Here’s an interesting question - is the General Data Protection Regulation already law and, if so, should we be complying now? I have been asked this a number of times in recent weeks and it reflects a degree of uncertainty which has been exacerbated by the information gap left by the ICO until very recently.
In fact, GDPR entered the statute books on 24th May 2016, replacing the Data Protection Act, which means it is the legal standard with which all data controllers (and now data processors) must comply. The qualification is that there is a two-year transition period to allow organisations to prepare. Think of it as new speed limits being imposed on a road, with the traffic police waiting to see how drivers adjust before they start issuing fines.
Seven of those 24 transition months have already expired, of course, which means any company still asking a basic question about the law is behind the curve and will need to get moving in order to be ready. When DataIQ asked companies how long it took to change an internal process (which is what will be necessary to get ready for GDPR), the average was nine months. That assumes the challenge has been recognised and the solution identified, of course.
Two areas seem likely to cause a lot of problems in the transition - third-party data and digital media. We are already seeing a retreat by many marketers from the use of external data sources, driven by concerns about their compliance. The grey market in list trading - as revealed by last year’s exposure of data swapping by charities - is unlikely to meet the new requirements around consent and, certainly, transparency. GDPR mandates much greater clarity about the purpose for which data is collected and what else will be done with it (which is fundamental to winning permission for third-party sales).
Where marketers appear to have a blind spot is around digital media, specifically the tracking and analytical techniques which are fundamental to these channels. GDPR expands the definition of personal information to cover IP addresses, tracking techniques, digital fingerprinting and the like. It also focuses on companies engaged in the large-scale tracking of consumers. As has been widely noted, it also places new obligations on data processors, as well as data controllers.
For ad networks, tagging vendors and digital data aggregators, this is going to be tough. Although they only provide anonymised or pseudonymised data to advertisers, the raw data they are collecting is now regulated. These companies have no direct relationship with consumers and are therefore unlikely to be able to win consent for their data usage.
Whether the ICO has these businesses in its cross-hairs for enforcement in May 2018 is an open question. It seems likely that hitting a big target on day one would be desirable to demonstrate that GDPR is alive and kicking. Who better to go after than a foreign-owned tech company? Elizabeth Denham has a history of doing this from her time at Canada’s data protection commission and is likely to repeat the act in the UK.
Avoiding being the company confronted with a 4% fine means getting to work now. In particular, it involves changing data-driven processes to ensure they are sustainable under the new regulatory framework. Like driving within a new speed limit even when there are no traffic police around, compliance should be as much about self-governance as it is about enforcement.