Google hit the headlines last week for all the wrong reasons, earning itself a £44 million fine from the French data protection authority CNIL. While Google has announced that it will appeal, the reasons for the ruling are significant. CNIL argues that Google had not been sufficiently transparent with its users that it is their consent which forms the basis on which their data will be processed, not the search engine’s legitimate interest.
Perhaps the only organisation to be grateful for the fine was Facebook, if only because it gave the social network a break from being in the media for all the wrong reasons. From Instagram to YouTube, targeted ads to keyword-triggered search results, what the digital giants have discovered is that compliance with the General Data Protection Regulation (GDPR) is not easy.
Today’s annual celebration of Data Privacy Day - an idea conceived by the Council of Europe back in 2007 - serves to underline just how much things have changed in that time. Not least the rebalancing of power within the data-value exchange between brands and consumers.
For any business which does not have the engineering and legal teams at the disposal of Google and Facebook, the new direction of travel by regulators might be a cause for concern. After all, if these dominant and highly-resourced operations cannot get it right, how can you? Perhaps just as significant is a question even major brands have struggled to come to terms with - if we are using the digital marketing eco-system, including Google and Facebook, but also any other digital or cloud-based platform, what does that mean for our own GDPR compliance?
"Complex data supply and support underpins modern business."
Few organisations now operate without some degree of involvement with third-party service providers, especially in the data arena and particularly for digital marketing. It may be the use of a cloud-based HR app in which the personal information on employees is stored or a customer data platform operated in Amazon Web Services. All of them involve activities that need to be examined for conformity with the Regulation, from how data subjects were informed (and if necessary gave their consent) about data processing to data transfers in and out of the European Union.
It is this complex data supply and support which underpins modern business that is proving particularly challenging to understand and manage. You only need to look at the delays caused to the new ePrivacy Regulation as a result of its complexity to understand the scale of the problem.
But that does not mean you cannot make a start or even get your own organisation ready for compliance.
DQM GRC offers a six-step process for managing the risks and threats to compliance with GDPR that third-party services can cause. Making use of this not only provides reassurance to your organisation that it has a proper understanding of those risks, it also helps to meet the accountability principle of GDPR through documenting your data infrastructure.
Many of the service providers within this data supply and support chain have recognised that they need to be able to demonstrate their own compliance. So they have appropriate measures in place, including standard clauses in contracts that have been pre-approved and even anticipate that they may be audited. It is those you discover who resist any of these measures that rapidly identify themselves as a threat. One major upside of GDPR has been to force such marginal operations to change - or force them out of business.
For your own organisation, a critical question is how to operate on a privacy-by-design basis. Pivoting towards this model may actually prove easier for you than it is for the likes of Google or Facebook, whose origins are in the pre-Regulation world where data controllers set the terms of engagement and data was considered a free resource. That is slowly changing for them - your own progress can be more rapid, not least once you understand exactly where you stand with regards to the eco-system.
What is changing fast is the way consumers themselves view their relationship with privacy and data protection. In research carried out by DataIQ in association with DQM GRC (available here on the DQM GRC website) in 2018, there was a clear foreshadowing of an era in which engagement with services (initially, at least) should be anonymous and not require the sharing of any data (see chart). With a majority saying they would prefer not to provide any personal information when using the services provided by the likes of Google and Facebook, it is clear that privacy is the new normal. What remains is to ensure your organisation is on the right side of this deal, especially today of all days.