Grant Coleman, EVP of EMEA at Emarsys, looks at why GDPR still isn't doing what it was introduced to do, despite us being one year on from its implementation
Cast your mind back to last spring. Those months leading up to the introduction of GDPR were the most frenzied for internet-based businesses since the Y2K bug loomed over the turn of the millennium. The May deadline came and went, with the industry collectively holding its breath as it shuffled up to and over the precipice of 25 May. But what happened then?
From a legal perspective, very little. According to a report from DLA Piper, from 25 May 2018 to the start of February this year, 59,000 incidents were reported to the various regional Data Commissioners. But just 91 fines have been imposed – with Google’s €50m fine by France’s CNIL accounting for almost 90 per cent of their cumulative value.
The reason for this is two-fold. Firstly, it is simply too soon for significant action to be taken and fines to be handed out. Even in simple cases, where it appears obvious that a company has breached the terms of GDPR, its national regulator is required to ask for a written response from the data commissioner, which could take up to a month to come through. A first-time response isn’t guaranteed either, and regulators may have to ask again before receiving one. Even then, the accused brand may ask for more time to present its case, which delays proceedings further. Lawyers must then collate all of the information for the case and develop a watertight argument before bringing it to court. So even in the simplest cases, any punishment under GDPR could take a minimum of six months. Even when it’s something like a subject access request (SAR), a month has to pass before the complaint can be made. This helps explain the lack of enforcement we’ve seen to date.
The second reason for this is the lack of clarity of what compliance actually looks like from a legal perspective. It strictly comes down to how the regulation has been interpreted in individual states’ legislatures. Although it was an EU regulation, the laws governing compliance and enforcement are actually determined by member countries themselves. Right now, most countries have not finalised their own interpretation of the regulation. That’s why a variety of studies since last May have shown that most organisations still aren’t sure if they are compliant or not. In the UK for example, the ICO still hasn’t come up with its own definition of what GDPR compliance looks like, meaning brands remain unclear on which systems and platforms should be implemented to help them deliver brilliant yet compliant marketing communications.
This lack of clarity has understandably hindered brands’ efforts to determine their longer-term marketing strategies. In the short term their more immediate focus has been on re-permissioning, but again, the lack of a clear framework to conform to – or precedent, in terms of how to adapt their strategy – has led many to get their strategies around consent wrong. Hundreds of brands sent needless emails to consumers requesting their sanction to remain in touch when they had already given it, meaning they ended up losing potential subscribers already within their wheelhouse. Likewise, many continued to contact consumers without them having opted in for communications, raising the risk of customers defecting from their favoured brands.
However, databases have by and large remained consistent, and consumers have continued to proactively engage with their preferred brands. One channel that has however been impacted is email, as predicted prior to GDPR’s introduction. In the immediate aftermath of 25 May, deliverability queries skyrocketed and many brands struggled to take the data they’d collected from their re-permissioning campaigns prior to the deadline, and apply it to their existing data sets. At a consumer level however, we’re yet to see the full impact of the regulation on behaviours, as many still aren’t clear on the data protection rights they are entitled to under the GDPR. A recent European Data Protection Board survey found that only a third of EU citizens are ‘well aware’ of what the GDPR entails – so expect longer-term changes in customer behaviour to impact the viability of this channel.
For firms looking for reassurance about the extent of their GDPR compliance, there are existing frameworks that can help to embed the type of best practice it mandates within organisational processes. The EU-U.S. Privacy Shield, for example, is an international charter designed to help businesses comply with data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce. It provides a voluntary self-certification process, which requires a public commitment to comply with its requirements. This commitment can then become enforceable under US law. In the UK, the Data & Marketing Association’s DMA Code also goes a long way towards providing an industry code of conduct which preserves adherence to GDPR, but right now there isn’t a comparable code for other countries under the GDPR’s jurisdiction.
Clearly, GDPR compliance will evolve as countries begin to interpret and enforce it more effectively. However, the preoccupation with this regulation overlooks another major regulatory change which may come in the next few years. The EU’s long-planned e-privacy regulation represents the next cliffhanger for ecommerce firms, because it is likely to fundamentally alter the laws governing B2B email marketing by clarifying what the process of securing ‘soft opt-in’ from consumers looks like. The existing regulation governing this area was last updated in 2008, and urgently needs updating to align with contemporary practices. While many aspects of data privacy and protection were integrated into the GDPR regulation, email marketing specifically was not covered within it. Brands must therefore pay attention to the impact the new regulation will have on their business when it’s implemented, given email marketing’s continued popularity.
In short, what constitutes GDPR compliance is not yet clear, and will differ based on local interpretation. Businesses therefore need a steadfast industry code of conduct that is principle-based and creates a solid framework to help them navigate both the ambiguity which exists prior to its enforcement, and how it is eventually enforced in their locality.