4 things we’ve learned in GDPR’s first year
One year ago, the introduction of the General Data Protection Regulation (GDPR) in Europe was a game-changer for brands and retailers.
Some outcomes were largely predictable. As last year’s launch date approached, companies were always going to be scrambling to get their houses in order. No crystal ball was needed to forewarn of a steep rise in reported data breaches once the legislation was in place. And it was a fairly safe bet that someone was going to be slapped with a big fine – Google, as it happened.
So much for the expected; what about the unexpected? Here are four ‘who-would-have-thought?’ revelations from the first year of GDPR.
- Retailers in other countries actually want GDPR
We’d always anticipated a ‘domino effect’ once GDPR launched in Europe, with other countries adopting equivalent legislation. What we hadn’t expected was retailers in non-GDPR countries approaching us for help in adhering to the new rules.
Some simply want to get ahead of legislation that’s in the pipeline within their market. Others view adoption of best practice data privacy as an essential brand value – part of building their reputation. But interestingly, it seems that the EU’s GDPR has provided the rest of the world with a handy pick-up-and-use set of rules that gives businesses a defensible position for their handling of data privacy.
- With privacy, there's no such thing as done
Privacy isn’t a milestone to be cleared and then forgotten about. In EU terms it is a fundamental human right requiring an ongoing ecosystem of policies, processes and controls that businesses need to manage. Risk assessment in particular has to be continual – even if you’re good today, are you good tomorrow? Putting this ecosystem into practice systematically across an entire organisation is hard even for those with the most resources, and anecdotally, it seems many organisations are experiencing challenges.
Two areas that businesses really need to stay on top of are:
- Moving goal posts: The law will keep evolving, especially as case law emerges and regulator guidance is published. Processes and controls have to move in step with these changes.
- Basic governance: Every change you make to your technology and services, even the mundane – a tweak to your loyalty programme, for example – means you’ve got to ask, ‘How does this affect privacy?’. You need the controls in place to spot these changes and then the resources available to assess them quickly.
- Privacy tech isn’t a magic bullet
According to iapp’s 2018 Privacy Tech Vendor Report, the privacy software industry has more than doubled over the past year. But these tools are still in the development stage, at best. And companies who’ve invested in them are finding that either the software lacks functionality, or their teams are struggling to use it effectively. Good privacy compliance relies on good processes, and there’s no short-cut for it.
- The ad-tech industry is now stuck between a rock and a hard place
GDPR doesn’t fully cover ePrivacy – the EU rules governing permission-based online marketing through channels such as emails and cookie-powered internet ads. Updated legislation in the form of an ePrivacy Regulation is anticipated but could take another year or more to be finalised. Until it arrives, companies are unsure whether to use GDPR as the yardstick, follow the latest draft legislation (which is the subject of heavy lobbying and could undergo significant change), use industry-created compliance frameworks– or wait and see what happens. To add further complexity, there have been some tricky privacy complaints made to regulators about the industry; both the UK and Irish data protection authorities are now investigating. All in all, it’s a time of deep uncertainty for the digital ad-tech market.
Overall, it’s clear we’re still very much at the start of the GDPR journey. Before GDPR, many organisations had never felt forced to look in real detail at how they use data. Good data stewardship was typically the responsibility of security and technology teams, with some input from HR, Marketing and Legal. Now, it needs all these functions to work effectively in glorious union. And that means serious cultural change.
So it’s probably safe to say that it will be two to three years before most companies are fully up to speed. Many happy returns, GDPR.