By: Paul Hewett, Data-driven Strategist, and Client Service Director, In Marketing We Trust
Data protection legislation faces a major shakeup when the European Union ‘General Data Protection Regulation’ (GDPR) becomes enforceable in mid-2018. But what are the changes – and why do they impact marketers and companies across the planet?
The GDPR is the EU’s new framework for data protection regulation. It was adopted by the European Parliament on 16 April 2016, replacing the 1995 Data Protection Directive - although businesses have until 25 May 2018 to comply with the new regulations.
The two main objectives are to boost Europe’s digital economy, by harmonising the regulatory environment for international companies; and to give more powers to ordinary citizens over their personal data.
Crucially, these laws will apply to any business processing data for EU citizens - regardless of whether they have offices in Europe.
Penalties for non-compliance with the GDPR are potentially huge, at up to €20m (or 4% of global turnover, whichever is greater).
A Veritas survey recently showed that 90% of businesses in Singapore are concerned about GDPR; 20% of which feel that business failure could be an outcome.
If your business handles any kind of customer data, then it’s important you understand how the GDPR could affect it – so read on to find out.
Shaping-up the GDPR
My involvement with the GDPR goes back long before its 2016 adoption by the Council of the European Union and European Parliament - as I helped lobby for and shape these data protection regulations.
EU data protection reform was initially put forward in 2012, when the European Commission published the draft General Data Protection Regulation - triggering several years of debate and lobbying by European marketing and advertising associations.
As chair of a prominent UK DMA council, I’ve seen the GDPR transition from its early draft, into the data regulation which has already been adopted and will officially become enforceable in 2018 – for marketers around the world to enjoy.
GDPR – a brief introduction
If the ‘General Data Protection Regulation’ is news to you, don’t worry – here’s a quick overview.
• The GDPR (EU 2016/679) is a European Regulation, which the European Parliament voted to adopt in April 2016 – replacing 1995’s Data Protection Directive (95/46/EC).
• As a ‘regulation’, the GDPR is a binding legislative act that all EU countries must apply, without changes. In contrast, a ‘directive’ (for example, the EU consumer rights act) simply sets out a goal - which individual countries are free to achieve by devising their own laws.
• The GDPR’s goal is harmonised data privacy regulations in the EU – giving residents data empowerment and protection.
• Organisations that handle the data of any EU residents have until 25 May 2018 to ensure they fully comply with these new regulations – two years after they officially came into force.
• Non-compliance fines can be up to €20m or 4% of global turnover (whichever is greater) – so evaluating the exposure of your business and strategy for the GDPR is important.
• This general data protection regulation timeline shows the evolution from proposal, through to adoption and enforcement.
GDPR and non-EU companies – why should we care?
If you’re based outside the European Union, I imagine you’re wondering why a European regulation could be of any interest to you?
Increased territorial scope is potentially the biggest change GDPR will make to the regulation of data privacy. Reframing legislation around the ‘data subject’ (person) and their location (instead of the data controller or processor) means that any business with customers in an EU country is affected by GDPR.
In the words of Chris Combemale, CEO of the UK DMA Group, ‘GDPR applies to every company who has even one customer in Europe and therefore has far-reaching consequences for multi-nationals and ecommerce businesses that trade across borders.’
GDPR’s impact in Australia is confirmed by Irene Halforty, at the Association for Data-driven Marketing and Advertising (ADMA), who says ‘The GDPR will have a significant impact on the ways in which Australian marketers obtain consent for the collection, use and disclosure of personal data.’
The GDPR will get personal
‘Personal data’ needs a robust definition - and the general data protection regulation text provides some clarity; describing it as ‘Any information related to a natural person or “Data Subject”, that can be used to directly or indirectly identify the person.’
Although somewhat ambiguous, someone’s name, phone number, email address, IP address and any photos, videos or social media posts could be included.
B2B marketers should note that contact details or information about someone’s place of work are also identifiable data.
Take the power back - to the consumer
Consumers enjoy significantly more power with the GDPR, compared to older regulations
Let’s look at the five main consumer rights categories:
• information notices.
• subject access, rectification and portability.
• rights to object.
• rights to erasure.
• rights to restriction of processing, profiling and automated decision taking.
The plan is that consumers will be given ownership and control of their personal data, empowering them to control its use. Unfortunately, regulations of this nature are inherently tricky to interpret – particularly in regard to data portability – so how well this works in reality remains uncertain.
Obtaining data and consent is a key focus of GDPR. Straight in the firing line is ‘consent-cloaking’ – a popular trick that involves hiding consent for data processing deep within complex terms and conditions, which consumers are unlikely to find easy-to-read.
Under the GDPR, any business with EU customers must secure their explicit consent to be able to legally collect, retain and use their personal data. This process has to be easy for customers to understand, access and identify as being a request for consent. Crucially, any procedure for withdrawing consent must be as straight-forward as initially giving consent.
How enforceable is GDPR regulation?
GDPR is coming – but will its regulations be enforceable? The data protection regulation brings substantial changes to the table, which some companies will require significant investment to comply with. Naturally, this begs the question as to whether failing GDPR compliance will have any real consequences.
Data automation processes are a potential game-changer, as moving and processing data is arguably too complicated to track and enforce. This view is held by Professor Merlin Stone of St Mary’s University who argues, “GDPR is partly unenforceable. The more you automate your data management and profiling, the less enforceable it is.”
The EU cookie law and subsequent failure of the European Commission to enforce this piece of privacy legislation might be interpreted as evidence of the GDPR being unlikely to be enforced – but the cookie law is only a directive (E-Privacy Directive 2011).
In contrast, the GDPR is a regulation, which therefore must be adopted across the EU – and it’s likely to be equipped with strong enforcement capabilities. I think fines are inevitable and would bet on one of the big internet companies being the first to get one.
Will business benefit from the GDPR?
Knowledge of how data protection regulation will change with the GDPR is useful; but an understanding of whether the overall impact on business will be positive is the bottom-line that many leaders are interested in.
John J Wall – a respected author and marketing leader - says “This is about streamlining – having one set of regulations around handling data, not 28 from all the countries in the EU. A big part of this is making it simpler to deploy tech in the EU.”
Chris Combemale of the DMA reflects on the opportunities that gaining GDPR compliance offers a business, “GDPR sets a high bar for data protection and introduces new ideas like giving customers control of their data. While this may seem daunting to many non-EU businesses, it is also an opportunity to raise standards overall and better serve your customers.”
Aside from the obvious consumer benefits, the GDPR’s harmonised, cross-border data regulation policies can both improve customer service for consumers and encourage more rapid deployment and scaling for technology and multinational businesses.
How do I become GDPR compliant?
For non-European companies, this is the 20-million-euro (or 4% of annual global turnover) question.
It’s safe to assume that wherever your company is based, GDPR will impact how your business manages and processes personal data. That said, you probably won’t experience major changes in value exchange or how you interact with your customers.
General data protection regulation text is also likely to influence and set the standard for any new data protection regulation drawn up, anywhere on the planet. Acting to engage with the GDPR’s standards and achieve compliance puts your business ahead of the curve and makes it highly probable that you’ll comply with almost all data protection regulations, anywhere on earth.
Achieving GDPR compliance also ensures that you’re providing your customers with a high level of service and protection; and positioning your business to enjoy enhanced scalability potential.
For guidance on meeting the deadline for GDPR compliance, your country’s Information Commissioner will probably issue advice (this is the Australian AOIC guidance), but the UK’s ICO GDPR website is likely to have a more detailed overview.
Remember to check with any suppliers and partners that access or process data, to check they’re compliant with GDPR, ahead of the deadline on 25 May 2018.