GDPR: One Year On

GDPR has become the global benchmark for consumer privacy and data protection. Yet, many marketers still don't understand what the law means in practice.

It's been twelve months since GDPR came along and changed everything. It feels like far longer. Businesses spent most of the first half of 2018 preparing for the EU's privacy regulations, without any idea of what the new law actually meant in practice or what its long-term impact would be. A year later, that uncertainty still persists.

For a law intended to harmonise privacy regulations across Europe, the variety of interpretations was remarkable. In this respect, the law has not worked as expected. Businesses did generally align their compliance mechanisms at the regional level, but every company I worked with had a different interpretation of the law and their own reasons for choosing their particular GDPR and data protection policy. Some businesses adopted a legitimate interest clause to continue their outbound marketing activities after GDPR precisely as they did before it, perhaps with a slight tidying up of their database and new opt-out processes. Others adopted an opt-in policy for one of many different reasons. These included:

Some of these companies have since relaxed their policies due to concerns about the number of opt-ins, whilst others have tightened up after seeing national data protection authorities applying penalties to Google, Facebook and others over non-compliance. There is no sign of any convergence in corporate policies though, with some brands sticking to a strict opt-in policy, others relying on legitimate interest and the majority somewhere in between. Even at the Adobe Summit last week, I was having discussions with companies confused by the requirements of GDPR and how to implement it within a marketing environment.

The expectation was that case law and rulings from national data protection authorities would sort the situation out. In the immediate aftermath of the GDPR deadline, there was a flurry of complaints from privacy advocates against high-profile tech firms, as well as other businesses that were potentially in the firing line. At the start of the year, high-profile fines were levied against Google because their method of collecting consent to track users for advertising wasn't clear enough. Consent for tracking cookies was one area where there was a lot of activity in the run-up to GDPR. This didn't necessarily affect marketers, because cookie consent under GDPR is generally interpreted as only being required for cookies used for personalised advertising. It did hit media publishers, who now display very prominent opt-in banners before readers can access an article on their sites. It is claimed that most people click through on cookie opt-in banners, but that is probably because opting out is often very difficult, if not impossible, which is in breach of both the letter and the spirit of GDPR. In fact, it's this breach which led to Google being fined.

So far, punishments levied for GDPR breaches have been light. This includes the penalties for high-profile hacks and data breaches. GDPR was intended to change business models so that companies started to consider consumer privacy as part of their products and go-to-market strategy. Facebook's high-profile privacy woes dovetailed well into this at exactly the right time by raising consumer awareness of the risks inherent in any business which doesn't value data protection. There has been a definite sea change in consumer attitudes towards corporate use of their personal data, in Europe and across the world. Governments are now scrambling to catch up, and have been looking to GDPR as a blueprint for their own data protection legislation.

First off the mark was California, which passed the CCPA last June. This is due to come into force at the beginning of next year. Its implementation has been dogged by battles in Sacramento between privacy advocates and tech businesses seeking to water down the requirements of the new law. As a result, a series of exemptions have been carved out for small businesses. The focus of the law has also shifted from consent gathering to information disclosure. It does not give any new opt-in rights to Californian consumers. Instead, it extends the existing right of opt-out in CAN-SPAM to the sharing of personal information, and introduces a requirement for any sharing of personal details to be disclosed on the company website through a page that is accessible from the home page. In general, if you're compliant with GDPR you're probably compliant with CCPA.

Brazil has also passed a version of GDPR called LGPD, which adheres quite closely to the original European law but with a few small differences. Due to come into force at the end of August 2020, LGPD has a slightly looser definition of legitimate interest and adds four additional legal justifications for data processing, most of which are intended for Brazilian government agencies.

Brazil will not be the last country to follow the EU's lead on data protection legislation, with draft data protection legislation based on GDPR already under discussion in both China and India, among many other countries. Elsewhere, Japan and South Korea have tightened up their already strict data protection laws to achieve regulatory equivalence, opening up the possibility of cross-border flows and local data processing of EU citizens' data.

GDPR has become the gold standard by which data protection is judged and not just in Europe. Businesses need to be prepared to extend its provisions to countries outside the EU as they adopt their own versions of it. They also need to remember that compliance is an ongoing effort rather than a one-off event. Valid consent for data processing needs to be obtained for every contact, so data collection processes require constant monitoring. Managing data retention is also an ongoing process, as GDPR imposes limits on how long data can be kept.

Then there is the ePrivacy Regulation. This planned update to the EU's consent and cookie laws was supposed to enter into force at the same time as GDPR, but has been stuck in limbo for the past 18 months due to disagreements between member states. When it does eventually get passed it will clarify many of the uncertainties within GDPR, but don't expect that to happen any time soon. In the meantime, the questions about what GDPR exactly means will persist. National data protection authorities are aware of the issue, and are looking to help businesses that make a serious effort to comply with the regulation. The fines allowed by the regulation are hefty, but so far severe penalties have only been applied to firms who try to ignore the law or bypass it. Businesses who have been trying to comply with the law have been let off with minor punishments, even in the case of serious data breaches. The uncertainty around what GDPR actually means in practice is a potential business risk, but the bigger risk is ignoring the law entirely and attracting serious regulatory scrutiny.

Written by
Marketing Operations Consultant at CRMT Digital specialising in marketing technology architecture. Advisor on marketing effectiveness and martech optimisation.