By now, everyone should have at least heard of the EU’s massive data protection legislation.
It’s an overhaul of disparate and aging laws, to create a unified regulation.
The GDPR, put simply, is a playbook on how to govern the data your company needs to operate.
A more accurate name might be the General Data Governance Regulation due to its sweeping scope, not just internally, but through its application around the world.
The GDPR, while dense and seemingly impenetrable, is noble in purpose, giving power and control of personal data back to the people.
To do this, new rights and obligations are created, which businesses need to get their heads around. There is a lot of white noise and jargon already around this, so here are the basics.
The GDPR won’t prevent new ways of collecting data from being developed, but it will force companies to be introspective and take a good hard look at themselves to understand what data they collect and how, how they use it, and whether any of it raises privacy concerns for the consumer. That’s a tall order, but not unreasonable.
After all that is done, a company will need to become extroverted and be transparent about their data practices.
Linked to this, they will have to provide mechanisms for consumers to control their data. Again, a noble notion, and technically complex.
For example, a consumer will have the right to know what profiling (or ‘tracking’) is happening and be able to say no to that, or opt-out. Advertisers and everyone else in the ad tech stream, take note.
Basics aside, it is still important to understand the regulation in detail.
At the moment, it is not panic time, but it is time to think about the GDPR and what your approach should be.
For readers seasoned enough to remember Y2K, it was a global fear that began with a whisper that technology would screech to a halt, and ended in a panicked run for the fire exits in the approach to the turn of the millennium.
Mass shutdown didn’t happen, of course, but that was only because companies everywhere prepared in advance. This is what will happen with the GDPR.
As it will require a full year to get your house GDPR ready, 2017 will be the year of privacy.
The law becomes effective on 25 May 2018, and the first few months of 2018 will be spent testing and refining processes. Got it? Yep, there is really about a year to get GDPR ready.
Another noteworthy aspect of GDPR is that it is a global law.
It applies to any company that merely offers its wares to an EU resident, even if a deal is not closed.
Those in the digital marketing space, however, should pay close attention, as the law is triggered if a company is engaged in monitoring someone’s behaviour. That’s legal speak for tracking.
The myriad of intermediaries that stand between the website and consumer are going to be swept up by the GDPR. It is a borderless law to match the digital age. That is its genius.
The potential penalties for non-compliance, especially as it pertains to tracking, are fines of up to 4% of your annual turnover, or €20 million, whichever is greater.
That can be financially crippling for any business, large or small.
What’s not being discussed is that most if not all of adtech is going to need to designate a data protection officer, someone who will be the main point of contact with regulators, and who will have to report to the highest management level within the organisation.
As a privacy professional, this is something that warms my heart. But demand will far outstrip supply, and many privacy pros will naturally migrate toward the more traditional industries like financial services, retail and travel – those industries with a compliance heritage.
Regulators are going to be aggressive in enforcement. They are telling us this. Let’s take them at their word.
There won’t be a grace period for compliance, as there’s a year and a half runway – that’s long enough.
The company that has made little or no effort in getting ready for the GDPR should be pitied. Even doing the basics would help: looking within, and then pivoting outwardly.
The latter, in my humble prediction, is where early enforcement will happen. Why? Because it’s low hanging fruit.
Regulators can easily see whether you are being transparent about your data practices and getting consent for things like profiling. They’ll go to your website and look.
2017 will be an exciting year. The GDPR will be a gift that keeps giving in many unexpected ways.
Sourced by Todd Ruback, chief privacy officer, Ghostery