As we move closer to the GDPR compliance deadline, I've noticed a good deal of information online and in print about these new regulations. So much chatter often brings confusion. Questions concerning who is involved, who will be affected, and what it means for the future of data collection and protection may still exist in many people's minds. Given this, I'd like to take a moment to break down the broad idea surrounding GDPR, and how it will impact businesses and consumers in the EU, as well as its impact on a global scale.
A Bit of History
Since the advent of the Internet age, consumers have been providing large amounts of data and personal information to advertising companies and data storage organizations, usually unwittingly.
You might be thinking, "Well, that's the deal": consumers allow access to their information in return for 'free' use of applications such as search engines. However, a problem is that this data has been harvested and collected without the consumer actively giving permission, which can be (construed as) an invasion of privacy.
Europeans have tended to be less relaxed than Americans when it comes to privacy, no doubt because of Europe's recent history of profoundly abusive states – indeed Germany has often been the prime mover in this defense of privacy. In 1998 the EU developed regulations for data collection called the Data Protection Directive. This regulation was intended to address the privacy of consumer data, consumers' access to their own information, and automatic permission given by consumers to collection databases. The new regulations, which come into force in Europe in May, are an intensification of previous attempts to protect citizens.
What is GDPR?
The new law, the General Data Protection Regulation (GDPR), adds urgency to the need for businesses to ask consumers for permission to access and use their personal information – and to do it in a more explicit and granular way. With so many questions surrounding when and where data is being harvested and by whom, the EU has decided to create a new level of transparency between consumers in the EU and businesses. Many countries in the EU already enforce data privacy laws, but GDPR will replace any existing rules and provide a uniform system by which all participants will be required to abide. Failure to comply on the part of any organization operating within the EU could lead to very significant fines: up to 4% of annual global turnover or €20 million (whichever is greater).
What is the consumer impact?
With an influx of social media, smart devices, and other facts of modern electronic life, consumers are already providing enormous amounts of data to corporations, often without knowing it. This data includes information collected from official government documents and personal information shared online from emails, photos, and home addresses.
With the advent of GDPR, residents of the EU will be empowered with more control over their personal information and which entities are able to store and use that information, and at what price. It's unlikely that most internet users will pay huge attention at first, but the movement for change is gaining momentum and the environment can only change in one direction. Nor will this be limited to the EU – many countries outside of Europe are saying they too will adopt similar regulations.
What is the business impact?
Businesses have earned vast profits from collecting, selling, and making use of consumer data. In order for businesses to protect such profits, they will need to adapt quickly to meet the new GDPR requirements. The new laws are not always clear on what is allowed and what is not, and that may be deliberate: the regulators, who are not well resourced to enforce their rules, are hoping that the potentially huge fines and reputational damage will mean that the big risk-averse players will lead the way in establishing higher standards.
What does this mean for non-EU entities?
GDPR restrictions will apply to any businesses, EU-based and beyond, conducting personal data activity within the EU. Non-EU firms that don't comply with GDPR protocols when transacting in the personal data of EU residents will likewise be at risk of suffering the consequences at the hands of EU enforcement. And with jurisdictions outside the EU contemplating their own new regulations around the use of personal data, it may only be a matter of time before regulations akin to GDPR are established worldwide when it comes to consumer data protection and permission.
Looking ahead, I believe the future of advertising will have to embrace the new mood not only of increasing interest in protecting consumer data and respecting the privacy of web users around the globe, but of active resistance by the young, who are treating advertisers as snoops and are taking sophisticated technological steps to block advertising altogether. The industry will have to change not only by ticking the boxes of overt compliance but by fundamentally changing the way it thinks about its audiences.