This past week, the European Union’s General Data Protection Regulation (GDPR) initiative kicked in. But what does it mean for businesses that operate in the EU region?
And what are the prospects for GDPR-like privacy coming to the USA anytime soon?
First off, let’s review what’s covered by the GDPR initiative. The GDPR includes the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The “right to be forgotten” means data subjects can request their information to be erased. The right to “data portability” is also a new factor. Data subjects now have the right to have data transferred to a third-party service provider in machine-readable format. However, this right arises only when personal data is provided and processed on the basis of consent, or when necessary to perform a contract.
Privacy impact assessments and “privacy by design” are now legally required in certain circumstances under GDPR, too. Businesses are obliged to carry out data protection impact assessments for new technologies. “Privacy by design” involves accounting for privacy risk when designing a new product or service, rather than treating it as an afterthought.
Implications for Marketers
A recent study investigated how much customer data will still be usable after GDPR provisions are implemented. Research was done involving more than 30 companies that have already gone through the process of making their data completely GDPR-compliant.
The sobering finding: Nearly 45% of EU audience data is being lost due to GDPR provisions. One of the biggest changes is that cookie IDs disappear, which is the basis behind so much programmatic and other data-driven advertising both in Europe and in the United States.
Doug Stevenson, CEO of Vibrant Media, the contextual advertising agency that conducted the study, had this to say about the implications:
“Publishers will need to rapidly fill their inventory with ‘pro-privacy’ solutions that do not require consent, such as contextual advertising, native [advertising] opportunities and non-personalized ads.”
New platforms are emerging to help publishers manage customer consent for “privacy by design,” but the situation is sure to become more challenging in the ensuing months and years as compliance tracking the regulatory authorities ramps up.
It appears that some companies are being a little less proactive than is advisable. A recent study by compliance consulting firm CompliancePoint shows that a large contingent of companies, simply put, aren’t ready for GDPR.
As for why they aren’t, nearly half report that they’re taking a “wait and see” attitude to determine what sorts of enforcement actions ensue against scofflaws. Some marketers admit that their companies aren’t ready due to their own lack of understanding of GDPR issues, while quite a few others claim simply that they’re unconcerned.
I suspect we’re going to get a much better understanding of the implications of GDPR over the coming year or so. It’ll be good to check back on the status of implementation and enforcement measure by this time next year.