It is fair to say that data protection has moved on immeasurably since GDPR came into force on May 25 2018, with companies waking up to the fact that a strong customer privacy policy is not only a nice to have; it is now business critical.
Well, that is the theory. In practice, there are still many issues which have yet to be resolved, none more so than GDPR’s failure to bring “big tech” to heel and the ongoing row over the adtech industry’s data abuse.
According to Austrian lawyer and Facebook nemesis Max Schrems, who fronts the NOYB privacy organisation, the past four years have shown that a law alone does not change business models which are based on the abuse of personal data and a culture within the privacy profession that is often focusing on covering up non-compliance.
In a statement released to coincide with the fourth anniversary, Schrems said: “After a first moment of shock, a large part of the data industry has learned to live with GDPR without actually changing practices. This is mainly done by simply ignoring users’ rights and getting away with it.
“The fundamental right to data protection is not respected and perceived as a result of a long democratic process, but mocked as crazy or impossible to comply with. Authorities and non-profits that try to enforce the law as it stands experience open hostility and accusations, like that enforcement would kill innovation.
“Hardly any other area of law is politicised to that extent – at least I have never heard that building or tax codes were openly ignored with the argument that compliance would undermine the business model of a company. The privacy bubble accepts such narratives as a legitimate argument.”
NOYB is also among the fiercest critics of the role of data protection authorities, arguing that of about 50 cross-country cases that it has filed in the past four years, none have seen a final decision yet.
Even so, according to the latest figures there have been a total of €1.6bn (£1.4bn) in fines issued, although many are still subject to appeal, including the largest penalty of €225m which was slapped on Meta-owned WhatsApp in September 2021.
However, Schrems reckons we are approaching a situation in which the GDPR will be fully ignored – just like the previous EU Data Protection Directive of 1995.
He concludes: “Authorities will need to learn that no one likes enforcement bodies – but that their role is crucial for our digital societies.
“Companies have to learn that there are consequences. Industry lawyers will have to learn that their views will be challenged before data protection authorities and courts. Privacy activists will have to learn that just passing a law is not enough – but we need to enforce it too.”
MediaCom head of data, technology and analytics strategy Owain Wilson, meanwhile, reckons GDPR has not only transformed consumers’ privacy when it comes to managing their data, but it has given brands a way to capture first-party data and create personalised insights, all while being less invasive.
He adds: “There is still a long way to go before consumers can have 100% confidence that brands and publishers are using their data in ways consumers are happy with. This is the big question the industry is in the process of trying to find a resolution to at present. But the brands that embrace a transparent and personal approach will thrive through the lasting relationships they build with audiences.”
In post-Brexit Britain, GDPR is of course now under review, with the Government claiming the regulation is too complex and burdensome for small businesses.
The consultation, “Data: A new direction”, was launched last August and includes structural changes to the ICO, a fresh clampdown on nuisance calls, an overhaul of the so-called cookie law, a relaxation of accountability measures and cutting so-called “red tape”.
However, despite pledges that full details will be released “soon”, it is all quiet on the Westminster front. Privacy organisations are braced for a “bonfire of data rights”; others reckon there will just be tinkering round the edges.
Whatever the case, data protection legislation will be vexing the world of marketing for many years to come…
Related stories
‘In limbo’ industry demands full details of data reforms
Edwards brands ‘bonfire of data rights’ claims ‘bullshit’
Govt warned over plans to scrap human review of AI
Data reforms could lead to Govt meddling, ICO warns
Privacy group slams ‘bonfire of rights’ in data reforms
Will tougher fines bring victory in nuisance call war?
How will UK data reforms hit the marketing industry?
Data regulators wield big stick as GDPR fines top €1bn
Decision Marketing at 10: How GDPR changed the world
GDPR three years on: ‘The aperitif to a cookieless world’
GDPR zero hour: Now the hard work begins say experts
Now that GDPR is four years old, have things changed? Undoubtedly yes – and for the better. Direct mail, for example is now the most popular form of direct marketing amongst consumers, something that was unthinkable 15 years ago when ‘junk mail bombardment’ was the front page of many national newspapers. The reason for this sea change is in part down to greater compliance to Article 5 which maintains that customer data must be kept as up to date as possible. As a result, this means that targeting of direct mail has improved dramatically and people are receiving mail that is relevant to them. As a result of this ROI and engagement has grown a win-win for everyone. There might areas where organisations struggle with GDPR compliance, but from a data hygiene perspective GDPR has been and continues to be a powerful marketing enabler – and even more so when the ICO starts casting more of an eye over hygiene infringements!
Martin Rides, Managing Director, The Software Bureau