Industry Insights

Kenneth Sanford Discusses the Impacts of the GDPR

Last July, one of our contributors, Scott Liewehr, Industry Analyst and Founder of Digital Clarity Group, discussed here, at CMS-Connected, where organizations were at that time with their knowledge and readiness to comply. Since then, the drumbeat has started to pick up as we are getting closer to the European GDPR deadline of May 25, 2018. A breach of the GDPR can result in fines of up to €20 million or 4% of annual global turnover (whichever is greater). That being said, Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. To help you navigate these daunting waters, the data science company DataIKU recently published a white paper entitled Five Essential Pillars of Big Data GDPR Compliance. To inquire further into the details, our media reporter Laura Myers spoke with Kenneth Sanford, Analytics Architect, U.S Lead at DataIKU to discuss how organizations can best prepare for the new regulations before they take effect.

Kenneth couldn’t stress enough how important it is to develop a plan and get up to speed with GDPR requirements now. To that end, he mentioned the top three changes he suggests for organizations to start with. First and foremost, he recommends looking at the amount of data replication that organizations are doing. Speaking from experience, Kenneth brings attention to the fact that “a lot of work has been done in a very decentralized way so there are still copies of data everywhere throughout the organization.” From there, as a second step, he suggests to use a software that can help organizations develop auto and cataloguing capabilities to be able to clearly see where the data is sitting, what they are being used in, what projects the data is touching, what models are being built off what data, and so on. Last but not least, he touched upon aligning teams around being an analytics-first organization.

Since the impact of the GDPR is going to ripple out into many disciplines in the tech industry, vendors and service providers have started assembling numerous governance tools to help organizations comply. IBM, for instance, developed a software platform that can be mapped to the GDPR, an information governance catalog, StoredIQ data visibility software and models for data scientists across Europe to use, whereas Informatica is beefing up its artificial intelligence platform, CLAIRE Engine, to help organizations automate in accordance with GDPR compliance. During the interview, Kenneth also shed light on the fact that the new data storage companies with a focus on centralized data storage and security have lately been mushrooming.

Marketing and Truth

The legislated principle of “data protection by design” dictates that companies must use the smallest amount of personal data, for the shortest period of time, expose it to as few employees as possible and delete it as soon as they can. On the other hand, today, in the scope of data-driven, machine learning powered marketing, organizations tend to collect as much data as they can from any available source, even though they are not sure how to utilize it yet. In other words, “collect it now and figure out what to do with it later.” The reason behind this is that many believe, more data improves customer experience. According to Forrester, “77 percent of consumers have chosen, recommended, or paid more for a brand that provides a personalized service or experience.” As a matter of fact, the majority of the big tech giants like Amazon, Netflix, Google, and Facebook have built their unique business models on the data that they have harvested. However, the question is whether a practice of data maximization and blanket consent is the only way of providing personalized experiences?

Two years ago, at an event in Washington, Apple CEO Tim Cook gave a very controversial speech on protecting personal data. “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

As being a statistician-economist, Kenneth Sanford also believes that everything is cost benefit and said: “For the longest time, I’ve been saying, you probably don’t need the millionth observation or the billionth observation to prove out what you’re looking for, the mode is not always getting better without cost.” So the mentality of ‘let’s keep everything without thinking’ is starting to subside a little bit, according to him. That being said, Kenneth doesn’t believe that the companies like Amazon and Google are trying to manipulate consumer data and behavior in an evil way, yet he states: “They’re trying to benevolently manipulate your behavior, nudging you toward things you probably want. I think that shows value even though some might not believe it.” He also explained the reason lies behind this belief with an analogy: “Since there is so much data out there, it almost becomes overwhelming and anonymous. It’s very much like walking around New York City, when you walk around New York, you never feel scared or vulnerable because there are so many people, so much so that there is nowhere to hide, and it’s the same thing with data, there is so much of it and monitoring it has become so good, there is nothing evil that can happen.”  

It will be the end of wide-scale data collection for marketing purposes if there is no consumer consent. In other words, consent will be king rather than content. At a very simplistic level, it won’t be okay to send a newsletter to a visitor who just downloaded your whitepaper unless you collect their clear active consent on that specific interaction. In this case, does the GDPR mean the end of digital marketing? Yes and No. It may be the end of the way of executing digital marketing as we know it today but therein lies an opportunity to develop more thoughtful approaches to targeting and lead acquisition. Kenneth also agreed on that point, saying: “I would imagine there’s going to be some sort of niche industries that come up, or niche providers, just obfuscate data using machine learning in a way that doesn’t detract from the value and doesn’t lose meaning.”

Considering the steep penalty that organizations will face in the event of non-compliance after the GDPR has come into effect, Kenneth said that he would expect pretty sizeable budgets when it comes to the amount companies should plan to allocate on GDPR readiness and compliance efforts. According to a survey conducted by PwC, over three in four (77%) US multinational companies plan to allocate $1 million or more on GDPR readiness and compliance efforts -- with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million to address GDPR obligations. However, Bart Willemsen, a Gartner analyst, says that rather than allocating a larger portion of their budget to meet the GDPR in the next cycle, companies should dedicate a permanent budget for privacy compliance.

On top of the risk of facing a potential 4% fine of global revenues, when you also think of the fact that the average cost of a data breach is $4 million, and 70% of data breaches are caused by internal employees, allocating a permanent budget seems like a wise strategy not only to comply with the new regulations but also to prove that your organization values consumer trust. To allocate that budget, Kenneth suggests organizations to start by having a close look at their current IT budget as he believes that many organizations have serious IT spends on tools that are not solving their problems. If it is the case for an organization that is looking for extra resources to allocate budget on the GDPR requirements, relocating some of the inefficient investments in their current digital ecosystem may provide them with a breath of fresh air.


Due to the current way of doing digital business, consumers leave a trail of data whenever they interact with sites. Finally, the days are about to end when businesses hide behind the thin veil of, “but that was included in our Privacy Policy.” Considering today’s ever-changing consumer expectations and tomorrow’s increasing regulatory fines, business throwing the rule book at their customers who want them to revoke their information associated with their accounts will no longer survive. Therefore, we will definitely see more and more marketing campaigns focused on establishing explicit consent to utilize the personal data that they have already captured previously in a sneaky way. Tomorrow’s survivors will be the ones who empower their customers with their personal information, provide an access to the information they hold about them and are specific on how they use the data. After all, regardless of what the GDPR dictates, there is an obvious correlation between greater revenues and consumer trust.

Venus Tamturk

Venus Tamturk

Venus is the Media Reporter for CMS-Connected, with one of her tasks to write thorough articles by creating the most up-to-date and engaging content using B2B digital marketing. She enjoys increasing brand equity and conversion through the strategic use of social media channels and integrated media marketing plans.

Laura Myers

Laura Myers

A digital business, marketing and social media enthusiast, Laura thrives on asking unique, insightful questions to ignite conversation. At an event or remotely, she enjoys any opportunity to connect with like-minded people in the industry.

Featured Case Studies