Nine months on from the introduction of Europe’s General Data Protection Regulation (GDPR) and the first major fine has been handed down to Google for not being transparent and clear enough with consumers about how their data is being used.
While Google says it plans to appeal the €50m fine, the ruling from the France’s data protection regulator signals the grace period in which companies can adjust to the strict new privacy rules is coming to an end.
Aaron Jackson, managing director, international of global data marketplace Eyeota says the move from the French watchdog is a reminder to all businesses dealing with European data that the legislation is enforceable and brands need to understand the steps their vendors have taken in order to comply.
“My advice to anyone in the Australian market is to put privacy by design at the forefront of your business. That is one of the most important things you can do,” Jackson told Which-50.
“Think about the consumer, make sure you really put yourself in that mindset and respect the privacy of the consumer.”
Jackson was leading Eyeota’s EMEA business prior, during and after GDPR came into force on May 25, 2018.
Its introduction brought with it a complex set of challenges for Eyeota, which sits in the middle of data ecosystem of publishers, agencies and data providers.
Eyeota aggregates data from multiple sources including online publishers and offline data providers so agencies and brands can use data to target their campaigns and reach the right consumers with the right message at the right time.
The company, which was established by founders based Australia, Singapore and Berlin, adopted Germany’s stringent privacy laws from day one. Nevertheless the gap between Germany’s privacy laws and GDPR was substanial.
For example the business needed to through a process with every single data source it uses to audit how they were collecting data, ensuring they complied with consent rules.
Another core principle of GDPR is that European citizens have the right to know what information a company has on them as well as have that data corrected or completely erased.
The requirement has meant companies need to adopt new processes and technology to automate those requests. If they don’t the potential cost could be as high as €20 million, or 4 per cent annual global turnover – whichever is higher.
While Eyeota doesn’t hold any personal data like names or email addresses at any time, it still must be able to tell consumers what it knows about them, Jackson explained.
“We need to be able to run diagnostics on everything we know about them and then send that to them in a usable format. That was something we never had to do before,” he said.
To do that Eyeota gets user permission to drop a cookie on them which then recognises what is known about that user.
Jackson says it is more common for people to ask to have their information complately erased rather than report what Eyeota knows about them. He says Eyeota is receiving around three or four requests per week from citizens asking for their data to be deleted.
“It’s enough that we needed to build an automated process because we need to run them through the system in a matter of hours.”
Jackson thinks most of the requests are from people in the industry who have an understanding of the issues and are testing out how the process works.
Overall Jackson says GDPR has been a positive force that has helped “clean up the industry”.
“Yes, it was a big process, yes it was a huge undertaking and yes it pulled a lot of resources from a lot of the business to make sure everyone was compliant,” he said.
“But I think it really provided and moved people towards privacy by design which I think is particularly important and something we’ve always adopted from day one.”
“It really lifted the lid on transparency as well as the need for data provenance. More and more brands and agencies are becoming educated on the source of data and needing to know where that comes from and, I think anything that does that is particularly important.”