On 14 April 2016 something big happened in the European Parliament that will have wide-reaching implications for marketers and businesses across the world. For those in the know here in APAC, this ‘thing’ is a source of deep concern.
A recent survey by Veritas indicates 90% of businesses in Singapore are concerned and, of those businesses, 20% believe it may result in business failure.
This ‘thing’ is the General Data Protection Regulation, or GDPR for short. The GDPR is a live European Regulation, but it has a borderless scope which is causing problems for both European and non-European businesses. Within the next year the GDPR will be an enforceable regulation, so the global compliance race is on.
If you work for a business outside of the EU which holds or processes any form of customer data for any purpose, the next five minutes of reading may just help provide some clarity on why this matters and what action you should take.
GDPR: We have history
Although the regulation was only passed in 2016, GDPR and I go way back: I was involved in lobbying on and reshaping the regulation.
This all started in 2012 when the European Commission published the new General Data Protection Regulation. This event started the ball rolling on several years of fierce debate and lobbying by the European marketing and advertising associations. In my previous role as chair of an active and influential council of the UK DMA, I watched the iterative formation of the GDPR become the regulation which has now been served up by the European Commission for all marketers to enjoy… even the ones not in Europe.
In the interest of clarity, if GDPR is completely new to you, let me provide a quick overview before getting to the ‘fun’ stuff.
What is GDPR?
If you’re asking “what’s the General Data Protection Regulation?” you’re not alone. Here’s a rundown of the basics:
- The General Data Protection Regulation (EU2016/679) is a European Regulation passed by the European Parliament on 12 April 2016, which will supersede the Data Protection Directive 95/46/EC.
- The regulation has been designed to standardise the data privacy laws across Europe, providing data empowerment and protection to all EU residents.
- While the regulation has been in place for some time already, organisations handling the data of EU residents have until 25 May 2018 to comply fully with the new regulations.
- With non-compliance fines of up to €20m or 4% of global annual turnover (whichever is greater), now is the right time for businesses to evaluate their exposure and plan for the global impact of GDPR.
- If you’re interested, you can see the evolution of GDPR here.
Why non-EU companies should care
If you’re reading this from outside the EU, you’re probably thinking ‘big deal, this European red tape won’t affect my organisation’. Think again. I have three words: increased territorial scope.
The GDPR encompasses a number of game-changing concepts, but increased territorial scope is arguably the most significant change to the data privacy regulatory landscape. In essence, this concept means the regulation could impact any business regardless of geographic location.
This is achieved by reframing the regulation around the location of the data subject (that’s a person), rather than the location of the data controller or processor. The result? Any business with European customers is affected by GDPR.
On the impact of increased territorial scope, Chris Combemale, group CEO of the UK DMA, stated: “GDPR applies to every company who has even one customer in Europe and therefore has far reaching consequences for multi-nationals and ecommerce businesses that trade across borders.” The global impact is echoed here in Australia, with Irene Halforty of the Association for Data-driven Marketing and Advertising (ADMA) saying “the GDPR will have a significant impact on the ways in which Australian marketers obtain consent for the collection, use and disclosure of personal data.”
This time it’s personal
There has been a lot of debate around what constitutes personal data. The GDPR provides some clarity on this topic, defining personal data as “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.”
While not explicit, under this broad classification you could include name, email address, telephone number, photos, videos, social media posts, or a computer IP address just to name a few. For B2B marketers, work contact details or information are identifiable data relating to a natural person.
Power to the consumer
When compared to previous regulation, the GDPR is significantly more empowering for the individual consumer. Rights for consumers fall into five main categories:
- information notices.
- subject access.
- rectification and portability.
- rights to object.
- rights to erasure.
- rights to restriction of processing, profiling and automated decision taking.
These rights are designed to transfer the ownership and control of personal data back to the consumer, giving individuals greater ability to control how their personal data is used. However, it should be noted these rights are fraught with complexity and controversy, particularly data portability, and only time will tell how practical they are in reality.
Under GDPR, obtaining data and the appropriate consent will be a big deal. The regulation tackles head on the common tactic of consent-cloaking, where data processing consent is wrapped up in long, illegible terms and conditions full of legalese. From 18 May, businesses will have to seek explicit consent to collect, hold and process personal data.
Consent must be clear, easy to access and distinguishable as a request for consent and, importantly, withdrawing consent should be as simple as providing it.
Is GDPR an enforceable regulation?
With the regulation already in place and the deadline for compliance set (25 May 2018), the important question for many businesses is, how seriously should we take GDPR? For many, this comes down to one point – enforceability. The debate is gathering around this topic, with a number of arguments forming.
In relation to data automation processes, Professor Merlin Stone of St Mary’s University has stated “GDPR is partly unenforceable. The more you automate your data management and profiling, the less enforceable it is.” This supports the view of many that data flow and processing is too complex to be monitored and enforced.
An alternative argument supporting non-enforcement is the European Commission’s lack of enforcement of the EU cookie law. However, unlike the cookie law, which was part of a directive (E-Privacy Directive 2011), GDPR is a regulation on personal data and is therefore likely to be given a sharp set of teeth to demonstrate enforceability. I would suggest it’s only a matter of time before we find out which company is the first to be fined – my money’s on one of the internet giants.
Is GDPR good for business?
Let’s put the complexities of the shifting privacy landscape and the question of enforceability to one side for a moment and take an objective look at GDPR. Most people will agree the regulation is good for consumers, but is GDPR good for business?
An effective roll-out of the regulation will set in motion a more coherent cross-border standard for the collection and application of personal data, which comes with benefits.
John J Wall, author, speaker and leading thinker in marketing, says “this is about streamlining – having one set of regulations around handling data, not 28 from all the countries in the EU. A big part of this is making it simpler to deploy tech in the EU.”
While acknowledging the scale of the task ahead, Chris Combemale of the DMA also recognises the opportunity presented by the regulation, saying “GDPR sets a high bar for data protection and introduces new ideas like giving customers control of their data. While this may seem daunting to many non-EU businesses, it is also an opportunity to raise standards overall and better serve your customers.”
GDPR is good for consumers and it definitely has the potential to be good for businesses. Raising the bar and standardising procedures will ultimately lead to simpler deployment and scaling of technology and business, particularly for multi-national businesses. This is an opportunity to be embraced.
Should you take action?
So what action should you take if you’re a non-European business? This is the €20m question (or 4% of annual global turnover, whichever is greater).
Frankly, whether your organisation is in Austria or Australia, Slovakia or Singapore, GDPR will affect the way your organisation handles personal data. However, GDPR is unlikely to significantly disrupt the value exchange or relationship between organisations and customers.
Despite this, GDPR does set the precedent for future data protection laws around the world, so you need to take action now to evaluate, streamline and standardise data processes and procedures. The companies meeting the standards set by GDPR will be achieving a gold standard of data protection, and it is more than likely that these companies will easily comply with virtually all data protection laws around the world.
If you require general advice to meet the GDPR compliance deadline, it is likely the Information Commissioner for your country will be issuing recommendations (this is the Australian OAIC guidance); however, the UK ICO GDPR website is likely to offer a more comprehensive overview.
To support your preparation, I would also recommend asking any suppliers and partners accessing or processing data for confirmation of GDPR compliance by 25 May 2018.
To learn more about how to comply with the new regulation, book a spot on our GDPR training course or check out these other posts: