24 Business Leaders and Data Privacy & Compliance Experts Share Their 3 Key GDPR Takeaways
The General Data Protection Regulation, commonly known as GDPR, went into effect in May 2018. While GDPR relates to the data privacy of European citizens, it has far-reaching effects, requiring any business around the world that collects, stores, or transmits personal data of EU citizens to comply. As a result, it forced businesses everywhere to reevaluate their data collection policies and their processes for getting consent prior to collecting data on any individual protected by the new law in order to ensure compliance.
Perhaps unsurprisingly, the impacts of GDPR didn't stop there. Thanks to widespread media coverage of GDPR, citizens around the world have started to pay attention to their data privacy. Laws in other countries and in U.S. states, such as the California Consumer Privacy Act, have begun to crop up, many of them mirroring important aspects of GDPR.
While much of the frenzy surrounding GDPR implementation has died down now that it's been in effect for more than a full year, there's still much to learn and more progress to be made as the U.S. and other countries enact their own privacy regulations to protect consumer data. To find out what the biggest takeaways after the first year of GDPR have been for experts in privacy and compliance, as well as for businesses that have dealt with implementing new policies and processes for compliance, we reached out to a panel of data & privacy experts and business leaders and asked them to answer this question:
"GDPR has been in effect for over a year. What are your 3 key takeaways?"
Meet Our Panel of Privacy & Compliance Experts and Business Leaders:
Read on to find out what our experts had to say about their main takeaways from GDPR's first year.
Siddhartha Gupta
Siddhartha Gupta, Chief Executive Officer of Mercer | Mettl, an HR technology company and leading talent measurement firm that enables businesses to make precise people decisions in talent recruitment, management, and training across industry verticals.
“When you’re hiring a traditional workforce, you get them to sign a non-compete agreement in their contract…”
In exchange for reasonable value-addition and consideration of their legitimate interests. With the contingent workforce, the demarcation of contacts is diminished and there are huge risks and consequences associated with the leak of critical data like client lists, trade secrets, proprietary technology, and intellectual rights. There are no legalities, liabilities, or legislation that cover contingent workers or how they plan to use crucial company information, especially when the worker is working with companies of competing interests, certainly without the knowledge of competing parties. How that shapes up and evolves in the wake of GDPR and data regulations is also something that has to be figured out.
Companies need to buckle down the legislation around contingent workers and use of critical company data, bringing on board legal experts to frame their non-disclosure and non-compete contracts for freelancers and gig workers... Otherwise, companies can have a mixed workforce partly consisting of gig workers for tasks that don’t include a lot of crucial clients' and organizational data and proprietary technology information and partly of traditional employees for tasks where such information is involved.
Consent Management:
Companies must be on the lookout for ways to give their customers and clients a seamless authority and control over their data. Some effective ways to handle consent management and data privacy:
- Consent Forms: Before using any data, people must be informed why the data is being collected and how it will be used. Just like Google does. Also, get their consent on the same.
- Strong Processes: Put in place strong systems and processes that are also streamlined according to GDPR regulations. This way personal data of customers is safe with you and you are safe with regards to legislation.
- Data Security: There must be strong and robust data security measures in place along with effective storage and retrieval platforms. Not to mention, regulations regarding sharing it with any third-party.
GDPR Implementation by Large Corporations:
While 2018 marked the arrival of GDPR regulations, the coming years will pave the way for the first steps towards its administration on the ground. For large organizations – technical, operational, and organizational aspects have to be streamlined with stringent data regulation and monitoring processes, a foundation of the procedure for handling personal data, and SOPs literature which works as an organizational protocol – will be crucial and of dire consequences. SMBs would be wary of spending any share of their budget on GDPR till results or outcomes become apparent for them to follow suit.
Dan Goldstein
Dan Goldstein is president and owner of Page 1 Solutions, LLC, an Internet marketing company representing attorneys, doctors, and dentists. He has published numerous articles and is a frequent speaker on internet marketing topics. Goldstein is an attorney and is licensed to practice law in Colorado.
"Here are the top 3 takeaways..."
1. Business owners need to be aware of privacy laws in all of the places they do business, not just laws in their home country or home state. One aspect of GDPR that I think has most thrown business owners for a loop is the need for compliance even if their company is located outside of the EU. The regulation extends across borders, and I think we're going to be seeing a lot more of that.
2. Companies need to 'privacy-proof' their online operations and marketing. Consumers are becoming more sensitive to what data is gathered by the websites they use and how the people behind those websites use their information. Governments are moving in the same direction. GDPR has set the tone for what to expect, so business owners should continue investing the time and resources to comply with not only GDPR, but other privacy laws and regulations.
3. An American equivalent to GDPR is coming if tech giants don't straighten up and fly right.
The EU is already taking action against Facebook, Google, and other companies for violating the terms of GDPR. America is more pro-business, but California has already enacted its own law. Other states and Congress are also exploring options for more privacy laws. The more data privacy scandals we see (Facebook is the poster child for these controversies lately, but it's not the only one), the more likely we are to see more sweeping regulations on our side of the pond.
Balazs Hajde
Balazs Hajde is Content Manager at Authority Hacker. His primary responsibilities include maintaining the highest standards of content quality and the efficient implementation of projects throughout the numerous sites managed by the company.
“Though the hype and fear over GDPR was palpable around the time it came out…”
We quickly realized just how small its impact was going to be on our business.
GDPR gets progressively easier the less data you store about people. Since for most of our marketing efforts we only store emails, GDPR has had little effect on our day-to-day outreach. We already include opt-out links in our emails and make sure to not spam addresses, so we didn't really need to change anything.
Membership and customer information is a trickier issue. We set up a simple but effective manual procedure to deal with data-related requests. So far none of our hundreds of EU customers have inquired about anything regarding GDPR. This can either be because of disinterest or lack of information on what exactly they can do under GDPR.
Finally, from a personal consumer perspective, it was interesting to see how sites outside the EU decided to handle the GDPR question. Some simply had a few more consent boxes to tick when first entering. Others – especially US news sites with semi-local coverage – completely shut themselves off from Europe.
Simon Fogg
Simon Fogg is a data privacy expert and legal analyst for Termly.
"My three key takeaways after the first year of GDPR being in effect are..."
1) The GDPR’s one-year anniversary marks the end of regulator leniency.
Uncertainty and contradictions defined the first year of GDPR enforcement. Many companies tiptoed into compliance under threat of huge fines, with many major US publications choosing to cut off their EU customer base entirely rather than risk penalties. However, although Google was fined 50 million euros for lack of transparency and proper consent, the other fines levied were relatively minor.
The underlying message is that the first year of GDPR was only a transition period.
Just as businesses behaved tentatively, regulators were lenient. Privacy watchdogs predict that as authorities catch up on their backlog of data breaches, we’re in for a wave of new penalties.
2) The GDPR’s perspective on facial recognition technology is still blurry.
By replacing 1995’s Data Protection Directive, the GDPR was touted as a reflection of the modern digital landscape. However, it’s already struggling to keep abreast of new technology.
Several issues arise with the GDPR when facial recognition technology (FRT) is used for marketing or surveillance. The biometric information it collects is considered sensitive personal data, meaning the GDPR reserves special requirements for its lawful processing.
Implementing FRT to unlock a user’s smartphone is one thing, but monitoring a crowd of thousands of people is another – as Madison Square Garden has reportedly been doing in secret recently. Under the GDPR, all individuals involved must consent to their data being used – and be able to withdraw their consent at any time.
This is uncharted territory for the GDPR. Although its definition of consent is clear, how it will protect data subjects in practice with technological developments like FRT is highly ambiguous.
3) The GDPR is just the beginning of new global data protection laws.
When the GDPR was first introduced, most consumers only noticed an increase in the number of consent banners appearing on websites. However, 107 countries have now passed data privacy legislation similar to the GDPR, changing global data collection practices forever. With the CCPA on the horizon in the US, many companies will be forced to rethink how they do business with the world – or face new consequences.
If there’s one key takeaway from a year of GDPR it’s this: for users, it may not seem like much has changed. But in reality, everything has changed.
Dave Brunswick
Dave leads Cleo's pre-sales and solution support for North America. He brings more than 25 years of experience in technical sales, pre-sales, technology strategy, engineering, product management, and product development.
“The overarching theme regarding data privacy mandates is that…”
Governments and regulatory agencies recognize the growing need for expanded data security, data privacy, and corporate transparency. In the wake of GDPR, some states are already working to shape their own privacy policy. For example, the California Consumer Privacy Act (CCPA) was signed into law this year and will kick off in 2020. Similar to GDPR, CCPA expands personal data protection for today's increasingly connected world, including the right to be forgotten, a right to portability, and a right to access data.
There is a careful balance to be struck between protecting the privacy of individuals and making it impossible to do business. Many organizations have spent a lot of time and effort figuring out how GDPR impacts them and putting in place the right systems and controls to ensure compliance. Unless there is consistency between states, it will become increasingly difficult for companies to comply with all the different policies out there. If regulation is too restrictive and variable across state boundaries, it could create a significant barrier to expanding businesses. On the flip side, if the regulation is too loose and doesn't have real teeth when organizations don't comply, then there is little point in having it since it will not materially affect behavior.
GDPR already raised the bar on data privacy standards, increasing emphasis on respecting individual rights by giving back control of personal and sensitive information, and enforcing heavy financial penalties for businesses that fail to do so. State IT organizations will inevitably face a higher bar – CCPA, for example, gives Californians unprecedented access to their data, while still making it possible for for-profit companies to collect and sell consumer data within established guidelines.
Victor Fredung
Victor Fredung is a seasoned fintech innovator with multiple years of experience from the payment sector. He joined Shufti Pro as CEO in 2018 and has led the company towards growth and success. In his time at the company, he has helped build a fraud prevention platform that allows businesses to verify their customers in real-time.
"As a company that deals vastly with European clientele and users, we adhere to strict GDPR guidelines..."
In the year following the GDPR regulations, we have seen that the focus for us has shifted from what to how and why. The focus of it has become more widespread and involves thorough education of both the management (executive and mid-level) as well as the workforce. GDPR regulations have taken the authority to collect and share data from companies to individual users, allowing them to control how a company can collect, use, and share their information. Pursuant to these regulations, companies must chalk out a detailed GDPR compliance game plan in order to meet these regulations.
David Reischer
David Reischer is a practicing attorney in New York City in the areas of civil litigation, commercial litigation, education law, and business law. David is also the founder and Chief Executive Officer of online legal services website LegalAdvice.com.
"A year ago, the idea of a federal data privacy law in the U.S. was unthinkable..."
In 2019, the prospect of such legislation has suddenly become very real. Right now, telecommunication carriers (such as cell phone service providers) are simply not held to a strict standard from selling their customer data, but be prepared for that to change as data privacy begins to be taken more seriously in America. In Europe, with passage of the 2016 General Data Protection Regulation (GDPR), the EU is leading the charge to take data protection more seriously. It is inevitable, in my opinion, that eventually a similar federal law will come to regulate how big businesses protect personal data, and hopefully there will be a greater protection of an individual's right to privacy in the near future. Very few states recognize a broad interpretation of an individual's 'right to privacy', with a notable exception being California. California recently passed the California Consumer Privacy Act (CCPA), but that does not go into effect until 2020. In the wake of ongoing scandals involving Americans’ digital privacy, there is a growing sentiment among Americans that our federal laws need to reflect restrictions on how companies use customer data.
Nicole Rohde
Nicole Rohde has been leading the international expansion for the luxury leather brand Maxwell-Scott. She is responsible for all media partnerships and the worldwide PR activities.
"Here are my 3 key takeaways after a year of GDPR..."
1. It has become harder for companies to build out mailing lists. By asking for an opt-in from customers, promotional emails have become less user friendly and many customers have dropped off the mailing list. Considering that 20% of our sales come from our email marketing that is a worrying trend.
2. Collaborations with media partners have become more difficult as the data can't be easily shared anymore. It makes it more complicated for brands to build out target audiences.
3. The divide between the 'good guys' and the 'bad guys' has become substantial. Many companies would rather risk being fined instead of abiding by GDPR rules. They continue to send emails to customers that have not signed up and use the data for aggressive promotion that often even leads to financial success. As a company that abides by the GDPR rules, it can be hard to compete with that if you want to make sure that your customer data is protected and nobody is signed up to any promotional emails that they don't want to receive.
Carolina Abenante
In her role at NYIAX, Carolina Abenante leads the company’s funding, business strategy, legal and investor relations. Ms. Abenante has been in the New York tech and advertising scene since 1999, holding numerous leadership positions focused on mergers, acquisitions, strategic partnerships, and business development. She sits on various New Jersey Bar and ABA committees (Tax and Media) and is also a Certified Privacy Officer (CIPP).
"The main three takeaways on GDPR, based on findings from the DLA Piper GDPR Data Breach Survey: February 2019, include..."
1. Data breach reporting has been the main focal point over the last year. From the DLA-Piper report constructed by the company’s cybersecurity team in February of 2019, we know that GDPR allowed for a uniform method and designated regulators to report data breaches that did not exist prior to GDPR in the EU member states, thereby allowing for streamlined data compliance. A DLA-Piper survey demonstrates over 59,000 reports of data breaches from minor email breaches to cyber attacks. A uniform reporting structure and designated methods to report data breaches have been extremely helpful as a result.
2. Regulators are country-specific and stretched thin for reporting and compliance. The prior countries and companies within the countries that have been successful in reporting data breaches were the Netherlands, Germany and the UK. We see these three countries with the highest compliance to data breach reporting and GDPR. Most other EU countries are lagging. These countries include France, Italy, and Spain. Therefore, implementation and compliance are not country, GDP, or population specific. This is likely due to the fact that regulators are stretched very thin and data compliance in underreporting countries has been affected by the lack of regulatory compliance.
3. On average, fines have been low and based on pre-GDPR amounts, with the exception of Google with the French Data Protection Supervisory Authority (CNIL) on data consent. Finally, the fines are implemented from the old data privacy requirements which were inherently on the low side, averaging around 5,000 Euros as opposed to 10M Euros or 2% of global revenue. This is one large case-in-point from CNIL regarding Google based not on a data breach but on informed consent for the sale of data. Therefore, how regulators are imposing large fines has been few and far between.
Aleksandr Maklakov
Aleksandr Maklakov is the CIO at MacKeeper.
"The two main takeaways from GDPR after a year are..."
The main thing about GDPR implementation is to change the focus of the entire IT security ecosystem from corporation-focused to customer-focused. Previously, company security was in the center of everything; now company security processes are based on customer protection. This required a change in the processes across all our departments as well as the creation of new ones that we've never had before – in marketing, customer support, and product development.
Another learning related to this is that you should inform each and every person in your company about GDPR implementation: what, when, and how you’ll do what you’ll do, never forgetting the all-important "why." At the start of the implementation process, we led a series of workshops and knowledge sessions for different teams, where all the complex requirements and their effects on work were explained. If you want GDPR to be implemented properly – it’s important for everyone in the company to know the effect it will have on their work.
Ray Walsh
Ray Walsh is a digital privacy expert at ProPrivacy.com with vast experience testing and reviewing VPNs and online security software. He has been quoted in The Times, Washington Post, The Register, CNET, and more.
“GDPR has created a lot of new challenges for businesses, and even a year after its implementation, it is…”
Clear that firms are still coming to terms with the intricacies about what it means to be compliant. One big takeaway from GDPR is how simple human errors can open up businesses to noncompliance and can easily result in consumers' GDPR rights being breached.
While GDPR is a massive step in the right direction, it still allows for a lot of data to be collected from consumers on an opt-in basis. While consent for data retention is a vast improvement over the ability to opt-out, opt-in fatigue can lead consumers to haphazardly agree to invasive data collection practices. Consumers need to be aware that where personal data can be used to provide a service they agree to, consent is usually enough to allow those firms to control and process their data legally for as long as the service is being provided.
As it stands, GDPR states that the lead regulator is the country where tech firms have their “data controller.” In most cases, firms have opted to make this Ireland. Ireland’s position as chief GDPR enforcer for those firms has been brought into question, because it is thought to be a possible loophole that is allowing firms to continue collecting invasive amounts of consumer data.
A year after GDPR came into effect, Ireland has failed to bring any enforcement action against any large tech firm. In fact, some firms such as Microsoft and Facebook have actually re-instated some invasive data practices since GDPR came into effect. Facebook, for example, has reintroduced its facial recognition tool, which was previously banned in the EU because it was believed the photos could be used to track consumers without their consent.
This is leading privacy experts to question Ireland’s commitment to enforcing GDPR, and is raising concerns that Ireland may be enabling some degree of corruption.
It is feared that Ireland is not economically powerful enough to stand up to large tech firms, whose business it is desperate to attract to its shores.
For GDPR to be effective, Ireland’s position as chief enforcer (and other countries in a similar position) needs to be monitored carefully. And, if it is serving as a loophole for large tech firms to continue with invasive data collection practices, the EU must seek to provide direct oversight to ensure those chief regulators are doing their job correctly. Failure to do so could render GDPR ineffective and could open the door for other nations to begin courting tech firms for their business – in exchange for similar – or perhaps even more troubling kickbacks.
Sweeney Williams
Sweeney Williams is Vice President of Security, Privacy & Compliance at Vision Critical. A security and privacy leader with more than 10 years of experience managing complex, globally dispersed cloud compliance operations, he provides best practice guidance to business stakeholders and customers to assist, advise, and educate on all aspects of data privacy and security.
"My three key takeaways for the effect of GDPR over the past year are as follows..."
1) GDPR has dramatically changed the public’s view of data privacy rights.
The single most significant and beneficial impact of GDPR, both within and outside of the U.S., has been its influence on the public due to the strong data subject access and transparency rights it features. While the underlying concepts contained in GDPR are not new, awareness of data privacy rights has skyrocketed as a result of the unprecedented amount of press the regulation has generated since its introduction. Individuals now expect to receive the same level of transparency, data access, and control rights as those contained in GDPR and regulators around the world are facing significant pressure from their constituents to enact GDPR-like data privacy legislation in their own countries.
2) GDPR has changed how companies around the world do business in the EU.
Prior to GDPR, companies with no physical presence in Europe could operate with little or no regard to EU privacy requirements since the reach of enforcement was limited, and potential fines low. The GDPR has forced companies not only to take notice of EU requirements, but to actively enact and enforce those requirements in their own operations, often at great expense. Thousands of companies have hired data protection officers, created complex data flow maps, implemented data subject access processes across dozens of disconnected applications, and made significant upgrades to their data security and privacy operations. On the other hand, a number of companies have chosen to shut down operations that were either located in the EU or were providing products and services to the EU, believing that the cost of lost revenue would be lower than the cost of compliance and potential fines. Some have even gone so far as to block European IPs from connecting to their websites.
3) GDPR is influencing new data privacy regulations around the world, forcing businesses to change how they interact with customer data.
In the U.S., the rate of newly proposed data privacy regulations is at an all-time high and is likely to culminate in the creation of the first ever U.S. federal privacy law which some deemed impossible just a few short years ago. We have already seen two notable examples in the California Consumer Privacy Act (CCPA) and the proposed, but currently stalled Washington Privacy Act, which contain heightened data access and control powers for individuals, among other provisions. Countries such as Brazil and India have also introduced new data privacy laws. Businesses will need to closely monitor these rapid changes in the regulatory landscape and adapt accordingly, which means that the concept of one-off privacy compliance activity is a thing of the past. Privacy and security programs will continue to mature and gain traction within organizations as a central, critical component of business operations. From a business perspective, the textbook challenge of data privacy is utilizing personal data while respecting the individual's right to privacy and managing their evolving privacy preferences. To succeed going forward, businesses must embrace the importance of transparency and earning consent not just to comply with regulations, but to foster deep trust that helps produce exponential mutual value for both the brand and its customers.
Alexis Irias
Alexis Irias is a Digital Marketer at Spire Digital.
"During my previous position with a domain registrar, we took GDPR very seriously..."
The fines for GDPR non-compliance are as much as €10 million or 2% of annual global turnover, whichever is higher, which can be enough to put a relatively small to mid-sized registrar under. As a result, software and web developers ensured there are no possible glitches with the collection and exposure of European customers' contact information.
The three take-aways from this are the following:
1) From a registrar perspective, GDPR complicated the process for domain investors, both selling and buying domains. The traditional process is to find the domain reseller's contact information through the Whois database and inquire about the purchase of that domain. GDPR prevented this from happening, therefore registrars are starting to rethink this process.
2) The high fees associated with GDPR non-compliance are making web and software developers extra cautious with the collection of personal information across the board.
3) The expectations for Internet privacy have increased across the board since the implementation of GDPR.
Jeff Campbell
Jeff Campbell is the owner and main content creator at Middle Class Dad in addition to other websites. When he's not writing about parenting, relationships, or blogging, he can be found with his family, cooking, or practicing martial arts.
"The 3 big takeaways after one year of GDPR being in place are..."
1. It probably wasn't as big a deal as everyone was making it out to be a year ago.
Ultimately, the law was put into place to prevent very large companies from doing unethical things with people's personally identifiable information.
It was not designed to go after the average blogger, small business owner, or content marketer. Many of the laws were on the books already; the May 25, 2018 deadline was just given to put a little heat to it.
But at the end of the day, a blogger with 100,000 monthly visitors, 3% of whom come from the EU, has almost nothing to worry about, especially if they are doing a reasonable job of being clear, honest, and ethical in the first place.
2. It was good in terms of pushing all webmasters to be more transparent about when and how people were being added to email marketing lists and what being on a list actually meant in terms of receiving future emails.
Many content marketers in the past would give away some type of freebie, usually called a lead magnet, in exchange for someone entering their email address.
But to the person getting the freebie, it wasn't usually clear that they would then be getting follow up emails in the future about other products, promotional items, etc.
GDPR brought some needed clarity to that, which is probably resulting in fewer unsubscribes and better open rates on those emails since people are less likely to be surprised by them now.
3. It has probably hurt readers in the EU who just want access to content and freebies as some webmasters choose to scrub their lists (i.e., delete) of visitors from the EU to avoid possible future complications.
Some may also continue to be removing visitors from the EU from their email marketing campaigns for the same reason, and virtually all email marketing providers added features on or before May 25 last year that allow us to identify email addresses from the EU by IP address.
Steven J.J. Weisman, Esq.
Steven J.J. Weisman is a lawyer who teaches Media Law at Bentley University and an expert in identity theft. He also writes the blog Scamicide.com, where he reports daily on the latest developments in scams and identity theft schemes.
"A year after going into effect, the European Union's GDPR is still a work in progress..."
According to a study by the security testing company ImmuniWeb, many companies are failing to meet the required standards, with 51% of the sites tested failing to meet the easy-to-comply-with standard of having a readily accessible and clear privacy policy. GDPR requires disclosures regarding securing cookies and disclosing if cookies are being used. According to ImmuniWeb, 80% of the tested sites failed to provide a clear disclosure regarding cookies or used insecure cookies that put users' information in jeopardy. A good statistic is that the large majority of sites tested used strong content management systems (CMS) to help protect against data breaches. GDPR is a good first step toward educating consumers and protecting privacy, but it still has a long way to go.
Anne P. Mitchell
Anne P. Mitchell was one of the first internet law and policy attorneys in the U.S. She is an expert consultant on GDPR and other internet policies, author of part of the U.S. Federal anti-spam law, and the CEO of the Institute for Social Internet Public Policy, which provides email reputation certification.
"My three key takeaways on GDPR after one year are..."
1. U.S.-based companies still don't think or believe that they have to comply with GDPR – they are wrong. GDPR specifically states that it will be enforced against anyone, anywhere, who violates it, and there is no 100% sure way to identify customers or online visitors who are covered by it (see takeaway #2).
2. Organizations outside the EU believe that they can avoid complying with, or being at risk from, GDPR if they take measures to not do business with EU residents and citizens. Many are going this route by stating on their websites that they only do business outside the EU, and even by going so far as to block EU-based IP addresses (which in and of itself is a violation of GDPR). However, nowhere does GDPR use the terms 'resident' or 'citizen.' It only says 'in the EU' which, until clarified by amendment or a court, can mean someone visiting in the EU, or even just flying over the EU at the time that they interact with the organization.
3. Non-EU based businesses frequently rely on their general counsel or business attorney for GDPR advice, which is what often leads to the inaccurate beliefs about GDPR that are outlined above. GDPR is an extremely long (over 100 pages including the prefatory language) and complicated law, and to be sure that you are actually doing what you need to, and to minimize your risk of having GDPR enforced against you, you need to consult with an attorney who specializes in this area of law.
Michael Wiegand
Michael brings 17 years of marketing experience to the table. He’s done everything ranging from design and direct mail to development and multivariate testing. He currently leads the Analytics team at Portent – a Clearlink Digital Agency, where he founded the analytics division. He enjoys sharing his knowledge and has been able to do so at various conferences, including MozCon, SMX West, and AAMP.
"Here are my 3 takeaways, over a year removed from GDPR..."
1. Major players still aren't compliant.
Plenty of European-based businesses like British Airways and Sky News, to name a few, are not complying with the spirit of the legislation in their website cookie collection practices.
Sure, they have opt-in banners, which read 'Accept,' but they are firing loads of first-party and third-party tracking cookies before you confirm with a click.
To make matters worse, some websites are still using simple acknowledgment cookie banners that say something like 'Okay,' which are not proper opt-ins as required by the GDPR.
2. When companies are compliant, users are opting in at meager rates. Anecdotally, our clients who do business in Europe are seeing opt-in rates of around 40%, meaning that companies who do comply with the letter of the law are losing data on up to 60% of their visitors in Europe.
3. GDPR still does almost nothing to solve user privacy on the internet. GDPR and similar legislation are just mechanisms for governments to wrist-slap large corporations, most of whom are prepared to take the hit in fines rather than lose precious user data.
To effect meaningful change in consumer privacy on the Internet, legislative bodies need to focus on data gathered at the point of access, like cellular phone and Internet service contracts, rather than the browser.
Most people don't know they've already signed away their data to large telecom providers before they ever visit an app, search engine, or a website. Opt-in banners on individual web properties aren't going to fix that.
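The ImmuniWeb finding quoted earlier (sites using insecure cookies) and Michael Wiegand's first takeaway (tracking cookies fired before the visitor clicks the banner) are both things a site owner can check for mechanically. The following is an added example, not code from the original roundup or from any company named in it: it parses the Set-Cookie headers captured from a first page load and reports cookies set before consent as well as cookies missing the Secure, HttpOnly or SameSite attributes. The host names and header values are constructed placeholders, and the allowlist of "strictly necessary" cookie names is an assumption that a real audit would take from the site's own privacy policy.

```python
"""Audit the cookies a site sets on first load, before any consent click.

Added example; not the original page's code. Sample headers, host names and
the allowlists below are constructed/hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Hypothetical allowlist: first-party cookies the page cannot function
# without, so they may be set before consent (assumed, not from the page).
ESSENTIAL_COOKIES = {"session_id", "cookie_consent"}
# Hypothetical set of cookies carrying authentication state, which must not
# be readable from JavaScript.
HTTPONLY_REQUIRED = {"session_id"}


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for valueless flags
    attributes: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, has_value, val = segment.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def is_first_party(host: str, site_domain: str) -> bool:
    """True when the responding host is the site itself or one of its subdomains."""
    return host == site_domain or host.endswith("." + site_domain)


def audit_cookies(responses, site_domain: str, consent_given: bool = False) -> List[Tuple[str, str]]:
    """Return (cookie name, issue) pairs for every cookie that needs attention.

    ``responses`` is an iterable of (responding host, Set-Cookie header value)
    pairs captured from the first page load.
    """
    findings: List[Tuple[str, str]] = []
    for host, header in responses:
        cookie = parse_set_cookie(header)
        party = "first-party" if is_first_party(host, site_domain) else "third-party"
        # Consent check: only strictly necessary first-party cookies may be
        # set before the visitor opts in.
        if not consent_given and not (party == "first-party" and cookie.name in ESSENTIAL_COOKIES):
            findings.append((cookie.name, f"{party} cookie set before consent"))
        # Attribute checks apply whether or not consent has been given.
        if not cookie.attributes.get("secure"):
            findings.append((cookie.name, "missing Secure attribute"))
        if cookie.name in HTTPONLY_REQUIRED and not cookie.attributes.get("httponly"):
            findings.append((cookie.name, "missing HttpOnly attribute"))
        if "samesite" not in cookie.attributes:
            findings.append((cookie.name, "missing SameSite attribute"))
    return findings


# Constructed sample: headers as they might be captured from the first load
# of a hypothetical site, before the visitor has touched the banner.
SITE_DOMAIN = "example-airline.test"
SAMPLE_RESPONSES = [
    ("www.example-airline.test", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example-airline.test", "cookie_consent=pending; Path=/; Secure; SameSite=Lax"),
    ("www.example-airline.test", "_ga=GA1.2.111.222; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("ads.tracker.test", "uid=xyz; Domain=.tracker.test; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for name, issue in audit_cookies(SAMPLE_RESPONSES, SITE_DOMAIN):
        print(f"{name}: {issue}")
```

Run against the constructed sample, the audit flags the analytics cookie and the third-party cookie as set before consent, and separately flags the analytics cookie for lacking Secure and SameSite; re-running with `consent_given=True` leaves only the attribute findings, which is the distinction between the consent problem and the cookie-hygiene problem the two quoted passages describe.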
Jessica Thiele
Jessica Thiele is the Director of Marketing at VL OMNI, an iPaaS point-to-multipoint serverless data integration platform able to capture business rules for a fully automated supply chain and technology stack partnered with Shopify Plus.
"Here are our three key takeaways from a Canadian data integration company..."
GDPR, unlike the older Canadian equivalent CASL, has teeth. All it takes to prove that EU citizen privacy is real and enforceable is Googling 'GDPR Fines,' and you'll be hit by pages of big-name companies going through the motions towards what seems like inevitable penalties and fines.
But how has EU-GDPR impacted the average company?
As a data integration platform, we saw GDPR coming about a year before it came into effect, and we were fully compliant well before the May 25, 2018 deadline. But not all approached GDPR the same, especially in North America. Here are three takeaways from the past year of GDPR that VL OMNI has observed just by virtue of participating in the data processing and multichannel commerce verticals:
1. EU-GDPR caught almost all North American-based companies off-guard. All it took was looking at all the content, webinars, and more launched during the two weeks before GDPR came into effect. It was astounding how much of this content was geared around the central question of 'what is EU-GDPR?'
2. Some of your partners might be GDPR-compliant; others may still not be. This is especially true for North American companies; again, they feel a measure removed from GDPR and many have a poor understanding of what the penalties or purpose are. As a business that actively partners, works with, or has data processed by a North American company, it's your due diligence to ensure all of your platforms are fully compliant.
3. Many businesses still don't understand how EU-GDPR affects them. Again, this is especially true for North America. Still, over a year out from GDPR coming into effect, we speak with companies that misquote what GDPR covers and does not cover.
Ultimately, EU-GDPR has encouraged our business to create contingency plans and detailed documentation to ensure all avenues that VL OMNI is responsible for under the law are fully covered and documented. Because we work internationally, we see a lot of appreciation from our customers for the GDPR language included in our contracts, but every now and then we get pushback from our North American contacts on 'why the GDPR language is necessary'. At the end of the day, absolutely make sure your business is fully compliant and has documentation to prove it: if you can't make sure everyone else in your network is GDPR-compliant, the least you can do is protect your own business.
Mark Pacitti
Mark Pacitti is the founder and managing director of Woozle Research, which specializes in conducting thousands of interviews every month with subject-matter experts globally to help institutional investors gain an edge.
"My three key takeaways from this first year after GDPR went into effect are..."
Compliance with GDPR is Now a Commercial as well as Legal Imperative
Although a relative drop in the ocean for a firm like Google, the 57 million euro fine levied against the search engine by France's data protection officials shows that regulators mean business! GDPR requirements have not only raised the compliance, administrative, and technical costs associated within scope, but the PR backlash and negative press from penalties is also having a longer-lasting negative drag on consumer perceptions and brand advocacy. Most businesses have the misconception that GDPR is solely an issue of legality. Although there is a legal dimension to this, it is also important to understand that the implications of ensuring businesses are transparent and compliant with storing, processing, and protecting customers' personal data are also about building consumer confidence and trust in the company's brand. This is vital, because more important than the large fines being doled out (the max being 4% of global annual revenues) is the reputation damage of losing the confidence and trust of customers. This is the true risk of non-compliance, and many businesses have yet to fully grasp this fact. GDPR is now not only about protecting data privacy and avoiding penalties, but it's now a commercial imperative!
GDPR is More than Just CyberSecurity
Most businesses have viewed cybersecurity as synonymous with data privacy and protection. Data breaches and security make front page news (look no further than Dixons Carphone's data breach on June 13, 2018, which impacted more than 10 million customers). However, data security is only one part of the puzzle when it comes to GDPR compliance. In fact, most small businesses have the misconception that by investing in more stringent infrastructure security they are making themselves less exposed to penalties, when in fact that isn't necessarily the case. In fact, the largest fines to date (including Google) have been levied not on the basis of data breaches, but on the basis that firms have been unable to present the personal data that they hold on file when a customer has requested it within the 30-day time limit (the so-called subject access requests).
It's Not Just Customers & Employees That You Need to Worry About
The overwhelming majority of professionals we interviewed indicated that the majority of their policies and procedures aimed at remaining compliant with GDPR legislation were focused on how they handled sensitive data relating to customers and employees. Most businesses are failing to take appropriate measures to safeguard and manage personal data gathered up and down the supply chain. The main reason for this appears to be related to a lack of adequate knowledge or resources. In either respect, not enough businesses are regularly auditing their third-party vendors to ensure their procurement processes are within scope.
Alexandra Marin
Alexandra Marin is the design expert who leads CodeCrew's development and success. She’s been designing websites and improving the way you interact with emails for over seven years, and her passion for customer satisfaction is tireless. In her spare time, she loves taking photos.
"The 3 key factors to note after having GDPR around for over one year are nothing if not the complete opposite of what businesses were expecting..."
1. GDPR has done more good than harm to businesses.
Pretty much any ecommerce owner was scared to their core about GDPR, CASL, and more recently CCPA, but the reality of it is that it did more good than bad to businesses that were true at heart. Spammers got what they deserved, while businesses with a true mission and a clean marketing approach reaped the rewards of having more real estate in their clients' eyes, hearts, and email inboxes.
2. Common sense won!
Were you buying lists off the Internet? Were you using black-hat techniques to essentially steal those email addresses? Chances are that you either listened to the wrong folks, or you need to check your principles. In the end, the common sense approach where you only contact people who want to hear from you won.
3. Fret not – just look for help.
We did a case study on the matter, and it seemed that before GDPR everybody was scattered looking for answers on what GDPR is and how to get ready for it. Ahrefs, a popular SEO and keyword research tool, showed a crazy spike in searches for the term just a few days before the rule went live. If more US states decide to implement this, don't get scared; just prepare, adapt, and overcome. If you've done your part right until now, this can be the best thing that ever happened to your business!
Stacy Caprio
Stacy Caprio is the Founder of Growth Marketing.
"My 3 GDPR takeaways are..."
1) Every site needs a GDPR-compliant privacy policy in order to have some layer of protection.
2) People are really confused and scared about GDPR, and if you're a lawyer or someone selling GDPR templates or services, you'll be able to cash in on all the fear. Whether that is taking advantage or not, I'm not the judge of.
3) Governments can pass laws that are too intrusive, and I personally do not support GDPR. 99% of websites use cookies and other types of information gathering, and if you don't want to visit sites that use cookies then you shouldn't go on the Internet. All it changed was making sites put up more in-depth privacy policies and gave the government the ability to sue large corporations, and it did nothing actually productive.
Ian McClarty
Ian McClarty has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services. PhoenixNAP employs a staff of over 600, operating in 9 locations worldwide.
"Three key takeaways from GDPR now that we’re a year into it..."
1) If you didn’t think you had data silos – think again.
This is a simplistic statement that encompasses a whole lot of heartache, as a full year has passed and most organizations find themselves discovering (more like re-discovering) caches of data they’d forgotten about thanks to the data scouring exercises they’ve conducted over the past year. 2019 and beyond will require forward planning not only to deal with these ancient data silos but also to ensure that any such ‘forgetfulness’ doesn’t occur in the future.
2) The public doesn’t fully understand GDPR – be prepared to educate them. It became clear, from day 1, that the general public thought they could simply request that their data could and should be deleted without question at the drop of a hat, simply because they requested it. In many cases, that’s what the law requires. However, GDPR allows for a multitude of exceptions (data obtained as part of the execution of a contract, for example) that the general public simply isn’t interested in understanding or appreciating. They want their data deleted, and they want it done now. Period. If you turn their requests down without any explanation, you’re going to become very unpopular. Organizations have had to accept the fact that educating the public is part of their GDPR remit – or else.
3) Lack of enforcement doesn’t mean the law is DOA. We haven’t seen any robust GDPR enforcement from the European Data Protection Commission. Why? Because GDPR is new and the majority of organizations out there weren’t prepared for it. There seems to be a very welcome grace period in effect. But woe to those who assume that the lack of any bite means that there aren’t any teeth. This law will be enforced eventually, so be prepared.
4) Bonus takeaway: The expectation gap is growing – GDPR is just for EU clients, right? Well, yes and no. Sure, the law only applies to the personal data owned by EU residents (regardless of where that data resides). However, the expectations of a global client base have been growing. GDPR has whetted the appetites of US consumers too, and they’ve seen their European counterparts getting all these new rights and control over their data. Oh, you don’t offer that service just yet? Let’s see how long they remain your clients when your competition catches on to the fact that data protection can be a competitive advantage.
Sam Orchard
Sam Orchard is the Managing Director of Edge of the Web. He began his career as a developer always staying at the forefront of the latest trends and technologies. Over the past 10 years he’s taken a lead role in all creative strategies, from initial project conception, through design, development, and on to marketing management.
"My three key takeaways from the first year of GDPR are..."
1. It wasn’t the marketing disaster that a lot of people were predicting.
Back in the first quarter of 2018, it seemed like there was an avalanche of articles predicting the end of email marketing. People having to actually opt in to receive marketing emails seemed like a death sentence to some. The reality was a lot less eventful – and good marketers already knew that if you’re tricking your users into signing up for marketing, or you’re signing them up without their consent, then they were extremely unlikely to convert into customers anyway.
A year on and email marketing is as strong as ever – in fact, a lot of marketers are reporting an improved conversion rate from emails, because – get this – they’re now emailing users that want to be emailed!
2. People are more aware of their rights.
With the massive influx of re-consent emails and GDPR being big news for most of May and June last year, people suddenly became a lot more savvy about their rights when it came to online privacy.
As a result, regulators reported a huge spike in the number of data-related complaints. For instance, the regulator in France – CNIL – saw an enormous 50% increase in complaints when compared to the same period the previous year.
3. It’s not just an empty threat.
Back when GDPR legislation was announced, and even until it was introduced, the skeptics were claiming that rulebreakers would be given indefinite warnings, or a small slap on the wrist.
Google found out that wasn’t the case when they received a record €50 million (£44 million) fine in France in January 2019 for lack of transparency, inadequate information, and lack of valid consent regarding ads personalization.
Sue Andrews
Sue is a Business and HR Consultant with over 25 years’ experience gained across various challenging sectors. She is a Fellow of the Chartered Institute of Personnel and Development and has worked closely with business leaders to design and deliver strategies to promote business growth.
"The three things we've learned after one year of GDPR are..."
Compliance is a continuous process.
Complying with GDPR is not just about setting up policies and procedures; it’s an ongoing process that needs to be at the heart of your business and integrated into everything that you do. Many organizations have approached data protection as a task to be undertaken and completed rather than realizing that compliance can only be achieved by maintaining a continuous focus on the issue. If companies are going to achieve and maintain compliance, they need to focus on implementing data protection by design, making sure all new processes take account of GDPR requirements from day one and that effective monitoring is in place.
Staff are your biggest risk.
It’s people, not processes, that pose the greatest risks to organizations when it comes to GDPR compliance. Organizations have tended to focus on ensuring that they have appropriate policies in place and that data is processed in accordance with the regulations. However, whether it’s done intentionally or by accident, there’s always a chance of staff misusing or losing data, and companies need to take steps to minimize this risk.
Providing one-off training to staff is not the answer, as regular refreshers are needed to help embed their understanding of GDPR and how it relates to them. Effective checking and monitoring processes are also essential to pick up any behaviors that pose a risk and to catch anyone with malicious intent. Implementing controls, such as removing the ability for staff to externally download data outside of your systems and introducing automated monitoring of printing, will reduce the risk of data being removed without permission.
Handling data access requests needs to be done with care.
The rise in the number of data subject access requests over the last year means that it’s essential for companies to have a clear process for dealing with these. All the publicity around the introduction of GDPR means that people are much more aware of their rights when it comes to their data. This has led to an increasing number of ‘fishing trips’ by people making a data request simply to see if they can bring a claim. We’re also starting to see the beginning of data protection ‘ambulance chasers,’ that is, legal firms who are focusing on helping people to take action against alleged data breaches.
Data requests by former employees can go back many years and can be time consuming and difficult to respond to, but you run the risk of litigation if you don’t handle the situation appropriately. There’s also been a rise in requests from organizations like Privacy International, acting on behalf of individuals or groups. These can be legally complex, and you may need to use an experienced data protection lawyer to make sure you respond correctly. Therefore, having a clear and efficient system for responding to data requests is becoming increasingly important. It also helps to reduce the chance of regulators taking action against you if they can see that you are taking the matter seriously.