GDPR, the General Data Protection Regulation, which regulates the processing and use of European data, has been in force for nearly a year now. It is timely to look at its impact so far, and see what lies in store for other parts of the world. In fact, most developed countries already have some kind of data protection law in place.
Firstly, just a quick reminder of the main principles of GDPR:
- Data subjects now have control over the use of their data
- Consent is usually but not always required – and notice and choice is always needed
- Data controllers must be transparent over usage – and consent must be freely given, unambiguous, and not onerous for the data subject
- Data subjects have the right of access, and usually the right to be forgotten
- Fines can be heavy – up to 4% of the data controllers’ annual global revenue
So how is this working out in practice? Here are my three main conclusions so far.
- Everyone is paying attention
Whether it was the long run up to GDPR, media attention, the size of the potential fines, the emergence of a GDPR industrial complex, or all of the above, one thing is for sure – a high level of awareness has translated into compliance action by most organizations.
How much of this is lip-service, or “flying under the radar”, at this point is hard to tell. “GDPR compliant” has become an overused and perhaps unsubstantiated claim by some. But, on the whole, much has been done to review data flows, organize compliance processes, and update privacy policies – and practice.
What about consumers? The CMO Council has found that 57% of consumers claim to have a deeper understanding of how companies use their data. On the other hand, 65% said GDPR made no difference at all on their brand experiences. Perhaps that is good news given all those annoying opt-in requests sent out before May last year.
- Still a work in progress – with some surprises
Even though most businesses have a plan in place, it is perhaps not surprising that many are still following a “wait and see” policy to determine whether their approach has to be tightened up or perhaps loosened. On the whole, the big companies – who see themselves as prime targets – have adopted a conservative approach, even in the business-to-business context, while smaller companies are looking at things the other way around. Only when more cases come up before the various country Information Commissioners will things become, we hope, a bit clearer.
While the large €50 million fine imposed on Google by the French Information Commissioner for an inadequate consent process has been heavily publicized, it is a recent penalty from Poland of a mere €220,000 that has attracted a lot of attention in the data protection community. A company with over six million consumer records used the justification of Legitimate Interest for storing and handling this data – and that requires giving individuals “notice and choice”. The data subject has to be told that their information is being held, and given the chance to opt out. But the company only gave notice and choice to those data subjects for whom it had an email address. It claimed that the effort to inform the remainder would be “disproportionate” – in theory an acceptable reason under the regulation – because of the cost involved. The Polish authorities said that cost should not be a factor because the company had access to postal records. So now, as well as paying the fine, the company has to decide whether a mailing makes commercial and financial sense. They only had 90,000 emails out of the six million records – and 12,000 of those opted out.
How will such cases be decided in future?
- Impact on marketers
Firstly, let's remind ourselves that in Europe – and many other places as well – GDPR is only part of the story. There are also regulations around digital marketing – in Europe known as ePrivacy regulations. At the moment these differ somewhat from country to country, but a new directive is expected later this year or in 2020 which will harmonize the laws.
In other words, as a generalization, GDPR dictates how you can lawfully store and process data in the first place. ePrivacy mandates how you can use it in the digital marketplace.
Here are two main marketing consequences of GDPR so far.
- Because you cannot “grandfather” GDPR compliance, the use of third-party data is harder. Essentially you have to undertake your own justification. Think of compliance as a supply chain step, not a one-off event.
- This means a move towards “pull” rather than “push” marketing – and inevitably more reliance on web optimization, search, and programmatic advertising. Although the latter is also now under scrutiny in the UK and elsewhere, guess who is benefitting from these trends? Google, of course. I wonder if that is what the EU officials had in mind.
While the world watches, how can you prepare for GDPR-like laws?
It is likely that your country already addresses data protection and privacy in some form or other, but that may well be extended in the next few months or years to incorporate the key GDPR principle that the data subject has control over their own information. That is certainly true of the new law coming into effect in California next year – the CCPA.
How can you prepare in advance even though you may not be certain of what is ahead?
Here are five actions, based on GDPR experience, that will serve you well.
- Keep track of actual and prospective legislation in your country at the national and local level
- Consider appointing a Data Protection Officer – required in Europe for big companies – who can lead the charge
- Carry out an Impact Assessment to see what effect new regulations might have on your business – marketing, HR, finance, and customer service
- Audit the data flows within your business so that you know exactly where data sits, for how long, and what it is used for. Strong data governance processes are crucial for compliance
- Create a cross-functional “tiger team” under the leadership of the DPO that is prepared and ready to act and will represent all aspects of your business.
Finally, remember that data protection has to become part of your organization’s culture. So internal communication, training, and leadership from the top are vital.
For any legal privacy and GDPR-specific compliance advice, please contact a qualified attorney.