Cybersecurity Editor's Choice Europe Fintech Regtech

More Regulation is a Good Thing: Guy Hanson from Validity Explains Why

Despite the ICO appearing to take a tougher stance on GDPR compliance in the last few months, having stricter regulation in place is not necessarily a bad thing for businesses. In fact, research published only a year after GDPR was brought into effect found that many marketing teams saw clear uplifts in their KPIs, as well as improved ROI and consumer trust.

However, in the last few months alone, we have seen the likes of American Express, the Conservative Party and Papa John’s fall foul of GDPR with their bad email practices. Guy Hanson, VP Customer Engagement at Validity, explains why we should be embracing tighter regulations and how adhering to best practices can ensure businesses experience all the benefits.

Benefits of regulation

Guy Hanson, VP Customer Engagement at Validity

In the run-up to GDPR’s introduction in 2018, there was initial concern among marketers that stricter regulations would negatively impact marketing campaigns. Email marketers were especially fearful, as GDPR (in conjunction with PECR) required use of active opt-in, it significantly raised the bar for signing up new subscribers, and also required re-permissioning of existing subscribers whose consent did not meet the new standards.

However, a series of reports by the Data and Marketing Association (DMA) clearly shows the companies who embraced the tighter regulations have benefitted. For example, in 2019 – only a year after GDPR was introduced – the DMA’s Marketer Email Tracker report found the majority of email marketers saw uplifts against all major KPIs, including deliverability (67%), open rates (74%), click-through rates (75%), and conversion rates (67%). 

While this initial uplift in email performance was welcomed, the underlying reason was simple enough. While marketers were concerned about smaller email lists, many of the subscribers they lost were their least engaged ones. Once they were removed, only those who had actively chosen to opt in and engage remained. GDPR effectively acted as a prompt to thoroughly cleanse subscriber lists and start afresh.

This encouraging momentum was not a once-off event, and a more recent DMA report shows marketers continue to see positive increases for all key email metrics. Nearly half (48%) agree GDPR has improved data quality and email metrics (32%) with only a small minority reporting a decline. Importantly, post-GDPR ‘Mailable list sizes’ are growing again (58%), while ‘Spam complaints’ have reduced for most (62%) businesses.

How to embrace GDPR and thrive

Despite GDPR’s clear benefits, there are still many businesses whose customers are clicking the ‘Spam’ button, or even reporting them to the regulators. A recent example in the financial services industry saw American Express fined £90,000 by the UK’s Information Commissioner’s Office (ICO) for sending more than four million unwanted marketing emails.

Given that the financial sector is faced with more rigorous regulation anyway, it is crucial for these firms to follow GDPR’s rules diligently and maintain their reputation and consumer trust by doing so. 

The fines issued by the ICO to American Express, Papa John’s and the Conservative Party have one theme in common, and that is consent – or rather in all three cases, the lack of consent, and/or the ability to prove consent had been provided! As mentioned earlier, GDPR requires positive consent for marketing emails from subscribers, but there have been many instances where ‘consent’ has been misunderstood. 

Papa John’s believed soft opt-in meant they had consent to use email addresses provided when customers had placed orders (which is true), but failed in its obligation to also notify customers they can opt out from receiving marketing emails. 

The Conservative Party also fell afoul of GDPR’s consent requirement. Following a change of email service provider, the database of previous opt-outs was not transferred over correctly, and the Party then emailed people who had previously opted-out, and/or for whom they could not provide proof consent had been provided. 

In American Express’ case, the company believed it was sending service emails (which do not require consent), but the ICO ruled they were marketing emails (which do require consent). 

These recent cases make it clear the ICO is now more intent on penalising failures to observe the process, in addition to more high-profile breaches. The priority for financial organisations (or indeed any business) is to avoid punitive fines by erring on the side of caution when it comes to consent. This means continually reassessing customer data for accuracy, responding promptly to unsubscribe requests, and suppressing unengaged subscribers. But it also means ensuring the requirements for consent are fully understood, across organisations, and what types of communications it applies to.

The bottom line

The first three years of GDPR show regulatory bodies are fully prepared to enforce punitive measures on bad actors. However, it is reassuring that companies who have proactively complied with the regulations are benefitting from a positive impact on their marketing campaigns. In fact, 59% of marketers would like to see “more strict” data protection policy in the UK!

Although there have been high-profile examples of fines and regulatory pressure, there is plenty of evidence to demonstrate tighter regulations have been good for brands and consumers. Further regulatory changes and adaptations will inevitably follow, but GDPR shows businesses shouldn’t necessarily view them as a hindrance to successful performance.


  • Polly is a journalist, content creator and general opinion holder from North Wales. She has written for a number of publications, usually hovering around the topics of fintech, tech, lifestyle and body positivity.

Related posts

Paymob Expands Horizons to the UAE

Tom Bleach

Behind the Idea: Paysafe

Tyler Pathe

Mobile Wallets To Be Adopted by Over One-Third of Global Population by 2024

Tyler Pathe