The GDPR: Hype or Hyperbole?

25 May, 2018 – put it in the diary. On this fateful day, the General Data Protection Regulation (GDPR) will come into full force. ExchangeWire breaks it down for those still in the dark.

It’s hardly surprising that the mere mention of the GDPR causes one's eyes to glaze over and, if you do try to get to grips with any one of the 99 articles contained within the regulation, you would be forgiven for giving up and leaving it to the professionals. And you should. However, the implications are further reaching than you may think. What you might not be aware of, is that the GDPR is only one (admittedly large) element of digital privacy in the European Commission’s Digital Single Market – the other being the ePrivacy Directive, or the ‘Cookie Law’.

The devil is in the detail

GDPR has become a catch-all term for data compliance; but understanding the differences between it and the ePrivacy Directive, which comes into play at the same time, is crucial. “The aim of the GDPR is to give the consumer control over their personal data”, explained Todd Ruck, chief privacy officer, Evidon. “The ePR, in contrast, is distinctly different, as its purpose is to ensure the confidentiality and privacy of electronic communications.” So, the GDPR aims to protect consumers from being identified via data points that have been collected and processed by businesses, while the ePrivacy Directive, as part of that, deals with how the consumer is tracked and the data collected. “Marketers will be under intense scrutiny and should take care to provide enhanced notice when it comes to tracking technologies, and make sure they obtain consent properly”, confirmed Ruck. “This means they’ll have to get a firm grasp on their digital supply chain – from contracts to daily governance – and it won’t be an easy task.”

Matching & mirroring

If you’re in the UK, the vote to leave the European Union makes no difference. Paul Hickey, director of digital solutions, TwentyCi explained: “Following the vote, the UK government confirmed that when Brexit happens, all EU legislation will automatically become UK law until each piece of legislation is repealed.” He does, however, believe the GDPR will not continue in force for the UK much beyond 2020, due to the strong privacy laws that already exist in the country. According to Nicola Fulford, commercial, technology, and data protection lawyer at Kemp Little, the UK wouldn’t necessarily want to exist outside of the GDPR anyway. techUK, the representative voice for the UK technology industry, of which Fulford is a member, spent three years lobbying against the GDPR and, now that the UK is leaving the EU, they are lobbying to keep it. Why? The GDPR is not about where the data is stored or how it’s handled – it’s about the individual the data is used to identify, known as the ‘data subject’. With no GDPR in place, UK businesses with any connection to EU individuals could quickly find themselves in breach.

Privacy by design

But, is it all hype? Each European market has its own data protection laws. For example, in the UK, the ICO enforces the UK Data Protection Act 1998 and, more recently, the updated version, the Data Protection Bill, both of which share similarities with the GDPR; but the latter is much wider reaching and penalties are severe. The ICO would rather you be compliant than in breach of the regulations. But it’s not easy, and the majority of businesses aren’t ready, as Ruck highlighted: “The regulation contains 99 articles, written in legal jargon, and many businesses are unsure what to prioritise before the May 2018 implementation deadline.” Of the 99 articles, 39 require proof. So, where do you start? Evidon’s advice is to get consent right first, as it’s the most visible aspect of GDPR compliance, and likely to be where regulators target non-compliance first. Consent is complicated and not particularly clear within the GDPR and the ePrivacy directive within that. However, it must be verifiable and able to be withdrawn at any time. As the ICO states: “Silence, pre-ticked boxes, or inactivity does not constitute consent.”

Going Dutch

Under the current cookie directive, the Netherlands is one of the strictest European markets, where ‘privacy by design’, rather than assumed consent, has been the status quo since 2015. According to Tomas Salfischberger, co-founder and CEO of Netherlands-based Relay42, the cookie law did cause a lot of stress for businesses, and they actually had to delay the compliance deadline to ensure all parties were ready. However, in terms of marketing effectiveness, Salfischberger believes that nothing has changed. “We handle the opt-in/opt-out for the top 100 brands in the Netherlands, and the opt-in rate is 99%.” Salfischberger explained that brands did a lot of messaging optimisation and A/B testing to achieve this high rate but, with some work, consumers should be on board.

“With the GDPR, all of Europe will be like the Netherlands, with a sniff of Germany in it”, joked Salfischberger.

Non-compliance is not an option

Garante, the Italian Data Protection Authority, have sent a clear message, fining five companies over €11m (£9.67m) for the unlawful processing of personal data, and the size of the fine reflected the number of European data subjects affected. The potential fines are huge – up to 4% of global annual turnover for severe breaches (along the lines of the hack of one billion Yahoo accounts). Other less severe breaches, such as not informing authorities of a suspected data breach on time (indicating a potential cover up), can incur penalties of up to 2% of global annual turnover.

The GDPR applies to data controllers (controlling how and why data is processed) and data processors (processing the data on the controller’s behalf). Data processors have significant legal liability in case of a breach; but controllers don’t sit outside of the law either. They must ensure their contracts with processors comply with the GDPR.

What if your company both owns and processes data? Then, as is the case with life-event data company, TwentyCi, you are classed as both a controller and a processor: “We have a number of different managed and owned data sources used to qualify our audience”, said TwentyCi’s Hickey. Where TwentyCi acts as a data controller, they must ensure their processor partners are compliant. “Firstly, that they can be confident that our data meets all present regulations, and will continue to do so into the future, too. However, they also need to ensure that they are, themselves, properly prepared to handle personal data securely and in accordance with the requirements of GDPR.”

Contractual obligations

Advertisers and agencies may misstep, in the process of updating their contracts with third-party vendors that can access their EU personal data. More onus will be placed on third-party vendors to help with data breaches, as well as returning or deleting EU personal data; and these stipulations will need to be included in contracts. Vendors may find themselves going through pitch processes, if they aren’t yet at the same level of compliance as their data-controller partners.

A costly business

Compliance doesn’t happen overnight. Businesses aware of the GDPR have been preparing for months; and every time a GDPR article is added or slightly adjusted, more time and money is expended. TwentyCi, for example, has a dedicated task force of senior directors, in place since March 2016, who are constantly reviewing the latest interpretation of the GDPR, plus the guidance notes supplied by the ICO, and putting in place different measures and checks to ensure they will be ready well before the deadline.

This won’t come cheap. The number floating around the industry is a cost anywhere from USD$3bn (£2.4bn) and USD$9bn (£7.2bn) for the industry to become GDPR-compliant. Evidon’s Ruck cites an IAPP study that the GDPR will spawn the need for approximately 28,000 data-protection officers in the EU and US, which will incur additional costs for many.

Ah yes, the data protection officer. It is mandatory for both controllers and processors to appoint one, where certain types of data-processing operations are engaged in on a ‘large scale’, such as ‘behavioural advertising, online tracking, or fraud prevention’. The DPO doesn’t need to be an employee, so expect the development of a new cottage industry providing these services on a consultancy basis. Given the potential size of the fines, who knows whether insurance brokers are also sniffing around the GDPR under liability policies.

Tilted playing field

One might argue that the onset of the GDPR will help to level the playing field in the digital industry, where certain walled gardens have been less than forthcoming about the usage and measurement of personal data. However, if you think the likes of Amazon, Facebook, or Google were anything but prepared for the onset of the GDPR, then you’re wrong. They handle personal data on the largest scale; so the necessary steps they would need to take to up their compliance from current regulations to the new GDPR will be minimal. The smaller businesses will be hardest hit, with a much heavier compliance burden and an, arguably, significantly greater financial risk following a breach.

Was the GDPR compiled by people with an inherent understanding of the digital industry? No, not really. While there are many groups working with the relevant data-protection authorities to ensure their side of the story is heard and understood, ultimately, it’s a ridiculously complex legal document that has the potential to change the face of digital advertising. Or maybe it won’t. But either way, whatever you do, you’d better not ignore it.