage of their mar­ket pow­er? In oth­er words, does the con­sumer real­ly have the choice of not accept­ing data pro­tec­tion rules estab­lished by com­pa­nies? Will the con­sumer find alter­na­tive offers from a dif­fer­ent com­pa­ny that has – in his eyes – bet­ter data pro­tec­tion rules?

One fac­tor which must be tak­en into account is that the appli­ca­tion of the GDPR is being inter­pret­ed com­plete­ly dif­fer­ent­ly, in part, by data pro­tec­tion offi­cers, but also by data pro­tec­tion lawyers. This impor­tant con­clu­sion was one we could reach from our own expe­ri­ences with dif­fer­ent cus­tomers. Since we our­selves con­stant­ly deal with the data pro­tec­tion guide­lines and, as a mar­ket­ing con­sul­tan­cy, nat­u­ral­ly also make cor­re­spond­ing sug­ges­tions to clients for online cam­paigns or mea­sures, this some­times leads to heat­ed dis­cus­sions and the client is forced to decide either in favour of a strict or a some­what lax­er inter­pre­ta­tion of the GDPR.

What we find lack­ing – espe­cial­ly after the pub­li­ca­tion of the first offi­cial eval­u­a­tion from June 2020 – is a clear and unam­bigu­ous pre­sen­ta­tion of the reg­u­la­tion for all par­ties based on best prac­tice exam­ples. Instead, we were main­ly giv­en a mere inven­to­ry of the sta­tus of the imple­men­ta­tion of the GDPR, which might be help­ful to sta­tis­ti­cians, but not for advanc­ing a prac­ti­cal approach to the regulation.

Above all, one thing must be kept in mind: the GDPR is based to a cer­tain extent on a lev­el of dis­cus­sion, which had already tak­en place 10 years ago, and since then, as is well known, a lot has hap­pened in terms of tech­nol­o­gy, analy­sis options, cus­tomer behav­iour, gen­er­a­tion devel­op­ment etc. Not to men­tion inno­va­tions, such as voice track­ing (voice assis­tant envi­ron­ment), eye track­ing (extend­ed real­i­ty envi­ron­ment), emo­tion­al track­ing (HR assess­ment envi­ron­ment) and let’s not for­get the advent of cloud com­put­ing (Indus­try 4.0/IoT envi­ron­ment) as well as the increased use of arti­fi­cial intelligence.

In the course of increas­ing­ly ubiq­ui­tous com­put­ing, we are no longer deal­ing with sim­ple, trace­able data pack­ages in indi­vid­ual silos, but with intri­cate, net­worked appli­ca­tions that require a sim­i­lar­ly com­plex view of data pro­tec­tion – both for com­pa­nies in terms of pro­tect­ing their intan­gi­ble assets and for cus­tomers safe­guard­ing per­son­al and sen­si­tive data.

The prob­lem is that the speed of tech­no­log­i­cal devel­op­ments presents almost insur­mount­able chal­lenges for a prop­er data pro­tec­tion impact assess­ment because it is not pos­si­ble to draw up or imple­ment new or adapt­ed reg­u­la­tions in the time need­ed and to train staff accord­ing­ly. There­fore, a dia­logue involv­ing all inter­est­ed par­ties should be held that already begins dur­ing the devel­op­ment of such tech­nolo­gies and is con­sis­tent­ly kept going.

My favorite quote is:


“In times of change, the great­est dan­ger is to act using yesterday’s logic”.

Peter Druck­er

Do com­pa­nies lose sales oppor­tu­ni­ties when apply­ing data pro­tec­tion require­ments? If so, what pro­por­tion of sales oppor­tu­ni­ties are lost? Can you give us a short overview of how mar­ket­ing and sales work to draw in poten­tial cus­tomers using dig­i­tal busi­ness mod­els, when a deci­sion for a spe­cif­ic action is nor­mal­ly tak­en, how much addi­tion­al time and how many clicks decrease a poten­tial dig­i­tal pur­chase, and, final­ly, explain why the “fea­tures” nec­es­sary for data pro­tec­tion com­pli­ance, such as con­sent, cook­ie guide­lines and sim­i­lar, are so dis­rup­tive with regard to mar­ket­ing and sales in the process of win­ning poten­tial cus­tomers on the internet?

To be hon­est, it is very hard to give a gener­ic answer to how many sales oppor­tu­ni­ties are lost because, at the very least, a num­ber of para­me­ters are involved. For exam­ple, the stricter cook­ie direc­tive and the result­ing restric­tions on the inte­gra­tion of com­mon online ser­vices have severe­ly lim­it­ed both cus­tomer ser­vice and the analy­sis of user data, which can have a neg­a­tive impact on online mar­ket­ing plan­ning. Here, we see Europe at a clear dis­ad­van­tage com­pared to Amer­i­can or Asian com­pa­nies, for exam­ple, which sim­ply have com­plete­ly dif­fer­ent options for a tar­get-ori­ent­ed cus­tomer approach and for con­tin­u­ous­ly opti­miz­ing the cus­tomer jour­ney with tech­nolo­gies, such as pro­gram­mat­ic adver­tis­ing and pre­dic­tive tar­get­ing, and can thus ful­ly exploit the advan­tages of dig­i­tal marketing.

How much poten­tial is actu­al­ly lost can there­fore only be esti­mat­ed, but the fact that an online cus­tomer jour­ney gen­er­al­ly has more touch­points than an offline one means that the pos­si­bil­i­ty of bounc­ing back in the course of a jour­ney is cer­tain­ly high­er. What we def­i­nite­ly see in our own analy­ses of inter­na­tion­al com­par­isons is that the restric­tions imposed by the GDPR are hav­ing a mea­sur­able impact. As already men­tioned at the begin­ning, small and medi­um-sized enter­pris­es in Ger­many, in par­tic­u­lar, are still far from mak­ing com­plete use of the oppor­tu­ni­ties offered by dig­i­tal busi­ness mod­els. In this respect, I see a high poten­tial for dis­cus­sion and con­flict in the com­ing years.

Above all, the dis­pro­por­tion com­pared to the Big Five from the USA is a sub­ject for dis­cus­sion because, to be hon­est, from our point of view, a real­ly cut-throat com­pe­ti­tion is devel­op­ing here. Due to a tech­no­log­i­cal head start and less restrict­ed pos­si­bil­i­ties, com­pa­nies, such as Google, Face­book, Ama­zon and oth­ers, are devel­op­ing more and more intel­li­gent data analy­sis options and, above all, have the eco­nom­ic lob­by­ing and finan­cial resources, not to men­tion tech­ni­cal exper­tise, to stand up to Euro­pean data pro­tec­tion authorities.

We our­selves have just seen how long a clar­i­fi­ca­tion by the EU Com­mis­sion can drag on – in the mean­time, bil­lions of data points have already been gen­er­at­ed again: THE asset of every dig­i­tal­ly ori­ent­ed com­pa­ny. Inci­den­tal­ly, a sim­i­lar imbal­ance can be observed when look­ing at tech­nol­o­gy-ori­ent­ed start-ups in Ger­many in an inter­na­tion­al com­par­i­son – here we should not be sur­prised if tal­ent is poached or emigrates.

Are there real­ly alter­na­tives or are con­sumer asso­ci­a­tions, the Cham­ber of indus­try of com­merce, con­sul­tants and oth­er dig­i­tal pri­va­cy providers har­mo­niz­ing the appear­ance of the dig­i­tal jour­ney as well as how it pro­ceeds so that there is lit­tle or no oth­er possibility?

The advances in tech­nol­o­gy and the asso­ci­at­ed adjust­ments to data pro­tec­tion are devel­op­ing so quick­ly that we require a high lev­el of con­tin­u­ous train­ing and fur­ther edu­ca­tion to keep up. Above all, the com­plex infra­struc­tures described above require a con­sis­tent inter­dis­ci­pli­nary exchange between indi­vid­ual par­tic­i­pants so that prac­ti­cal and cus­tomer-ori­ent­ed solu­tions can be devel­oped that cor­re­spond to our Euro­pean under­stand­ing of privacy.

Unfor­tu­nate­ly, the guid­ance offered by indus­try or pro­fes­sion­al asso­ci­a­tions as well as offi­cial con­tact points, such as the cham­bers of indus­try and com­merce, usu­al­ly only pro­vide gen­er­al basic infor­ma­tion or focus on the cor­rect inter­pre­ta­tion of data pro­tec­tion direc­to­ries or check­lists. If you are look­ing for mean­ing­ful train­ing oppor­tu­ni­ties in the areas of marketing/sales or dig­i­tal busi­ness mod­els, you are usu­al­ly left with sem­i­nars or work­shops – and iron­i­cal­ly, these are often not even avail­able online so far.

Mar­ket­ing and data pro­tec­tion seem to have con­flict­ing agen­das. Which side nor­mal­ly prevails?

It is impor­tant to under­stand that mar­ket­ing has become extreme­ly com­plex com­pared to ten years ago. With the abil­i­ty to net­work ana­logue and dig­i­tal mar­ket­ing as well as the advent of com­mu­ni­ca­tion mea­sures, we are in a posi­tion to per­fect­ly per­son­al­ize offers- even a small-sized com­pa­ny is in a posi­tion to serve glob­al tar­get groups via mul­ti-chan­nel approach­es- and com­pa­nies right­ly expect analy­ses that are as com­pre­hen­si­ble as pos­si­ble and, in the best-case sce­nario, can be con­sis­tent­ly planned and read­just­ed on the basis of mea­sur­able data. With the data-dri­ven net­work­ing of a wide vari­ety of online chan­nels (web­site, social media, email mar­ket­ing, plat­forms, etc.), the colab­o­ra­tion of lead man­age­ment, trans­par­ent mon­i­tor­ing of the cus­tomer jour­ney, and pos­si­bly even direct feed­back from the prod­uct itself via IoT and auto­mat­ed after-sales ser­vices, these var­i­ous process­es and the asso­ci­at­ed per­son­al data can cer­tain­ly be mul­ti-lay­ered with regard to the indi­vid­ual mar­ket­ing and com­mu­ni­ca­tion steps with­in the cus­tomer jour­ney. When a cam­paign or sys­tem is set up from scratch, we there­fore advo­cate get­ting all the deci­sion-mak­ers from mar­ket­ing, sales, ser­vice, prod­uct, sys­tem devel­op­ment and data pro­tec­tion at the same table to define clear require­ments and expec­ta­tions from the out­set. How­ev­er, it becomes dif­fi­cult when a sys­tem or cam­paign is already up and run­ning and needs to be assessed to deter­mine whether it is a pri­va­cy-com­pli­ant solu­tion. This often leads to very exten­sive dis­cus­sions, since mutu­al under­stand­ing must first be estab­lished – and that is not always easy. In most cas­es, quick exter­nal advice is not pos­si­ble because care­ful aware­ness of the over­all strat­e­gy and the indi­vid­ual objec­tives is nec­es­sary – and acquir­ing this under­stand­ing takes time.

How do mar­ket­ing and data pro­tec­tion form an effec­tive trade-off of their needs and inter­ests? Are there bet­ter ways to syn­chro­nize data pro­tec­tion require­ments with­out los­ing sales oppor­tu­ni­ties? Any ideas?

If we imag­ine that the world will become even more con­nect­ed and mobile in the future, then we need to rec­on­cile this delib­er­ate­ly open and, in many cas­es, per­haps also desired infra­struc­ture of inno­v­a­tive tech­nolo­gies, such as blockchain, cloud com­put­ing, Inter­net of Things, Aug­ment­ed Real­i­ty (smart glass­es) and arti­fi­cial intel­li­gence with the strict reg­u­la­tions of the Euro­pean Data Pro­tec­tion Reg­u­la­tion. And we must ask our­selves quite hon­est­ly: is such a rec­on­cil­i­a­tion even pos­si­ble? The Euro­pean Com­mis­sion itself has just phrased it very nice­ly in the con­text of the draft for a Data Gov­er­nance Act (DGA): We are prob­a­bly try­ing to square the circle.

Mrs Dahm, thank you for shar­ing your insights on the chal­lenges of mar­ket­ing and sales in the dig­i­tal environment.

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with rec­og­nized experts, delv­ing even deep­er into this fas­ci­nat­ing topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Petra Dahm

Petra Dahm started her career in advertising in the beginning of the 90s before concentrating on online marketing along with the rapid development of the internet and apps business. For the past 15 years she has been working as a strategic digital consultant for global B2B enterprises as well as SMEs in Germany. Currently her interest lies in the adaption of new technologies like VR/AR and AI in the media and communications, and their role in a future digital society.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.