Six months on from the introduction of GDPR, perhaps the most important thing we’ve learned is that compliance with the rules isn’t an event or a box to be ticked, it’s a journey.
That’s the view of a number of experts spoken to by The Drum. Dela Quist, chief executive of email marketing agency Alchemy Worx, likened the activity before 25 May this year to that preceding Y2K and the threat of the “Millennium Bug”.
The era of compliance
“With a big change like this, there tends to be the idea that the world will end on the cut-off date, so everyone focuses on stopping the end of the world. Now we’re past the date and the world hasn’t ended, people are thinking more clearly.”
Lawyer Eduardo Ustaran, co-director of the global Privacy and Cybersecurity practice of law firm Hogan Lovells, has a similar view.
“I always thought the panic six months ago didn’t really make sense,” he said. “It’s a complex piece of legislation and we’ll be learning for years how to implement it.”
As a result, Ustaran described the current period as one of prioritisation, when companies are starting to see what the more difficult areas of compliance are. But he pointed out that some areas - such as basic compliance and the rights of individuals - are already well-known.
This view is shared by Ruth Boardman, who co-heads the International Privacy and Data Protection Group at lawyers Bird & Bird. She agrees that while not every aspect of GDPR compliance is clear, a lot of the obligations the regulations place on companies are now well-understood.
The grey areas
Unfortunately, that clarity either isn’t getting through to some businesses, or they’re choosing not to acknowledge it, according to Chad Wollen, CMO of mobile network data specialist Smartpipe Solutions.
“There’s definitely a thread that says GDPR is still really grey, that we don’t know what’s expected of us, that we need more advice. Those people think things will change when there’s a big court case. But the policy makers and regulators expect the opposite; they expect people to be taking responsibility.”
Richard Reeve, managing director of trade organisation the Association of Online Publishers (AOP), agrees that the way to approach GDPR compliance is to be pro-active.
“It’s not about having your hand held,” he says. “The law is quite clear and you need to build the processes to comply.”
In Wollen’s view, a big chunk of the marketing industry is not thinking about what GDPR signifies in terms of changing attitudes to privacy. Instead, he says, marketers have fallen back on layered consent approaches that suggest they think GDPR is purely a compliance issue.
“There’s a huge gap between the industry on one side and the advocacy groups and regulators on the other,” he says. “The regulators are expecting companies to move to a more ethical approach, to change from just thinking about compliance to following the spirit of the law. As marketers, we need to respond to the GDPR and build the kind of relationships with customers that they expect. We don’t want customer data to be the fracking of the digital world.”
But while there’s agreement that the broad outlines of the GDPR compliance are clear, there are still some grey areas, and some new areas of concern that have emerged.
One area that is causing problems, according to Ustaran, is when to notify the ICO about a data security breach.
“Small breaches happen all the time,” he said. “We’re seeing companies over-notifying, because they don’t know when to do so and they don’t want to get things wrong.”
An issue Wollen highlights as needing clarification is the question of how consent works for companies sharing data though their online advertising ecosystem.
“The advertising industry is sustaining massive supply chains, then building risky consent structures around them. These elongated, fragmented supply chains are why regulators say we need GDPR.”
According to Boardman, the E-Privacy Directive currently being developed should help here.
“It may help clarify if consent is needed for sharing data through online advertising,” she said. “At the moment it’s clear that the organisation placing a cookie or similar device, or retrieving information stored on a device, needs consent to do this. It’s less clear if consent is needed to share that information and how any consent can be proved – hence the emergence of the IAB Transparency and Consent Framework, and the requests to data protection authorities to intervene in this area.”
Another aspect of GDPR that companies are finding challenging is the unexpected volume of requests for information from members of the public.
“We now know that people care about privacy and data collection,” Ustaran said. “They’re exercising their rights, and there’s been a lot of activity from individuals, which has taken businesses by surprise. Companies need to get up to speed with dealing with this in a more systematic way.”
A further complication is that companies need to verify that the person making a request for information is who they say they are. Otherwise releasing data to them could be a breach of GDPR in itself.
“If you have registered, logged-in users, it’s straightforward,” Boardman explained. “If not, you can probably show they have access to a certain device, but it could be shared with other members of the family, so it’s very difficult.”
“We’ve seen companies go both ways, with some saying they can’t release information because they can’t verify the identity of the person making the request, but there are problems whichever approach you take. Privacy groups have picked up on this, and are challenging organisations that say they can’t verify identity. It may require organisations to change their approach.”
GDPR also gives individuals “the right not to be subject to a decision based solely on automated processing” that “significantly affects him or her”, as well as the right to have those decisions explained, and to challenge them. Quist pointed out that many companies haven’t got the systems or processes in place to respond within the time required.
“‘Right to an explanation’ requests mean you have to have the access to the data you hold so you can find out whether you did what you’re being accused of within 48 hours,” he said. “There’s a lot of companies who haven’t thought about what that means.”
See you in court
Boardman’s comment also highlights the fact that those companies waiting for the courts to clarify some of the questions around GDPR compliance should soon get their wish.
“GDPR provides for advocacy groups to bring litigation against companies where there’s public interest in doing so,” she explained. “These are coming through, and a lot of them are in the online advertising space. There are a lot of challenges to the industry that are starting to be pushed.”
Wollen cites the complaints submitted in September to regulatory authorities in the UK and Ireland by Brave Software, which allege that Open RTB violates GDPR and that the ad tech industry has not made any meaningful effort to comply with the regulations, allegations that could have a dramatic impact on digital advertising.
Ustaran expects that we’ll start to see enforcement of the regulations by the end of this year - or early next.
“People were panicking about the level of fines in GDPR out of all proportion before 25 May,” he said. “Now they’re asking whether there’s going to be any enforcement, because we haven’t seen any yet. My response is that it’s still early days, because investigation takes time, but that we will start to see enforcement around the misuse of data by the end of this year or early next.”
Warnings aside, Ustaran sums up the position for companies six months on from 25 May: “There’s no quick fix. Companies need to plan and budget for the long term. Learn what you weren’t prepared for and understand what you need to do. You have to look at this as a long-term project.”