GDPR six years on: Is the EU law still fit for purpose?

GDPR might be six years old, but those four letters are still enough to strike fear into many people working in business. Of course, since Brexit it has been UK GDPR but the rules remain the same and the penalties for abuse remain potentially eye-watering.

And, despite Conservative Government attempts to make UK data laws “less Brussels”, with the Data Protection & Digital Information (No2) Bill being flushed down the plughole, UK GDPR is likely to be in place for many years to come.

With the legislation celebrating its sixth birthday over the weekend, Decision Marketing quizzes industry chiefs to gauge whether it is still fit for purpose or beyond its sell-by date.

For Making Science head of data and analytics Rodney Perry, the anniversary indicates success, but not perfection.

He adds: “It is a vital intervention for questionable data handling practices, increasing consumers’ awareness of how their data is used, and even inspiring the global implementation of privacy legislation.”

However, Perry believes GDPR has arguably focused too heavily on user privacy and neglected business needs. He continues: “The (now defunct) DPDI Bill seemed to take a more balanced approach to data collection and use – safeguarding consumers while allowing businesses to collect and use data to improve their products and services.”

Meanwhile, ViewersLogic CTO and co-founder Oren Poleg maintains there is still widespread confusion with many companies unclear on which data to share with consumers when they receive a GDPR data subject request (DSR).

He explains: “There is a large variance in both the data you get back and how you can request it. For example, Meta hasn’t aligned its data sharing standards across its social media platforms. Where Facebook provides data on any content that users interacted with but no ad data, Instagram offers both content data and ad data, but only on ads seen in the week up until the GDPR request.

“Unlike the ongoing delays of third-party cookie deprecation, there’s no room for manoeuvre when it comes to GDPR regulations. Businesses are legally required to produce subject data in a machine readable format. Currently only a handful of companies make this an easy process, whereas others either make it intentionally difficult or simply haven’t invested in the process at all.

“We need to be working towards a transparent data economy where consumers can access their subject data without scrutiny or difficulty, especially as we’re seeing growing concern from consumers about how their data is being used and stored. Businesses that don’t act in the spirit of the law, need to be held accountable for exasperating what should be a simple DSR.”

Even so, Covatic CRO Sarah Lawson Johnston recognises that GDPR has been a benchmark for data privacy over the past six years – inspiring other global legislation and prompting many businesses to rethink how they protect themselves and their customers. It has also raised consumers’ awareness of how their personal data was collected, stored, and used.

She continues: “In the advertising industry, we’ve seen some stalling in the adoption of new practices for this privacy-first era. Google may have pushed back its cookie deprecation deadline once again, but it’s important that the sense of urgency is not lost.

“Privacy credentials have become a competitive differentiator, as consumers gravitate towards companies aligned with their privacy values as well as their personal ones. Media owners and brands must therefore phase out outdated solutions while simultaneously expanding the adoption of effective privacy-first technologies (e.g. on-device ad-tech solutions). This will help foster positive advertising experiences and offer the additional advantage of future-proofing their businesses.”

Azerion UK sales director Angelique Whittaker, however, is surprised by the lack of progress in the advertising industry. She argues that privacy-centric advertising should be the norm by now but the industry still struggles to push forward with its own bold moves and many marketers are relying on outdated targeting methods and confused consent messaging.

Whittaker explains: “To go a step further than simply being regulation-compliant, advertisers should be embracing cookieless tools, with a combination of contextual and behavioural targeting, to dig deeper into the privacy-friendly data and power curation methods; this will deliver more effective targeting and build better brand connections for consumers.”

It was the publicity around the GDPR that increased consumer understanding of their right to control their personal data within the EU and in the UK, says InfoSum director of legal Nicola Newitt, who points out that the legislation has influenced regulators in many other jurisdictions; 75% of people around the world now have data protection rights enshrined in law, up from just 10% in 2020.

Newitt adds: “The GDPR has provided European legislators with a powerful framework with which to hold organisations who fall foul of its terms accountable; for example, when Meta received a €1.2 billion fine from the Irish Data Protection Commission (DPC) in May 2023.

“While this provides a huge incentive for businesses to ensure their privacy practices are in good order, it’s also part of a bigger mindset change; with companies beginning to see privacy as an opportunity to build platforms, processes and products that drive efficiencies, create new revenue streams and foster customer loyalty.”

Over at Ogury, UK country manager Lawrence Horne recognises that, while the GDPR was an important milestone in the transition towards a more privacy-first online landscape, this shift is no longer simply driven by legislation, but by consumers.

He continues: “Around two-thirds (65.5%) of UK consumers have concerns surrounding data privacy when interacting with brands online, and it’s clear they are willing to exercise their right to avoid being tracked or sharing their personal information for advertising purposes. This has led to a consistent decline in opt-in rates since the implementation of the GDPR.

“For the advertising industry, being compliant with the GDPR, the CCPA or any of the other numerous privacy laws alone is not enough; consumers have spoken, and as a collective we need to tackle this issue at a global level. If the GDPR represented the first step towards a new privacy paradigm, the phase-out of the third-party cookie in Google Chrome is the final part of this journey. Brands must stop clinging to the old world and embrace a privacy-first approach if they are to continue to effectively reach their audience.”

For SBS director UK and EMEA Jason Warner, GDPR has sparked the formation of a new generation of technological data providers focused on compliance, whose groundwork is now the basis on which the post-cookie marketing landscape is being built. Ultimately, it has enabled data-driven strategies to be refined for even greater precision and effectiveness while remaining privacy compliant.

However, Warner warns: “The intricate and highly technical complexities of GDPR still catch out those unprepared technically. Currently, when a company’s legal team lacks a clear understanding of these mechanisms, the fear of potential investigations and fines can stifle technological advancements. This gap between theoretical rules and practical application poses a significant obstacle to progress.”

The final word goes to Seedtag UK managing director and international head of agency Marko Johns. He concludes: “GDPR has established the standards for data and privacy regulations, serving as a template for similar legislation that has since rolled out — or is in the process of rolling out — across the globe.

“Within digital advertising, it set into motion the transition towards solutions that do not rely on personally-identifiable information, though there are still corners of the industry that prefer to walk the knife-edge of what is legal to keep invasive targeting operating beneath a new coat of paint.

“GDPR may have been exhaustive at the time, but it needs to be updated to fill exploitable gaps in its reach, particularly around fingerprinting and AI, where a lack of guardrails around data handling puts both individuals and organisations at risk.”
