Sunday, March 3, 2019

Impact of the GDPR After Almost a Year

I wrote about the GDPR just before it went into effect. Almost a year has passed and it’s time to look at the actual impact it is having.

How Important is the GDPR 10 Months In?

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. That statement is from the EU’s own information portal, which goes on to say that “The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.” What that statement doesn’t say is that it will also fundamentally reshape the way in which data is handled in countries outside the EU, including the US. If you want a quick overview of the sweeping changes mandated by this law, see the Key Changes page on this site. An earlier post reviewed the implications of the law from the perspective of US brands.

What Are the Main Issues of GDPR Compliance?

The GDPR mandates a strong set of protections for consumers and their data, as shown in a section of the original infographic. Publishers were expected to comply with these requirements by the time the law went into effect.
https://www.pinterest.com/pin/342273640423081936/

The GDPR took effect in May 2018, so its impact on marketing organizations is becoming clear. In order to plan their compliance with the GDPR, organizations were advised to:

• Conduct a complete audit to find out how much customer data was collected throughout the organization. Most were surprised by how many data items were being collected and how many different groups in the organization were collecting them.
    o This led to the identification of much ROT (redundant, obsolete and trivial) data. By one estimate, 70% of data in most organizations is ROT and should be eliminated.
• Appoint a data protection officer. That is a requirement of the law.
• Review and update privacy policies and statements. That includes an assessment of how permission is obtained and managed.
• Review data security policies for compliance with the law. That includes not only keeping customer data safe but also making it accessible to review and correct.
• Have procedures in place to promptly report data breaches.
• Make sure that everyone in the organization who has any contact with data is fully informed about GDPR requirements.

This short list indicates that compliance with GDPR is no small issue. As stated in the earlier post, most companies were not prepared and have had to spend the last 10 months scrambling to catch up.

What Happened When the GDPR Was Implemented?

As had been predicted since its passage, relatively few businesses were fully compliant when the law went into effect in May 2018. As shown in the eMarketer chart, it may not be surprising that the fewest firms in the US were fully compliant and the most hadn’t even started.

My personal favorite headline: “Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law,” from Gizmodo. Since then:

• France fined Google $50 million for violating requirements for obtaining explicit consent.
• The EU fined Google $5 billion for anti-competitive activities involving the way in which it required manufacturers to install Google apps on Android phones.
• Germany alone has issued 41 smaller fines charging Google with various GDPR violations.
• Facebook was fined $644,000 for leaking data in the Cambridge Analytica scandal.
• A data breach that affected the access tokens of more than 50 million Facebook users could result in a fine of $1.63 billion.
• In February 2019 ITPro reported that Facebook was the subject of 10 major GDPR investigations.

The amounts of the potential fines vary by type and location. The largest can be $23.6 million at the time of writing or 4% of the total worldwide annual turnover (sales). That accounts for potential fines in the billions of dollars. Smaller companies obviously will not face fines of this magnitude but they can still be devastating. Perhaps even more important for small firms, they do not have the legal and IT resources the larger businesses can rally to comply with the law and to fight charges of violations.

The effect of GDPR is felt in more ways than fines, and some of those could have major impact on marketing activities. Digiday lists 5 marketing impacts and has charts to support them. They are:

1. The use of third-party cookies has decreased. The study covered only news sites.
2. Marketers are concerned that their martech applications may not be compliant with the requirements.
3. Contextual targeting has increased due to issues of using third-party targeting data.
4. Smaller companies, including techs, are struggling with the requirements.
5. US publishers are still holding back, waiting to assess the impact of the law.

Business applications that depend on AI, from self-driving cars to customer service, may find their efforts frustrated by data issues. Innovation across the board could be inhibited. Digital business models may be invalidated.

Customers may find the opt-in requirements frustrating and may see free services, supported by their data at present, disappear. At the same time, customers are becoming more aware of privacy issues and the value of their data.

The GDPR may stimulate more data protection efforts. California and Vermont have already passed data privacy laws that have broad implications. These efforts may affect consumers and data protection efforts in other states. Tech companies and publishers alike would find it difficult to comply with a patchwork of different laws in different states.

What Does the GDPR Future Hold?

The only thing that seems entirely clear is that there are potential positive impacts of GDPR and potential negative impacts for both business and consumers.

EU Competition Commissioner Margrethe Vestager has strong words for consumers: "There is no such thing as a free lunch. You pay with one currency or another—either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value."

A European security publication has another great headline that pretty much sums it up in these early days: “The Future of GDPR - Dead, Diluted, Detested or Accepted?” It could die “a slow, bureaucratic death,” be modified by the regulatory agencies, become the focus of voter ire, or gradually become an accepted part of the regulatory landscape, seen as necessary, perhaps even desirable.

So the future is unclear with many battles to be fought on behalf of both businesses and the public. One thing is clear: it would be a great step forward if the discussion of data privacy issues could begin with the best interests of consumers and society as the central focus, but that may be too much to expect.

In this context it might be useful to review earlier posts about the data-related issues faced by the duopoly:
Facebook
Google

Related Updates:
Amazon also under scrutiny about use of partner data
Results after a year from Slate
Pros and cons from CNBC
Where GDPR goes from here
Cookie use, email marketing and PECR