Back in 2018, when GDPR first came into force after a two-year grace period and a barrage of apocalyptic scare stories, industry chiefs were keen to stress that implementation D-Day was the “beginning, not the end”, and that complying with the regulation would be a work in progress.
Three years on and the UK has finally left the EU but we are still tied to GDPR, while enforcement of the law across the bloc has been patchy at best.
Only yesterday, Decision Marketing reported that MEPs had voted overwhelmingly in favour of a resolution calling on the European Commission to start infringement procedures against the Irish Data Protection Commission – the lead regulator for nearly every US tech company.
At the last count, the Irish DPC had over 60 official investigations under way, with more than two dozen statutory GDPR inquiries into multinational tech giants. However, it has still only issued one GDPR fine: a €450,000 (£410,000) penalty against Twitter for data breach failings.
After a slow start, the UK’s Information Commissioner’s Office went large with two headline-grabbing fines, when it issued “notices of intent” to fine British Airways £183m and Marriott International £99m for cyber security failings.
In the end, BA secured a reduction of nearly 90% to £20m, while Marriott hammered down its penalty to £18.4m. Still, they remain two of the top five biggest fines ever dished out after Google (€50m), H&M (€35.3m) and Italian telecoms provider TIM (€27.8m).
Dun & Bradstreet UKI & Europe legal managing attorney Nicola Howell believes the regulation no longer sends shivers down the spine of business. However, many firms are discovering that GDPR compliance has more utility than simply avoiding a nasty fine – it is a marker of an organisation that invests in accurate, up-to-date and secure data processes.
She adds: “For all of the change experienced by businesses in the past few years one thing has remained constant, that data privacy has time and time again been put in the spotlight. High profile organisations have shown us that there aren’t simply financial repercussions, but reputational consequences to failing to adhere to GDPR.
“As consumers put an increasing reliance on data privacy and how their personal information is used, businesses that invest in their own data approach by ensuring they have access to clean data will come out on top in the end.”
However, MediaCom head of data strategy Oliver Betts says GDPR now feels like an aperitif to what will be the main course, the cookieless future.
He explains: “Data has been at the heart of both the media and marketing industries for a long time; but with GDPR having restricted the ways that personal data can be collected and used, and Google reducing the ability of cookies to collate user data, the industry is set for a seismic shift from a third-party-centric model to a first-party-centric one.
“Already, GDPR has created an increased reliance on first-party data, and brands that struggle to collect this data on the same level as they could purchase third-party data will face huge ramifications.”
Betts believes that the brands with the biggest chance for success in a GDPR and post-cookie era are data-rich advertisers and retailers – such as Sky and Amazon – with the means of capturing large amounts of personal data directly from consumers.
The data from these companies – and particularly the walled gardens of Facebook, Google et al – are going to be a lot more valuable than before, Betts insists, and those without the means to collect customer data directly from their sites or platforms will find it much harder to acquire data which gives them valuable insights into consumer behaviour.
He continues: “These technological changes in how brands can collect data will have a far larger impact on how the industry operates than just GDPR alone. What we can expect to happen next is that in exchange for more of consumers’ data, brands will incentivise consumers so that they can actually use their data.
“Whether that’s a retailer offering customers 20% off their next sale or even loyalty points, consumers will likely part with their data if there is a compelling reason to. This is what we call ‘zero-party data’, and is likely the future of customer data collection.”
For Howell, it is vital that organisations stay updated with the latest policies. She adds: “We are beginning to see companies invest in a clean data approach. What comes next remains to be seen; the ePrivacy legislation was always seen as the next logical step after GDPR but has been repeatedly delayed. And then you have the rapid adoption of technology and more specifically AI, which has flourished during Covid-19.
“How do organisations ensure they adhere to regulations such as GDPR and ePrivacy if a robot processes streams of data for them? What if the AI learns to process the information quicker but it doesn’t meet regulation? These are the very complex questions that organisations need to be looking into.”
So, it seems, even three years on, data-driven marketing businesses are still at the “beginning, not the end”.