The General Data Protection Regulation (GDPR) will be implemented across the European Union (EU) exactly a month from today. The introduction of the regulation will change the way personal data is handled by businesses that have operations right across Europe and give the EU population far more control of their own information.
With these changes to how data is handled, the implications and fines associated with failing to adhere to the regulation could cause some damage come 25 May. Despite this, there still remains a fear that many businesses will fall short of being compliant this time next month. So, with a month to go, where do we stand and is the world actually ready for GDPR?
What is GDPR?
GDPR is an EU regulation surrounding data protection and privacy of all EU citizens. Adopted on 27 April 2016, it will be enforced from 25 May 2018. The regulation is aimed at giving people across Europe more control and safety when it comes to their data by replacing the 1995 Data Protection Directive with a set of new rules.
One of the criteria under the vast set of rules is that organisations will be required to prove they have a lawful basis for handling people’s data. This can be proven either through direct consent or because the data is in the ‘legitimate interests’ of the business, a third-party, or society as a whole – thus overriding the rights and freedoms provided to the subject.
Direct consent is defined under the regulation as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Meanwhile, a legitimate interest can be anything including data being required to complete a contract, for security or legal reasons, or for direct marketing purposes.
The idea of consent and legitimate interest doesn’t actually differ too greatly from previous Acts within the space. An area where things do change significantly, however, is within the control that people have over the above consent and the overall use of their data.
Under what is commonly known as the ‘right to be forgotten’, EU citizens will be able to request that their data is completely erased by a business. The caveat to this is that these citizens can only request for their data to be deleted under certain conditions, such as the data no longer being necessary for its original purpose, and them objecting to the processing or withdrawing their consent.
“Prior to GDPR, savvy marketers decided what customer data was appropriate and how much of it they wanted to use – often to the consumers’ detriment. After GDPR goes live, the consumers decide what data the marketers get to use and how much of it they get to keep. This is a good thing for both the consumers and the businesses, although it represents the biggest immediate challenge for the latter,” said John Timmerman, global industry evangelist at Teradata.
“With GDPR, the business has to give the consumer a reason to want to share their data. As consumers opt-in, the businesses have to prove that they’ll be professional and secure stewards of that entrusted data and will only use it to give the consumer a better experience.
“It’s somewhat of a virtuous circle. But, it starts with the business being very specific about what data they want and why it’s ultimately beneficial to the consumer for them to have it. Then the consumers will start to share more of their data as the businesses have proven themselves and consumers have realised more returned value from their data.”
Other rules which fall under GDPR include increased accountability for organisations, whereby they are required to show how they are compliant with GDPR via documentation, training, staff awareness, and more. In addition, business will be required to assess the risks that processing personal data could pose to the rights and freedoms of EU citizens.
The final major bit of criteria relates to what happens in the event of a data breach. In such an event, data processors are only required to report breaches to the data controller. The controller must then notify the appropriate authorities within 72 hours. If said breach could pose a high risk to the rights and freedoms of people, they must be notified with minimal delay.
“These added levels of transparency and controls are a vital part of earning a consumer’s trust. The more an organisation can do to demonstrate that they are being responsible and transparent about collecting, storing and using consumer data, the more willing consumers will be share it to enable a richer experience,” said Matt Bertenthal, senior privacy counsel at Medallia.
“GDPR creates a model for more responsible data collection, but following these general principles, regardless of regulation, is a best practice for creating and maintaining long-lasting relationships with customers.”
Failure to adhere to the rules set out by the regulation can result in a fine of up to €20m (£17.5m), or four per cent of global revenues, whichever is higher.
Though businesses have – or at least should have – known about GDPR for a very long time now, many are still struggling to meet next month’s deadline for compliance.
A recent study released by Crowd Research Partners found that 60 per cent of companies around the globe are not ready for the regulation’s implementation. Just as worryingly, just seven per cent of firms surveyed said they are fully prepared, with the remaining 33 per cent well on their way toward being compliant by 25 May – though that’s not to say they will all make it in time.
Many of those in danger of not being compliant cite a lack of expertise in their ranks, along with a lack of budget, as the reason for not yet having their business in order. Amazingly, 25 per cent of organisations still have little or no knowledge of GDPR.
With statistics like these, it is no wonder much of the industry is uneasy about the fast-approaching regulation and many may feel like GDPR represents their own Thanos, their own Infinity War. But, with the fate of the entire data and marketing world in the balance, is there anything to truly be worried about? Jason Palgrave-Jones, managing director at Textlocal, doesn’t think so.
“The industry has seen its fair share of scaremongering warning of businesses’ under-preparedness. And whilst, of course, one should never be lax about data protection, most companies will have found that becoming compliant with the new laws isn’t such a monumental task,” said Palgrave-Jones.
“What is of the utmost importance, however, is the treatment of legacy data – that which has been procured before the new changes. Time and attention must be put into informing current customers of changes, and confirming how and why they would like to be contacted in the future.”
In fact, the implementation of GDPR should be seen as an opportunity for the industry to conquer its own monstrous mutant in this war because “in the midst of chaos, there is also opportunity,” according to Julian Saunders, CEO and founder of Port.im, quoting legendary Chinese military strategist Sun Tzu.
“On one hand, customer databases will inevitably shrink as many people refuse to proactively provide their consent to be contacted. Third party datasets will rapidly fall out of fashion given the risks involved in proving the providence of their data. Unsubscribes and requests to 'be forgotten' will rise as people assert their data rights - making the margin of error for marketers much smaller,” said Saunders.
“On the other hand, smaller marketing databases will increase marketing effectiveness, with a self-selecting pool of highly-engaged customers emerging. Brands will have to invest more in personalisation and higher value marketing content to earn and retain the right to contact customers. This should raise standards across the board, with spam essentially outlawed and brands engaged in an arms race to produce the most innovative marketing material. In time, this will restore the email marketing industry's reputation.”
Location, location, location
One of the big changes that the implementation of GDPR will make is what piece of legislation location data falls under in the UK. Previously, location data fell under the Privacy and Electronic Communications Regulations (PECR) but from 25 May it will fall under GDPR.
Under PECR, consent to access location was usually granted when accepting the terms and conditions when opening an app for the first time. However, now data collectors will have to seek explicit consent to actually analyse, process, or profile location data.
The nation found to be most trusting when it comes to revealing their location is the UK so, despite location data being moved to a different regulation, not much is likely to change for the apps that want to know where people are - at least not in the kingdom anyway.
“They are the most likely of all nationalities to share their location with their apps. Almost a third of people living in the UK said that they always or very often share their location data despite not really knowing what it does or what it means. This compares a global average of 21 per cent. Japanese consumers were found to be the most cautious with just 13 per cent sharing their data with apps,” said Will Anthes, managing director at W8Data.
“The study also found that despite being unhappy with the current privacy practices of apps few people in the UK take the initiative to adjust the privacy settings of their apps, except social media apps. This shows that organisations that use locations data need to be more educational and transparent with consumers.”
What about US?
Some businesses based in the US may think that they all of the above the regulation. How wrong the organisations that think like this are.
GDPR, despite being an EU regulation, has a bearing on any business with operations in any one of the EU member states. Due to this, there is a huge number of US companies that are required to make sure they’re GDPR-compliant by 25 May, or they too will face sanctions.
“Though the regulations will only impact EU citizens for now, US businesses that reach any of these users will need to be compliant too. So, it's essential that these businesses pay attention and seek out ways to responsibly use data and ensure users’ data security. As the demand for greater control over individual data continues to heat up, there’s a good chance that similar regulations for US citizens could occur. Ultimately, given the global nature of business, every organisation should work to comply,” warned Theresa O’Neil, VP of marketing at Showpad.
“From a technical perspective, companies that deal with personal data will need to make sure that their platforms are designed with privacy in mind. They’ll have to take into account relevant data security principles as foundational elements of these changes. This can be done through more in-depth offerings that give users specific options for when businesses can use their data (i.e. to inform the sales process or to personalize offerings), and by improving the company’s technological infrastructure to ensure that systems are safe and not corruptible.
“Organisations need to focus on GDPR compliance not only to avoid fines, but also to ensure that they don’t lose business.”
Compliance? Completed it mate
Of course, despite the general kerfuffle surrounding GDPR, there are a few businesses out there that have already got their acts together.
Facebook has begun attempting to get things in order, with the recent Cambridge Analytica scandal pushing its hand a little more; and Apple has publicly shown is dedication to consumer privacy.
“Apple is one of the first high profile companies to take the GDPR provisions for customer privacy very seriously and very publicly,” said Ian Woolley, CRO at Ensighten, discussing Apple’s approach to consumer privacy. “While almost all online businesses today collect data, only a handful of firms process data at Apple's scale. Tim Cook, CEO of Apple, stands out for his unequivocal commitment and advocacy of consumer privacy.”
Meanwhile, sales enablement platform Showpad and ad exchange network OpenX are just a few of the other names that are already GDPR-compliant.
“We’ve always made it clear how user data is collected. Customers have the ability to take control of how – or if – their personal data is being used. The advantage of having European roots has put us ahead of many US-based companies since these regulations have been an impending reality for a longer time for us,” said Showpad’s O’Neil.
“We've updated our platform’s privacy features to tie directly to GDPR regulations so that all of our clients, around the world, can be compliant when using our platform. We've done this by adding enhanced privacy settings for users and prospects that make sure consent is given ahead of data usage, and giving our users the right to be forgotten and their data anonymised.”
Like Showpad, OpenX has put a lot of time and effort into making sure it is ready in time for GDPR’s implementation, setting up an internal working group over a year ago. This group saw the exchange work on “developing a comprehensive data map, reviewing all policies we have in place relevant to data protection and collection, developing new policies, updating our technology and product roadmaps and deploying a company-wide training program,” according to Doug McPherson, chief administrative officer and general counsel at OpenX.
“For companies that aren’t compliant yet, no time can be wasted. While there is still much to be confirmed, the key is to make sure they are not waiting for the final answers before they begin their compliance efforts,” continued McPherson.
“Mapping your data, better understanding the practices of your partners, reviewing all of your privacy policies to ensure alignment are all efforts that can and should be taken now while also making sure you remain flexible enough to adapt to clarifying rules.”
All things considered, businesses that aren’t yet compliant still have just about enough time left in the bag to get there – though it may be a close one. Following the approaches taken by businesses that are already adhering to GDPR, as well as keeping an eye out for late-in-the-day advice from the EU and the Information Commissioner’s Office, seems like the best way for organisations to succeed in being compliant in the short time left.
Despite the late pressure that is being piled on, businesses must also not panic and give into the idea that them not yet being compliant is the end of the world. Instead, the next month should be spent focused on educating themselves on the regulation properly and seeking out the very best way to become compliant with said regulation.