
Sunday, March 3, 2019

Impact of the GDPR After Almost a Year

I wrote about the GDPR just before it went into effect. Almost a year has passed and it’s time to look at the actual impact it is having.

How Important is the GDPR 10 Months In?

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. That statement is from the EU’s own information portal, which goes on to say that “the regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.” What that statement doesn’t say is that it will also fundamentally reshape the way in which data is handled in countries outside the EU, including the US. If you want a quick overview of the sweeping changes mandated by this law, see the Key Changes page on this site. An earlier post reviewed the implications of the law from the perspective of US brands.

What Are the Main Issues of GDPR Compliance?

The GDPR mandates a strong set of protections for consumers and their data, as shown in a section of the original infographic. Publishers were expected to comply with these requirements by the time the law went into effect.
Infographic: https://www.pinterest.com/pin/342273640423081936/

The GDPR took effect in May 2018, so its impact on marketing organizations is becoming clear. In order to plan their compliance with the GDPR, organizations were advised to:

• Conduct a complete audit to find out how much customer data was collected throughout the organization. Most were surprised by how many data items were being collected and how many different groups in the organization were collecting them.
    o This led to the identification of much ROT (redundant, obsolete and trivial) data. By one estimate 70% of data in most organizations is ROT and should be eliminated.
• Appoint a data protection officer. That is a requirement of the law.
• Review and update privacy policies and statements. That includes an assessment of how permission is obtained and managed.
• Review data security policies for compliance with the law. That includes not only keeping customer data safe but also making it accessible to review and correct.
• Have procedures in place to promptly report data breaches.
• Make sure that everyone in the organization who has any contact with data is fully informed about GDPR requirements.

This short list indicates that compliance with GDPR is no small issue. As stated in the earlier post, most companies were not prepared and have had to spend the last 10 months scrambling to catch up.

What Happened When the GDPR Was Implemented?

As had been predicted since its passage, relatively few businesses were fully compliant when the law went into effect in May 2018. As the eMarketer chart shows, it may not be surprising that the US had the fewest firms that were fully compliant and the most that hadn’t even started.

My personal favorite headline: “Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law,” from Gizmodo. Since then:

• France fined Google $50 million for violating requirements for obtaining explicit consent.
• The EU fined Google $5 billion for anti-competitive activities involving the way in which it required manufacturers to install Google apps on Android phones.
• Germany alone has issued 41 smaller fines charging Google with various GDPR violations.
• Facebook was fined $644,000 for leaking data in the Cambridge Analytica scandal.
• A data breach that affected the access tokens of more than 50 million Facebook users could result in a fine of $1.63 billion.
• In February 2019 ITPro reported that Facebook was the subject of 10 major GDPR investigations.

The amounts of the potential fines vary by type and location. The largest can be $23.6 million at the time of writing or 4% of total worldwide annual turnover (sales). That means potential fines in the billions of dollars. Smaller companies obviously will not face fines of this magnitude, but the fines they do face can still be devastating. Perhaps even more important for small firms, they do not have the legal and IT resources the larger businesses can rally to comply with the law and to fight charges of violations.

The effect of GDPR is felt in more ways than fines, and some of those could have major impact on marketing activities. Digiday lists 5 marketing impacts and has charts to support them. They are:

1. The use of third-party cookies has decreased. The study covered only news sites.
2. Marketers are concerned that their martech applications may not be compliant with the requirements.
3. Contextual targeting has increased due to issues of using third-party targeting data.
4. Smaller companies, including techs, are struggling with the requirements.
5. US publishers are still holding back, waiting to assess the impact of the law.

Business applications that depend on AI, from self-driving cars to customer service, may find their efforts frustrated by data issues. Innovation across the board could be inhibited. Digital business models may be invalidated.

Customers may find the opt-in requirements frustrating and may see free services, supported by their data at present, disappear. At the same time, customers are becoming more aware of privacy issues and the value of their data.

The GDPR may stimulate more data protection efforts. California and Vermont have already passed data privacy laws that have broad implications. These efforts may affect consumers and data protection efforts in other states. Tech companies and publishers alike would find it difficult to comply with a patchwork of different laws in different states.

What Does the GDPR Future Hold?

The only thing that seems entirely clear is that there are potential positive impacts of GDPR and potential negative impacts for both business and consumers.

EU Competition Commissioner Margrethe Vestager has strong words for consumers: "There is no such thing as a free lunch. You pay with one currency or another—either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value."

A European security publication has another great headline that pretty much sums it up in these early days: “The Future of GDPR - Dead, Diluted, Detested or Accepted?” It could die “a slow, bureaucratic death,” be modified by the regulatory agencies, become the focus of voter ire, or gradually become an accepted part of the regulatory landscape, seen as necessary, perhaps even desirable.

So the future is unclear with many battles to be fought on behalf of both businesses and the public. One thing is clear: it would be a great step forward if the discussion of data privacy issues could begin with the best interests of consumers and society as the central focus, but that may be too much to expect.

In this context it might be useful to review earlier posts about the data-related issues faced by the duopoly:
Facebook
Google

Related Updates:
Amazon also under scrutiny about use of partner data
Results after a year from Slate
Pros and cons from CNBC
Where GDPR goes from here
Cookie use, email marketing and PECR

Sunday, October 29, 2017

How the General Data Protection Regulation (GDPR) Will Impact U.S. Companies

GDPR website: http://ec.europa.eu/justice/data-protection/index_en.htm
The European Union’s 1995 Privacy Directive had strong protection for the privacy of personal data for EU residents and the movement of data across borders. The directive required all EU nations to establish their own laws under its framework. All companies with businesses that collect EU customer data, wherever they were headquartered, were covered by its provisions. The US and the EU established a Safe Harbor agreement to certify that US member companies were complying with EU regulations. The 1995 directive provided strong privacy regulation for many years but now that is changing.

What is the GDPR?

In 2016 the EU passed the GDPR with an effective date of May 2018. The regulation updates the existing procedures under the 1995 directive. Most important, it is a regulation with the force of law, not a directive that directs member states to establish laws. Industry group Third Certainty (so named because observers believe that today’s third certainty, after the traditional death and taxes, is identity theft) describes the regulation as follows:

GDPR isn’t a suggestion that companies institute best practices for customer data privacy; it is a directive that could result in fines of €20 million or up to 4 percent of annual global turnover. Not only will all companies in the EU be required to meet the new regulations, but GDPR also is in effect for all organizations that hold or process the data of customers who live in the EU.

In addition, the GDPR site identifies major changes as:
•    The unambiguous inclusion of all companies that process the data of people residing in the EU no matter where the companies are located.
•    Consent to be obtained in a clear and accessible way, free of legalese, and the purpose for processing the data must be explained. It must be as easy to withdraw consent as it is to give it.
•    Data breaches to be revealed within 72 hours of the company first being aware of the breach. Data processors are also required to notify of breaches without undue delay when they become aware of the breach.

According to the Information Commissioner’s Office in the UK the rights of individual data subjects are:
•    Right to be informed by means of privacy notices
•    Right of access to their data and information about how it is being processed
•    Right to rectification of inaccurate or incomplete data
•    Right to erasure of data where there is no compelling reason for continued processing
•    Right to restrict processing of personal data
•    Right to data portability, allowing subjects to move, copy or transfer personal data easily from one IT environment to another.
•    Right to object to certain types of processing
•    Rights related to automated decision making and profiling that protect against potentially damaging decisions made without human intervention.
Cookie Notice from https://ico.org.uk/

The ICO Guide has more detail on these provisions and a “What’s New” page that highlights ongoing analysis. Notice that this information is being provided for UK organizations post-Brexit on a site that uses one type of cookie notification. The home page of the Financial Times shows another type of notification that is being used under the provisions of the regulation. Notice that this is the U.S. edition of the London-based publication, and it shows the same notification as the U.K. and World editions.
Cookies Notice from https://www.ft.com/world/us
The individual rights under GDPR are based on the Fair Information Practices Principles discussed in Chapter 17. These specific rights update the 1995 directive by being clearer and more specific.

How Should U.S. Companies Prepare for the GDPR?

It seems the question should really be, “Are U.S. companies preparing for the GDPR?” A study by NTT Security, quoted by Thomson Reuters, found that many decision makers around the world were unaware of the regulation and how it would affect them. Switzerland had the highest preparedness level, with 58% of businesses prepared. The U.S. had the lowest level of awareness of the regulation, with only 25% of companies believing the regulation would affect them.

The Thomson Reuters post says that the regulation:

“attaches to any data concerning an individual residing or present in the EU. Thus, if data is connected to an individual in the EU, the GDPR applies — regardless of where such data is processed.” They add that it requires that “organizations be able to justify their reasons for holding or processing every piece of data in their possession.”

Those are sweeping statements, especially in view of the large fines that can result from non-compliance. Steps that U.S. firms should take to comply are outlined by Information Week:

•    Determine whether the firm is a controller, a processor or both. A controller is the entity that determines the purposes and conditions under which personal data will be processed. Since processing includes anything as basic as collecting and storing data, any brand that collects personal data is a controller. That definition is the same as under the 1995 directive. The definition of a processor also does not change; a processor is an entity that processes personal data for a controller. Both controller and processor(s) are responsible for compliance with the GDPR, but primary responsibility lies with the controller.

•    Audit personal data to ensure that there is a single view of each data subject. This is necessary to be able to “forget” a data subject under the regulation.

This can be a huge task, but Steve Forde of Britain’s ITV advocates viewing it as an opportunity. He finds 3 principles of data collection—transparency, control and value exchange—to be essential in creating trust with customers. Preparing for GDPR is a way to instill this philosophy throughout the organization with the result that customer trust should increase.

•    Redesign what consent looks like for your customers. They must explicitly consent to each use of their data; pre-checked boxes or opt-out requirements are not adequate. The range of data covered and special issues like collecting data from children have been made tighter and more explicit under the regulation.

•    Audit service providers to ensure they meet the requirements for processors. Otherwise the processing they do for a U.S. firm on its data for European subjects will be illegal.

•    Other requirements, such as choosing a member state as the supervisory authority, appointing a data protection officer and locating data centers, are legal or technical in nature, but marketers need to be sure that all requirements are being met. Failure to do so could result in loss of access to data of European subjects, everything from contact information to CRM data. For many U.S. brands, that could mean a significant loss of business.

What is the Role of Privacy Shield?

Privacy Shield prototype
Under the 1995 directive, the Safe Harbor program certified that U.S. companies were compliant with its provisions. That compliance framework has been superseded by the Privacy Shield program. Developed by the Department of Commerce, the service is open to all organizations that are under the jurisdiction of the FTC or the DOT. The framework allows companies to self-certify that they have met the requirements of the GDPR for both the E.U. and the separate Swiss framework.

Companies that wish to certify must have a Privacy Policy that is compliant with the GDPR. Current privacy policies will not conform to the new requirements, which are essentially the rights of individual data subjects listed above. The company must provide an independent recourse mechanism from an approved list that includes agencies like the Better Business Bureau and TRUSTe. The company must provide for verification of its compliance and designate a contact for the Privacy Shield program. Companies that certify under the Privacy Shield program will automatically be removed from Safe Harbor and must remove all references to it from their privacy policy and website.

U.S. Companies Should Move Quickly to Comply with the GDPR.

If this all sounds like a great deal of work, it is. At the same time, remember the advice of Steve Forde from ITV. Trust is essential to ecommerce businesses and being transparent about the way a brand handles the personal data of its customers helps create that trust.

So the best advice to U.S. companies is to move quickly so they do not lose access to the data of their E.U. customers and to do so in a way that creates trust with their customers all over the world.

See the infographic here

Related Updates

Post-cookie (also called zero data) advertising
Privacy attitudes vary by country
Businesses still not ready for GDPR with EU consumer data
Analysis from HBR
How the GDPR is affecting advertising
Look-alike audiences under GDPR
ePrivacy regulation is a broader approach
Important French ruling on partners and data privacy