GDPR represents the beginning, not the end, of the data privacy journey
The EU’s General Data Protection Regulation (GDPR) celebrates its first anniversary on May 25th, a natural moment to reflect on its impact.
Share this post
GDPR has certainly made the headlines, with the most noteworthy of them concerning enforcement actions, such as serious fines by national Data Protection Authorities (DPAs). As Courts and regulators continue their work on interpreting how GDPR should be implemented, we will likely see more high-profile cases soon; DPAs alone are currently working through a backlog of nearly 100,000 cases.
At least seven of those DPAs have already been urged to investigate the core functions of behavioural advertising, with complaints aimed at the real-time bidding (RTB) system having been filed in Belgium, Ireland, Luxembourg, the Netherlands, Poland, the UK, and Spain. Of those seven, the Irish Data Protection Commission just announced that it is launching an inquiry into Google’s processing of personal data “in the context of its online ad exchange”. (Members can click here to download the overview of a recent Digital Governance Exchange (DGX) event featuring a discussion on the complaint).
So what does this all mean for marketers? First, while some may have hoped that GDPR compliance would be a ‘one-and-done’ deal, carefully following future court and regulator rulings will be vital to discover how the law is being interpreted and adjust best practices accordingly.
Second, it’s clear that compliance at the company level is not enough. As a recent decision by France’s DPA showed, ensuring compliance along the whole ad-tech supply chain is essential.
Thirdly, marketers need to be aware of not just GDPR but also related developments in terms of data privacy frameworks at national level, as differing DPA interpretations may bring a degree of regulatory divergence even while providing clarification.
WFA’s Global Privacy Map is available for members here.
Outside of the EU, GDPR has clearly inspired several developing legislations, including Brazil’s General Data Protection Law (LGPD, entry into force August 2020). Others, such as the California Consumer Privacy Act (CCPA, entry into force January 2020), are neither national in terms of their jurisdiction nor identical to GDPR but could still have a major impact on marketers.
One year in, it seems that GDPR is simply the starting point of a long, global journey towards compliance on data privacy. The language around privacy has shifted, with the discussion moving from mere compliance to interpretation and even prompting conversations on the ethics of data privacy.
WFA is now engaging in those conversations with its Data Ethics Board, bringing together experts from 13 global brands to look at what data ethics means for the marketing industry, identify and scale best practices, and develop guidance to share with the wider WFA membership.
Finally, as a diverse global regulatory landscape emerges, WFA will continue to help members keep up, starting with WFA’s Global Privacy Map which aims to identify and track some of the privacy trends emerging across a number of key markets.