The 25th May 2020 marked the second anniversary of the General Data Protection Regulation or GDPR as it is better known. Prior to its introduction in 2018, marketing teams spent considerable time and effort auditing their data to ensure they complied with the new Regulation. In this article, we will look at some of the key learnings from GDPR’s first two years in operation.
The importance of accountability
One of the core principles of the GDPR is accountability. Under this principle, companies must be able to demonstrate compliance in a tangible way. This takes many forms: for example, clear retention schedules, detailed audits of existing data flows, and documented processes that are adhered to and widely understood across the organisation. Processes can always be improved or expanded upon, but those organisations that cannot at least demonstrate an ongoing effort to comply with GDPR will be most liable for fines in the event of a data breach.
Growing consumer awareness
Consumers are more aware of their data privacy rights. A total of 7,215 complaints were received by Ireland’s Data Protection Commission (DPC) in 2019, according to its annual report. This represents a 75% increase year on year. Data breach reporting, meanwhile, saw a 71% increase on 2018.
Marketers and the brands they work for will come under more pressure to demonstrate transparency in how they obtain and process data. Those firms that can do so will benefit from increased levels of consumer trust.
Training is key
Many firms treated GDPR training as a once-off, a preparatory requirement as the Regulation’s launch date approached. Continual training is needed for a number of reasons:
- Human error is one of the key reasons for data breaches.
- The churn in many industries, but particularly in marketing, means that companies are constantly hiring new staff.
- Existing staff benefit from refresher training to keep data privacy top of mind.
- To keep data protection a core priority across all levels of the organisation.
Criticism of the AdTech Model
The current advertising technology or AdTech model is under threat. Regulators in a number of European countries have prioritised a focus on this technology. At its core is a concern that AdTech lacks transparency in how personal data is shared with and processed by third party suppliers. Britain’s Information Commissioner’s Office has been one of the most vocal critics over the past 18 months. A similar stance has been taken by the French regulator. Compounding this, privacy experts such as Dr Johnny Ryan and Dr Augustine Fou have highlighted potentially massive levels of ad fraud related to programmatic and real-time bidding.
This focus on AdTech will remain through 2020. It may spur the sector to continue its slow move away from a reliance on website cookies to track and profile consumers.
The potential for large fines – up to €20 million or 4% of global turnover – was hyped by media in advance of GDPR. It helped focus many businesses on compliance. The first months of the Regulation saw relatively little punitive activity by data authorities. Since last year, we have started to see significant fines levied. Britain announced its intention to fine British Airways £183 million (€210 million) for a data breach affecting half a million of its customers, and Marriott International £99 million (€113 million) for a breach of nearly 340 million customer records. Google was issued with a €7 million fine by the Swedish authority in March, for not complying with the right-to-be-forgotten. These types of statement fines are likely to become more frequent in the next few years. It remains to be seen whether the Irish DPC will follow suit.
A complex privacy ecosystem
GDPR set off a domino effect globally, with many countries introducing similar legislation. In the US, the California Consumer Privacy Act was the most high profile, while lobbying continues for a federal law. This has resulted in an increasingly complex privacy landscape globally, which is a challenge for marketing teams with a multinational footprint.
Even within Europe, there remains considerable variance in certain aspects of privacy. For example, the British, French, German and Spanish authorities all take slightly different approaches to best practice use of web cookies. The Irish Data Protection Commission launched its own guidance on 6th April, with a six-month grace period to comply. Marketers are strongly recommended to familiarise themselves with these guidelines, given the short lead-in time. The timeline for a pan-European solution, in the form of a new ePrivacy Regulation, remains unclear. EU member states have failed to agree on some of its key terms.
Looking forward, GDPR and data privacy will remain a key factor for marketing teams and the brands they represent. The potential downside from non-compliance – large fines, along with brand and reputational impact – is significant. The challenge remains substantial, particularly for those firms operating internationally. Teams that can demonstrate accountability and a continued commitment to a positive data protection culture will be best placed to adapt and thrive.
Head of Marketing for Griffith College
Steven Roberts is Head of Marketing for Griffith College and a certified data protection officer. He is the author of the forthcoming book ‘Data Protection for Marketers: A Practical Guide’, which is due for publication by Orpen Press in 2021.