GDPR Four Years On | Redefining Relationships with Consumers

Nearly four years on from the introduction of GDPR, the relationship between business and consumer has radically changed, according to John Mitchison, Director of Policy and Compliance at the Data & Marketing Association (DMA).

Mitchison says the advent of GDPR addressed an imbalance with regard to how businesses viewed the collection and use of consumer data and redefined organizational approaches to compliance and transparency.

“Prior to GDPR, companies had always viewed data as their own asset, something that was theirs and they did whatever they wanted with it,” he says.

“GDPR flipped the data protection regime on its head, changed the relationship a great deal and put the individual firmly at the heart of everything the data operator does.”

Mitchison believes the initial furore of GDPR implementation created an urgency among organizations and firmly reinforced the importance of responsible data use.

A Big Eye-opener for Organizations

“The first thing that organizations had to do was look at how they were really using data,” he explains. “They all had to get to grips with what data they had, conduct mapping exercises and establish what goes where and how to use it.”

“This was a big eye-opener for a lot of organisations, as many didn’t really know what was going on.”

Placing the onus on businesses to engage with consumers and outline how they plan to use data also sparked a new wave of interest in data privacy.

During that period, incidents such as the Cambridge Analytica scandal and a myriad of high-profile data breaches placed the issues of data protection and privacy into the public sphere. This, combined with increased coverage of GDPR-related issues, created a heightened level of consumer awareness.

“GDPR brought these issues into everybody’s eyeline, and there’s been a lot of intense discussion about this. The Max Schrems case or the Cambridge Analytica affair raised eyebrows and, as a result of that, people are more aware,” he says.

Increasingly, Mitchison believes, consumers now view trust and transparency as a key issue when engaging with brands and organisations.

In a recent study from the Global Data & Marketing Alliance, more than one-third of respondents agreed that trust in an organization is the “most important factor” when considering whether to share data.

Similarly, a 2020 report from McKinsey found that a vast majority (87%) of respondents would not engage with a company if they had concerns about security. Nearly three-quarters also revealed that they would stop doing business with a company entirely if it gave away sensitive data without permission.

GDPR Four Years On

Four years on, the political landscape has shifted, and Britain’s exit from the European Union presents organizations with fresh challenges in terms of compliance.

However, there is an opportunity for Britain to make meaningful, practical changes to data protection regulations, Mitchison believes. The recent DCMS consultation, titled ‘Data: A New Direction’, offers an exciting glimpse into how Britain could overhaul its data protection regime and enable organizations to harness data more effectively.

“This means we could potentially tweak data protection legislation to meet our needs much more precisely,” he says. “There’s an interesting potential here for sure.”

This changing landscape means organizations are faced with a growing – and at times confusing – raft of regulations, guidelines and codes of practice.

From GDPR to ICO regulations and industry-led guidance, organizations can find themselves mired in a seemingly never-ending quagmire of red tape. As such, Mitchison says it is critical to understand how these frameworks interact, align, and supersede one another.

“There is a lot of uncertainty here. You can go to the government for guidance and look up legislation or draw from ICO guidance. The DMA also has its own code of practice,” he explains.

“Some of these things appear to conflict or say different things, and that makes it incredibly difficult for people,” Mitchison adds.

A Hierarchy of Codes

In response, the DMA has established a ‘Hierarchy of Codes’ that businesses can refer to and ensure they are on the right track with regard to data privacy compliance. This hierarchy includes information on legislation, codes of conduct, best practice guidelines and critical advice for data handlers.

At the top of this hierarchy is the DMA code, he explains. The code is an ethical framework, the overarching principle of which is to ‘Put The Customer First’.

Amidst a period of uncertainty and with a privacy-conscious public, Mitchison believes the code gives organizations crucial advice and enables them to harness data in a responsible manner.

If in doubt, always follow a principles-based approach.

“It’s not always a clear-cut situation with data privacy,” he says. “Sometimes it’s wise to observe things from a higher level and think about things deeper.”

“We’re operating in a very unusual time and the reality is that nobody has all of the answers all of the time, so you do often have to revert back to basic principles and ethics.”

This ties into the initial culture change that GDPR sparked, Mitchison believes; the idea that behind every bit of data is a person. And companies should acknowledge and respect this.

“When we talk about data we are talking about people, and that often gets lost. People use the word ‘data’ as if it’s any other ingredient or raw material,” he says.

“Fundamentally, businesses should approach this as treating people how you think they should be treated.”

Data Protection Summit | Join the Conversation

John Mitchison will discuss ethical data use and the DMA’s Hierarchy of Codes at the Data Protection Scotland Summit, held live and in-person on 24th March.

For information on how to register a free place, please visit:
