After years of deliberation, “arguably the most complex piece of regulation the European Union has ever produced” comes into force on May 25th. Reaching far beyond Europe, the tough new privacy laws present a compliance challenge for businesses — and some will be hit harder than others.
Regardless of where a company is based, Europe’s General Data Protection Regulation (GDPR) will apply to any business that serves or monitors EU-based customers. If they breach the rules — which give customers more control over how their data is used — they’ll face fines up to 20 million euros or four per cent of annual turnover, whichever is higher.
Thanks to the international reach of the laws, not only do Australian businesses need to comply with GDPR, but legal experts believe it will become the de facto global privacy standard and set the tone for other countries in developing their own data protection rules and regulations.
“It is very likely that the more stringent level of compliance required for the GDPR will become the best practice standard for business in Australia in due course,” Katherine Sainty, Founder and Director of Sainty Law, told Which-50.
As well as raising the bar for businesses, the new privacy rules present new challenges for martech and adtech players working away discreetly in the background to collect data and target user profiles. GDPR requires companies to have a legal basis to collect and process personal data, including cookies, mobile advertising IDs and IP addresses.
“We think that GDPR is the single most significant regulation in the history of digital advertising,” said Doug McPherson, chief administrative officer and general counsel at ad exchange OpenX.
“It touches almost every company in adtech, and it will accelerate consolidation in the space around a smaller group of quality trusted partners that have a proven track record of investing in security and quality.”
And it’s already claimed its first scalp. German location-based mobile marketing firm Verve shut its European offices last week, The Drum reports. Verve International GM Ian James said GDPR wasn’t the only factor in the decision “but it’s a big contributor,” adding that it is now “challenging to have to operate any data-driven adtech business in a highly legislated market.” Instead the company is going to focus its efforts on the US.
A deep dive into data ecosystems
“You just can’t paper your way out of GDPR readiness. This is not about documentation, it’s not about policies. Generally, it will be about changing processes of how you operate if you are in any way targeting services into Europe or using personal data and possibly using tracking code in relation to the behaviour of EU residents,” Leonard said at a recent industry briefing on GDPR hosted by the IAB.
According to Leonard, GDPR is forcing organisations to take a “deep dive” into how their data ecosystems work, including third-party providers. That has produced some “interesting reactions” and is affecting the publisher-adtech provider dynamic, according to Leonard.
“Adtech providers are trying to push responsibilities back onto the publishers, so that they are effectively using GDPR as a new global standard and seeking to impose, through contract, the same obligations on publishers outside Europe as probably apply to publishers in Europe post-GDPR.”
“What we are seeing is that the GDPR is setting a new high-water mark really for adtech across the world.”
The adoption of a global GDPR standard and the transfer of liabilities within data ecosystems are arising in Australia through revised contracts, said Leonard. “That requires a retooling of how and what type of consent is obtained by publishers,” which Leonard says is “something that is fundamentally different to Australian practice today.”
“Whether you are directly regulated by the GDPR, or whether you are just caught up in the wash of the contracts dealing with those people who are directly regulated by the GDPR, you’re going to find the GDPR affecting your business in some way.”
For marketers, the consequence, Leonard says, is a shift away from bottom-of-the-funnel retargeting through ad exchanges in favour of contextual advertising and first-party, consent-driven uses of data. Spend will therefore shift to mechanisms where data consent is more easily associated with an exchange of value.
“Were I investing today, I’d be investing in demand management platforms and reducing my exposure to ad exchanges … and maybe creating some new loyalty schemes.”
In January ad exchange OpenX announced it was fully compliant with GDPR. Chief administrative officer and general counsel Doug McPherson told Which-50 it began the process over a year ago by establishing an internal working group to drive the compliance effort, as well as calling in the lawyers in both the US and the EU for advice.
“This group focused on things like building out a comprehensive data map, reviewing the policies we have in place that are relevant to data protection and collection, developing new policies, updating our technology and product roadmaps and deploying a company-wide training program,” McPherson said.
One of the challenges GDPR presents adtech players is the need to get consumer consent — a tough ask for technology tools that aren’t customer-facing. OpenX has gotten around that by relying on its publisher partners to obtain consent in their capacity as data controllers.
Ray Umerley, vice president and chief data protection officer at Pitney Bowes, said his organisation began preparing for GDPR in 2016 and “will be well positioned for compliance with the GDPR by its effective date of May 25, 2018.”
Pitney Bowes reviewed the agreements and obligations of each of its technology partners that have access to personal data.
“Any parts of the stack managing significant amounts of personal information, or managing the legal basis for the processing of that information (i.e. consent) which ultimately would be involved in fulfilling a data subject request and/or satisfying inquiries from an authority would have a more significant impact than others,” Umerley said.
“Depending on the sensitivity of the data being processed, we have conducted extended due diligence to ensure alignment of their controls with our policies, relevant data processing agreements, etc.”
So, who can we blame if it all goes wrong?
GDPR requires a level of collaboration between brands and technology partners (data processors and data controllers) to make sure compliance is achieved.
That means you need to choose your partners carefully, argues OpenX’s Doug McPherson.
“Under GDPR, data controllers and data processors are legally and financially liable for the actions of one another. So, more so than ever, companies should choose their partners carefully,” he said.
“Every company in the ecosystem will need to monitor regulatory progress and make adjustments as needed, and the shared liability means that companies need to feel confident that their partners are doing the same.”
Umerley said the data controller and the data processor will share the responsibility for any GDPR breaches, “but the impact will be highest to those at the top of the chain — the business deploying the technology.”
“It’s important that all of the players work collaboratively to ensure their compliance obligations are met,” Umerley said.
“In order to comply, a brand needs to ‘follow the data’ — from wherever it is sourced and to whomever it is shared — to ensure that the obligations, end-to-end, are being fulfilled. The monetary penalties, ability to operate within the European market, and potential impact to brand and reputation if not compliant are too great to ignore.”
According to Mike Pym, CEO of Gordian Lawyers, trading partners or clients may force GDPR compliance on your business as a requirement of doing business.
“Even if an organisation is not directly affected by GDPR, then it is likely that one of its customers is. They, in turn, will be demanding that you become GDPR-compliant so that they can continue to use your services,” Pym told Which-50.
“Furthermore, forward-looking companies are seeking to use their own GDPR compliance as a competitive advantage, not only to build trust with their customers, but to have competitive edge in their customers buying preferences.”
Katherine Sainty from Sainty Law had a similar take on the issues. “All companies should make an active effort to ensure compliance with the GDPR,” she said.
“Equally important will be the need to comply with the GDPR because of the requirements of trading partners. As well, some businesses will choose to make a virtue of compliance, publicising this to enhance their competitive advantage.”
The cost of compliance
With the very real possibility that GDPR becomes the global standard, it would be fair to expect organisations are taking compliance seriously. However, research from Forrester suggests fewer than one in three firms globally were claiming compliance in February.
In Australia, there appears to be an awareness problem. A survey of Australian businesses conducted late last year by research firm Telsyte found the level of consciousness of regulations, which includes GDPR, was surprisingly low. Only 61 per cent of businesses were conscious of privacy and regulatory concerns around big data, even with the Notifiable Data Breaches scheme that came into effect in February 2018, and the GDPR coming into play in May.
According to Pym, this is problematic as compliance is a costly and time-consuming process.
“[Compliance] requires complete organisational change and re-think of your business to consider your business through the lens of privacy protection, including updated marketing practices, IT security policies, employment agreements and policies, and updated agreements with customers and suppliers.”
The cost and lack of understanding have pushed many Australian firms to adopt a “wait and see” approach to GDPR, particularly smaller organisations. However, this is also troublesome, according to Sainty.
“While smaller Australian firms are not likely to be high on a European regulator’s watch list, the liability exists and the risk should be recognised and managed. For a small or mid-sized company, a fine this large could essentially wipe out business. All companies should make an active effort to ensure compliance with the GDPR.”
With the enforcement date just one month away, assessing GDPR compliance for Australian businesses should be a very high priority today, argues Kamani Krishnan, IAB’s Regulatory Affairs Director.
Krishnan noted that GDPR and the Australian Privacy Act share many common requirements. However, she recommends taking the following steps:
- Map your data practices: Begin taking steps to evaluate your information handling practices and governance structures, to understand what changes you need to enact before commencement of the GDPR.
- Immediately revisit your consent requirements: Under the GDPR, consent requirements are stricter than under the Australian Privacy Act and many other national laws. If you rely on consent to process personal data, you will need to ensure already obtained consents will still be valid. You may have to collect new, replacement consents. You must ensure consent is documented.
The IAB also provides guidance and resources for Australian businesses as does the Office of the Australian Information Commissioner (OAIC). And finally, consult the experts who are qualified to provide guidance on GDPR.