The GDPR: A Year in Brief

In a transitional and tumultuous first year, the GDPR has largely failed at its goal of reducing the number of data breaches occurring in the EU. And its biggest (yet still modest) success lies in its ability to notify parties when breaches occur, Slate submits.

Implementation has not led to the potentially high suggested fines levied against companies who unknowingly or haphazardly breach privacy laws in the GDPR. Ireland serves as the designated leader for the GDPR in the EU at large, with over 1,000 data protection officer (DPO) roles appointed by organizations across the country since GDPR took effect in May 2018, according to Silicon Republic. And the country has sympathized with tech companies in their efforts to accommodate the new laws while determining how to best preserve their data practices and comply.

The Potentially Problematic Data Proposition

The GDPR stems from a growing concern about privacy and about how tech companies use the data of ordinary consumers. The regulations attempt to codify and unify privacy laws across the EU in response to consumer and government unease with collected personal information. And the GDPR’s ethics rebutted what some saw as an imbalance of power between data collection and the accountability of companies who would use private and identifying information, as recounted here by Forbes. However, measures to protect the privacy of users have proven difficult, even when robust efforts have been made to determine the effects and causes of breaches.

Lost in Translation: Enforcement is Complicated

Even disregarding countries that act to accommodate businesses operating in the EU, codifying and unifying data and privacy has proven more difficult than anticipated. Factors like consent, transparency, and accountability have nebulous definitions without sharp agreement as to how they should function in the process of determining GDPR violations. Regulators and technology designers have made efforts to understand the causes of breaches while trying to determine what the exact impacts and costs of the breaches have been.

Year One: You Win Some, You Lose Some

The success of the GDPR largely comes from the standardization of notifications for when breaches occur (established by the EU). The EU has collected vast amounts of data as to what kind of breaches have occurred. And this abundance of information on the nature of breaches may help future legislation, as the law is advanced to compensate for its small impact to date.

Ireland, the designated GDPR leader, has shown willingness to work with companies who establish a relationship and help them to adjust to the developing legislation. But some countries have not shown such leniency in their administration of the law. France fined Google roughly €50 million and bucked the authority of Ireland, capturing 90% of the total fines served to companies whom the law affects in the GDPR’s first year, as indicated in this Politico report.

Even with France’s departure from Ireland’s authority and the heavy fine, other companies who have similarly faced fines have benefited from modest enforcement. There is an apparent apprehension to levy fines against companies governed by the GDPR. And its relative ineffectiveness at reducing data breaches falls short of succeeding in its primary purpose to change the handling of personally identifiable information (PII).

Where Data Collection and Handling Stands

No longer can marketers use AI to voraciously harvest data in the EU. Instead, greater planning and strategizing for how to deliver marketing must be employed. Disclosure of data use now requires marketers to reframe data initiatives to explicitly inform consumers about where data is stored, for what purpose it is stored, which data has PII, and who has access to the data in question. Additionally, the final say as to how the retention of data occurs is determined by the user. If the user chooses, he or she can request that the data undergo deletion, a request with which marketers must comply (giving the user authority over any collected information).

To be compliant with the GDPR, a company must submit notice to the ICO and the party whom a breach affects within 72 hours after the company becomes aware of the breach. Companies that have an employee base of 250 people or more must submit documentation for why the data undergoes processing, a description of the collected information, a timetable for how long the data will be stored, and a report on the precise measures a company has in place to secure information. Designated data protection officers also must oversee the data processes for companies and monitor data sets on specific users if the data used will expand and extend throughout a period of time.

Proactive Circumvention, Not Waiting for Enforcement

Sixty-five million euros were collected from fines in the 200,000 cases of breaches in 2018. But even in the absence of the heavy fines possible with the GDPR in the first year (potentially 4% of a company’s annual global turnover), oncoming 5G technology presents the possibility for tech companies to be further embroiled in the complex landscape of the GDPR, as suggested in the report by Politico.

Tech companies should exercise caution while handling sensitive information and attempt to get ahead of potential pitfalls in the future (even with forgiving Emerald Isle oversight and even with the minimal fines in the transitional first year of the GDPR). The GDPR will continue to develop to meet the demands of new technology. And it will expand to account for shortcomings in the law in its current state.

Fair Data and People-Based Marketing

Although multitudes of data can assist marketers in how to proceed through a campaign, consideration for the people whom data collecting affects perhaps creates good policy for gaining the trust of consumers, as Marketing Land notes. More and more, the power for how to proceed throughout the customer journey lies in the hands of the consumer. And listening to customer desires and considering their experience is smart customer-centric marketing.

Savvy digital marketers, like those at Axis41, A Merkle Company, can apply expertise to assist companies in navigating the GDPR and help avoid the possibility of negative outcomes, which may increase over time. To learn more about how the GDPR has performed and how to best comply with regulations and support your customers, contact us today.