What are the key issues facing data-driven organisations today? And how should we tackle them? Experts from the fields of data governance, innovation and strategy gathered at our recent breakfast briefing in London to give their take. Here we'll reveal some of their best-practice tips, starting with Robert Bond, who gives his verdict on how to approach the GDPR and evolving global regulation trends.
There’s an eerie lack of awareness about the impact of the GDPR on US businesses that target 500m consumers in the European Union. There are lots of reasons for this – complexity of laws, inadequate budget and too little time combined with the lack of qualified and trained staff have conspired to perpetuate this lack of readiness by US marketers.
I’ve been in conversations with senior US executives who’ve boldly told me that the “GDPR doesn’t apply to them” and that in any event they can rely on ‘legitimate interest’ to continue to market goods and services and monitor the behaviour of EU citizens as they’ve always done.
Well, they’re in for a nasty GDPR shock
US-based companies that have never set foot within the EU will face significant sanctions and fines – between 2% and 4% of global annual turnover or €10-20m, whichever is greater – if they refuse to play by the new rules.
This may sound like a nightmare scenario but data protection, privacy and security laws across the world’s largest digital single market have got a lot tougher.
In fact, it’s less about ‘general’ and more about ‘global’ standards, so perhaps ‘GDPR’ should be an acronym for ‘Global Data Protection Regulation’. Other jurisdictions are following the European lead here.
There are several reasons for the evolutionary change in the global data protection landscape. And the big one, of course, is privacy.
The Facebook/Cambridge Analytica scandal that impacted 87m personal data records may be only the tip of the iceberg of what’s now known as ‘surveillance capitalism’.
Interestingly, the word ‘privacy’ doesn’t appear in the US Constitution, although the Constitutions of 10 US States – Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington – do have explicit provisions relating to a right to privacy.
Like the right to carry arms that so many Americans feel defines their version of democracy, millions of Europeans consider their right to privacy of their personal information to be just as sacred and a fundamental human right.
But this isn’t just a European thing. It’s a global thing. In a landmark judgement in August 2017, the Indian Supreme Court highlighted the fundamental and universal value of the right to privacy as an “essential facet of the dignity of human being”.
The EU Directive 95/46/EC (now repealed and replaced by the GDPR) had established a broad set of principles with respect to the protection of privacy and personal data. However, each EU Member State was given wide discretion to implement these principles at a national level, with the result that US companies faced a patchwork of data protection, privacy and security laws that made it extraordinarily difficult to work out how to run marketing campaigns across the EU, without the fear of falling foul of data protection and privacy laws that varied between different European jurisdictions.
The legacy is that today the patchwork quilt of different EU Member State laws is now vastly reduced to a few operational areas and, although not perfect and not without its critics, the GDPR is a bold and ambitious attempt at achieving a degree of harmonisation and consistency not achieved in the past 20 years.
Cross-border transfer of personal data between US and EU is now going to change
A critical commercial impact of these assorted data protection and privacy laws is on cross-border personal data transfers between the EU and other jurisdictions.
Only a small number of other countries, such as Canada (in part) and Israel, had been viewed in the EU as having ‘adequate security’, so transfers of personal data from the EU to these countries aren’t generally restricted under the GDPR. The US struck its own form of adequacy mechanism with the EU-US Privacy Shield. But how long this continues to be in place remains to be seen.
EU Standard Contractual Clauses (SCCs) are an alternative to Privacy Shield. The Model Contracts are forms negotiated between the Commerce Department and the European Commission that are to be used when personal information is transferred from the EU to the US. These documents typically can’t be modified to suit the business transaction, and this inflexibility can sometimes be a barrier to their use.
A very few US organisations have implemented ‘binding corporate rules’ (BCRs) that allow multinational corporations, international organisations and groups of companies to make intra-organisational transfers of personal data across borders in compliance with the GDPR. The rules must conform to strict protocols and be approved by multiple data protection agencies in Europe.
The time, cost and expense of enacting BCRs has slowed adoption even by very large companies. This is why the GDPR will become, de facto, the way in which personal data transfers are now regulated, with the objective of harmonisation across Europe: sweeping away the wide variety of rules and regulations among EU Member States and replacing them with a uniform set of data protection principles.
Why a single EU Regulation is a game-changer for US marketers
At first glance, the concept of uniformity is extremely attractive. Regulation 2016/679 has been regularly promoted as a means to simplify conducting business in the European Union and the European Economic Area (EEA).
However, the ‘devil is in the detail’, especially with respect to how the GDPR will be implemented. Here, we need to watch very closely how the European Data Protection Board (EDPB) responds to the challenges it will face in the courts.
A central driver behind introduction of the GDPR is to affirmatively enhance protections for individuals and their personal data — which will entail an inevitable and, in some cases, potentially dramatic increase in the regulation of companies, not to mention very substantial increases in the potential financial penalties.
Big US companies will be the data controllers of personal data that belongs to data subjects and will also be responsible for directing the use of that data by data processors and sub-data processors anywhere on the planet. There may be situations where US companies will be working jointly with data processors for different purposes.
Legal liability for ensuring protection of personal data typically rests with the data controller (although data controllers may have claims against data processors for data misuse, breach of contract, etc). However, US data controllers will be jointly and severally liable for data protection, privacy and security at any point of the value chain. So for any breach or any unauthorised use and/or disclosure of personal data, the data controller’s neck is on the line including compensation claims made by affected data subjects.
From a commercial perspective, this new approach has the potential to immensely complicate routine transactions.
A vivid example of the impact on commercial operations can be seen in the Google Spain v AEPD and Mario Costeja González case in the EU Court of Justice that effectively established the concept of ‘the right to be forgotten’, now a data protection right under the GDPR.
US companies must carry out a data protection impact assessment and may well be advised to appoint a Data Protection Officer
US companies that are doing business with EU citizens right now need to get on and carry out a data protection impact assessment (DPIA) across their entire operations, not simply on a project-by-project basis, as well as appoint a data protection officer (DPO) or chief privacy officer who will effectively be the eyes and ears of the company in how it complies with the GDPR.
Under the GDPR, the DPO enjoys a status very different from that of other senior managers, given that their primary responsibility is to protect data privacy rather than to advance the commercial interests of the company at any cost.
Under the GDPR, the data controller must report a personal data breach that could cause harm or damage to data subjects within 72 hours of knowing about it. This will pose a significant burden as many organisations are simply not geared up to respond to such contingencies in such a short time frame.
Impact of GDPR on internet marketing for US companies
Internet marketing, the very model that’s inextricably embedded in countless commercial practices and increasingly sustains commercial activity on the web, is at risk under the GDPR.
Specifically, ‘profiling’, the practice of developing a snapshot of an individual’s preferences, browsing history, purchases, etc, would be prohibited unless it is necessary for the performance of an agreement, authorised by law, or explicitly consented to by the individual.
Behavioural advertising, targeted marketing or re-marketing, email solicitations and other direct marketing practices will be less effective if they can’t be targeted using individual profiles, and therefore less valuable.
The collection of information on individuals as a basis for displaying personalised ads, one of the largest tools in the current toolbox of e-commerce, could suddenly disappear. The disquiet created by Facebook/Cambridge Analytica will effectively tighten the controls over such practices in the new e-Privacy Regulation (E-PR) to be adopted by the European Commission, possibly not until autumn 2019.
The GDPR Handbook by Ardi Kolah was published on June 3rd, by Kogan Page, priced £49.99. For more information visit: www.koganpage.com