In April of last year, the European Parliament adopted the new GDPR data privacy regulations that will become effective May 25, 2018. This replaces rules drafted a generation ago in 1995.
Let’s think back to 1995 for a minute. Amazon was founded that year. That was three years before Google Search was launched. It was eight years before Myspace and nine years before Facebook. The digital world was in its infancy.
Data now drives the world economy the way oil once did. Personal data is a commodity, fueling the profits of the new industries. In this brave new world, digital privacy can no longer be an afterthought. In this light, it certainly makes sense to refresh the regulatory framework. Although the new requirements apply to European citizens only, the effects of this legislation will be felt world-wide.
The New Regs – an Overview
The overarching intent of GDPR is to give citizens the right, and the ability, to easily control their personal data. They can explicitly control what data is collected, what it may be used for, and when it must be erased. They are free to change their consent at any time. Parents must provide consent for the data of their children.
Further, the companies or civic entities that receive the personal data must be able to prove, at any time, that they do have explicit consent. This applies to any entities – even those outside Europe – if they receive the data of a citizen of the European Union.
Beyond the obvious information, "personal data" is defined to include a computer’s IP address, many types of cookies, encrypted data, and anything “…specific to the physical, physiological, genetic, mental, economic, cultural, or social identity…” of a person.
The European institutions have not been afraid to flex their regulatory muscles, as Microsoft and Apple know well. It’s widely anticipated that the EU will seek high-profile cases to prosecute non-compliant companies, perhaps in 2019, although proceedings could even be initiated in late 2018. With penalties of up to 4% of global revenue, these regulations have teeth. The belief is that the European Parliament will want to demonstrate that it means business.
However, here at Analytic Partners, we have noted a high degree of preparation and readiness among our clients, many of whom have ramped up compliance offices and will be ready by September of this year, well in advance of the deadline.
Personal Data Intermediaries
As is often the case, regulatory change can create whole new ecosystems and business opportunities. There are some interesting solutions emerging in the new “Age of the User.” Sandy Pentland of MIT, co-leader of the WEF Big Data and personal data initiative, sees huge potential in blockchain technology as a way for individuals to securely grant access to third parties. We’ve seen the emergence of third-party vendors who act as intermediaries between corporations and people. Companies such as Hub of All Things, Citizen Me, and People.io promise to streamline GDPR compliance from both sides.
Services like these could potentially make it easy for people to use a single portal in managing their personal data consent across multiple companies. Likewise, they could make it easy for companies to secure, update, and verify consent.
The Marketing Perspective
It may be that the increased uniformity of the new European regulations could make things easier for companies. That uniformity is not necessarily limited to Europe. Despite Brexit, the United Kingdom has stated that it will adhere to GDPR. Existing rules in Canada and other countries have many similarities to the GDPR framework. One notable exception seems to be the current environment in the United States.
We don’t foresee market-level analysis like Marketing Mix Modeling being materially affected, since it operates at an aggregated level where personal data details are not utilised. With Multi-Touch Attribution, however, we do expect a period of transition. If GDPR leads to an initial period of smaller digital sample sizes, that condition may be counter-balanced by greatly increased data accuracy within the consenting universe.
It’s also conceivable that consumers who are initially very private may see their neighbors enjoying the benefits of greater consent. These might include exposure to promotions and new product news in areas where they have expressed an interest.
In any case, it does appear that Europe’s General Data Protection Regulation is catching up with today’s digital reality.