In the last few months, weeks or days (depending on the procrastination level) leading up the GDPR’s May 25 enforcement date, there was a flurry of activity and preparation across the tech and marketing worlds.
Privacy Policies were changed and published, lists of emails were re-opted in, and some companies pulled their entire products from the EU fearing the still penalties GDPR could impose (fines of up to 20 million Euros or 4% annual global revenue, whichever is higher).
There were some that said this was going to be like Y2K, a flurry of work that inevitably lead to nothing, and others who warned this new regime would change the marketing and privacy worlds forever.
We are four months in now, who was right between those two points of view?
In my view, it is looking like with every passing day that the worlds of privacy and marketing have gone through a significant and impactful change. My reasons for coming down on that side of the fence are this:
- GDPR is catching, in the US and globally;
- Enforcement is coming;
- And the preparation has had its own long-lasting effects
GDPWhat?
Commonly referred to by its acronym, GDPR is the European Union’s General Data Protection Regulation. It becomes effective on May 25, 2018. We’ve produced quite a bit of information about the new regulation, including podcasts, blog posts, eBooks and webinars. Watch our on-demand webinar on GDPR compliance and marketing.
In a nutshell, GDPR:
- The key principle of GDPR gives consumers control of their data
- Applies to the 28-nation European Union’s 510+ million citizens, as well as any business doing business with them, regardless of where they are based
- Fines of up to 4 percent of total global revenue for violations
The privacy fire is spreading
Since GDPR was fully implemented, California, Vermont, Japan, Brazil, and India are all in process of either adopting or considering some version of similar legislation. All these efforts are different in scope and enforcement. Vermont’s scope is purely around data resellers. And Brazil’s law is as broad as GPDR.
The theme throughout all this legislation: Data Privacy Rights. Data privacy and the rights of the individual is something that different jurisdictions are holding sacred and not guarded properly by the industry.
This type of privacy regulation of the tech companies has been markedly absent since the advent of the internet. And they are fighting back as best they can against this coming wave, at least in the US. Here is a piece of AT&T’s response to the California legislation:
“The California legislation and similar initiatives … threaten to create a highly problematic patchwork quilt of privacy regulation. … state-by-state privacy regulation would lead all providers to tailor their practices … to the most restrictive elements of the various state laws.”
This lobbying tack has proved popular with the anti-regulation types in Washington, DC. Now, their argument is less effective for the giants of the tech, such as AT&T or Google who can segregate traffic based on state lines. But for smaller tech companies, that type of process is hard if not impossible without a massive expenditure and far too much work.
Given those challenges, small and medium businesses have to decide between two bad choices: withdraw from markets with these restrictions; or make their products and services comply with the strictest standard applicable law.
GDPR enforcement is coming
That breath you’ve been holding, keep holding it, enforcement is coming
There has been a quiet lull, not unlike the eye of a hurricane, since GDPR took effect from the Data Protection Authorities who administer the law. But this does not mean they are not actively pursuing and investigating claims. There haven’t been any actions yet, but as multiple sources have confirmed, this is more due to the need for hiring and training the necessary staff than to non-action. There were reports that the Irish DPA had nearly 100 job openings back in May. That is a lot of manpower that will be devoted to enforcement and investigations, once they are all hired, trained and onboarded.
Average onboarding for someone in an enforcement job of this nature (though this is somewhat a first of its kind) seems to be 3-6 months. And investigations are expected to take a few weeks for the smaller violations, and months for anything major. So, it being 4 months since GDPR took effect and not seeing any action isn’t that surprising.
Uncover that Tech Debt!
One of the more interesting side-effects in the lead up to GDPR for tech companies was uncovering technical debt that had gone unnoticed. For those unfamiliar, technical debt is the software engineering equivalent of your student loan; it needs to be paid back and grows with interest over time if you don’t work away at it. Tech debt is natural in any code-based or code-reliant business that often need quick-fix solutions (a short-term loan) to get a product to market.
Several of GDPR’s requirements were very difficult for software engineers to find solutions to with their current products. For example, the rights given by GDPR (Access, Portability, Correction, Erasure, Limitation) were often not something that had been built into the platforms and applications.
Inserting those now into a product took time and energy. But this work should be able to be used for things coming down the road, such as ePrivacy. Similarly, the newer and more accepted policies of security and privacy by design that tech is largely embracing required a lot of the same work. The efforts around GDPR have exposed the ease, or difficulty, with which a company’s systems of designed security and privacy can be implemented.
Tech companies are often reluctant to take these deep dives into their code, as its often work unrelated to the next product release. Having to do it for GDPR, or some future privacy regulation, is always a benefit; at least in the long term.