In the two years since the General Data Protection Regulation (GDPR) was made law, it’s been the subject of intense conversation, wild conjecture and in some cases, broad misconceptions.
GDPR is a sweeping set of new data privacy rules that govern the handling of EU members’ data no matter where it occurs. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.
Compliance solutions have been proliferating like rabbits, and in the past couple of months, big data-based companies like Google and Facebook have offered their plans for GDPR — plans that have been met with no shortage of controversy.
But throughout all the confusion in the runup to today, one fact remained incontrovertible: that on May 25, 2018, GDPR would become enforceable. And so, today it is.
Even though it feels like the end of a race, it’s really just the start.
Jessica B. Lee, a lawyer in advanced media and technology at Loeb & Loeb, says we will now see enforcement of the regulation — which in turn will help shape companies’ compliance efforts.
“For most companies, May 25 is just the beginning,” Loeb said. “There will be enforcement, additional guidance, and lessons learned from putting new policies in place. I anticipate we are several months (and that may be generous) away from this becoming normalized.”
Lee sees enforcement as a necessary step to clarification on compliance. Though unfortunate for any companies that find themselves in the crosshairs, she notes “…enforcements may be helpful in providing some color to the gray areas that remain under the GDPR. Particularly for the ad tech and martech industries, there is still a lot of frustration at the lack of clarity in certain areas. Enforcement actions may clear some of that confusion.” She added specifically that “We may gain additional insights on the use of legitimate interests as a lawful basis for certain advertising/marketing activities.”
Fear of that €20 million fine drives much of the concern by platforms and publishers. But Venkat Rangan, chief technology officer of AI sales company Clari, says enforcement of financial penalties will not be immediate. He asserts regulators are more interested in providing incentives for correction than administering fines – especially for minor violations, noting “The regulators have already said that they will evaluate each case carefully and provide incentives for minor violations to be corrected, and not focus on levying fines,” adding that “the UK Information Commission’s office has stated publicly: ‘But it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.’”
Another gating factor that minimizes the chances of an all-out assault on non-compliant companies is the availability of enforcement resources. Rangan suggests:
Regulators will be ready to receive complaints from the supervisory authorities, but will not be ready to do the investigation and determine the extent of an infringement. This will lead to a large backlog of cases, and only the top ones will be prioritized for further action.
The last number of months have been especially frenetic — with companies across the spectrum of products and services suddenly rushing to address today’s deadline. Travis Ruff, chief information security officer at customer data platform (CDP) Amperity, says no one can really predict what will happen — until enforcement kicks in.
While organizations have spent billions of dollars becoming “GDPR-compliant” in the past year, no one really knows what that means. Consultants, advisors and lawyers all believe that they had the answer, and many positive changes regarding privacy have been put in place, however, there is no answer as to if it was enough. Until the first regulatory actions are executed … or the first lawsuit is brought and resolved, there is no way to know.
Ruff echoes Lee’s sentiment that clarity will only come from the first (unfortunate) examples of non-compliance and recommends that “The best thing we can do now is pay attention to the real repercussions of GDPR, and hope we can learn from others.”
Roles and responsibilities will come into clearer focus
One area in particular that remains a point of disagreement among martech and adtech providers and publishers is the question of who is a controller and who is a processor. The distinction is important when it comes to full compliance. Rangan said that now that GDPR is in full force, the relationship between these key roles will take shape. He anticipates “As the realities of GDPR compliance sink in, most enterprises will struggle to get a firm handle on how to transfer their responsibilities as a data controller to their data processors. Many have crafted specific data processing addendums to codify what they as a controller expect from a processor.” He warns that “in the rush to get these agreements executed, invariably a few critical areas (such as whether consent is properly obtained before processing) will be missed, and we can anticipate a significant uptick in maneuvering between companies.”
The uncertainty around interpretation of many of the GDPR articles leaves marketers to determine their own “version” of compliance. As a result, Rob Glickman, chief marketing officer of CDP Treasure Data, said marketers will be challenged. “It’s going to take a while for issues of doubt to be made clear. The potential of administrative reviews and stiff fines from GDPR will cause many to tread lightly.”
Compounding the problem of uncertainty around implementation is the uncertainty around enforcement. Glickman notes, “No one knows how strict the new European Data Protection Board (EDPB) will be with companies that run afoul of the new law. And, if that’s not enough uncertainty, consideration must be given to local EU data protection authorities — who may not all act in the same manner. Taken together, there’s plenty to keep marketers up at night.”
But Glickman says it will also be an opportunity for marketers.
But marketers, by nature, are not a cautious lot. They tend to be fearless, not fearful. Marketers need to be bold in order to seize opportunities in today’s hyper-competitive, ever-changing marketplace. That confidence cannot be shaken. It’s crucial that marketers trust that their teams have prepared properly for GDPR and are ready to learn from mistakes – theirs and others. Marketers are at a watershed moment — striving to deliver hyper-personalized experiences to consumers while simultaneously respecting and protecting their privacy.
There are more rules to come
Now that GDPR has become law, the EU’s new e-Privacy regulation is right behind it. The companion data privacy rule is focused on electronic communication.
“For the ad tech and martech companies, lurking behind the GDPR is the new e-Privacy regulation,” Loeb & Loeb’s Lee said. “Once the GDPR hysteria (hopefully) subsides, we will need to address the implications of that regulation, which is arguably poised to have a larger impact on this industry than the GDPR.”
Maciej Zawadziński, chief executive officer of marketing software house Clearcode and marketing platform Piwik PRO, said that the response of data protection authorities (DPAs) to GDPR will have an impact on the ePrivacy regulation, which is now in draft form but is expected to be approved by the end of this year.
ePrivacy will be the “lex specialis” of the GDPR, meaning that when the two regulations cover the same situation or when a case isn’t specified in the GDPR, ePrivacy will take precedence. A lot could change when it comes into force.
We should also observe how other regulators react. There are predictions that GDPR will go global. Countries signing trade agreements with the EU will be required to introduce measures similar to GDPR laws. In the US, the Consent Act is being prepared. For those already striving for full compliance, we just have to patiently observe the DPA and do our best to comply with the letter of the law.
We’re at a turning point
Jenn Horner, email strategist at DEG, said that GDPR will usher in a sea change for marketers. “Five years from now, we’ll look back on the enforcement of GDPR as the turning point in how we view data protection. Between the tightened definitions and enforcement under GDPR and the consumer backlash from the Cambridge Analytica data scandal, everyone is becoming more aware of what data is available for possession and how it is used.”
The United States is already seeing steps toward state legislatures enforcing how consumers’ personal data is used, with bills in committee such as the Data Broker Protection Act in Vermont and the Consent Act led by senators in Massachusetts and Connecticut. Meaning this discussion isn’t going anywhere soon.
Better or worse?
Mac Delaney, Merkle’s SVP media investment and innovation, sees the GDPR era as a net positive for marketers. “There is much discussion around whether GDPR will negatively impact how businesses market, as if marketing is suddenly taking a step backward. The fact of the matter is – the future of advertising is people-based and GDPR actually validates that.”
While many in martech and adtech have questioned whether GDPR will make advertising and marketing a worse experience for customers, Delaney concludes the opposite, “Modern marketing requires marketers to use data to be relevant, and this gets even better with PII. GDPR fills in all the grey space that had previously been filled with various entities’ interpretations of how data driven should work and how best to target users. These new regulations now put the control back in the hands of the user/person. When people-based is truly at scale, it will be the highest form (from a quality perspective) of advertising in history.”
Though no one anticipates an immediate wave of enforcements, there will certainly be some. The e-Privacy regulation will come into play. And data privacy will continue to be a source of discussion for some time to come.