06 May 2020 | 11.48 am

GDPR has been in operation for two years. Steven Roberts picks through some of the key learnings for companies so far, and what’s next for privacy and data protection.

May 25 marks the second anniversary of the General Data Protection Regulation, or GDPR as it is better known. Its introduction sparked a domino effect across the globe as countries outside the EU quickly followed with their own legislation.

The GDPR garnered considerable media coverage, both before and following its introduction. This has generated increased awareness levels amongst consumers regarding their privacy rights.

One result is a growth in complaints to the Data Protection Commission. According to its annual report, 7,215 complaints were received in 2019, a 75% increase year-on-year. Data breaches saw a similar upward curve, with a 71% increase on 2018.

Companies must continue to invest in staff training, to reduce potential breaches due to human error, and ensure they have appropriate systems and procedures in place to deal with their obligations under GDPR. Attention should be paid to the timely responses required under the Regulation, particularly regarding access requests and breach notifications.

Surveillance Capitalism

There are wider consumer concerns regarding aspects of the 21st century digital economy and what has been referred to as ‘surveillance capitalism’. Large volumes of personal data are a component of this economic model.

Recent research from the University of Pennsylvania highlighted that consumers view the obtaining and processing of their personal data by businesses with a sense of futility. They are uncomfortable with its consequences, yet they see no way to avoid the transaction in exchange for digital services. Companies that place an emphasis on trust and transparency will be well positioned.

In the wake of GDPR, the AdTech or advertising technology model has come in for severe criticism from a number of European data protection authorities, most notably in Britain and France. They are concerned at a lack of transparency in how consumers’ data is obtained and shared amongst multiple third parties.

Coupled with this is a growing awareness of the level of advertising fraud that technologies such as programmatic advertising have created. It will be interesting to see how the marketing, advertising and media sectors respond and adapt their business models in light of this scrutiny. One trend may be a move away from the industry’s current reliance on website cookies.

Large Fines

We have started to see the first really large fines levied by EU data protection authorities under GDPR. In 2019, the ICO announced its intention to fine British Airways £183m (€210m) for a data breach affecting half a million of its customers, and Marriott International £99m for a breach of nearly 340 million customer records.

In March 2020, the Swedish authority fined Google nearly €7m for not complying with the right-to-be-forgotten. It is likely this trend towards larger, statement fines will continue in the coming years.

ePrivacy Regulation

Many countries have followed the EU’s lead, introducing their own new or updated data privacy laws. In the US, California, Maine, Vermont and Nevada are just some of the states that enacted new privacy legislation since GDPR was introduced. It is clear that the data privacy landscape has become increasingly complex, particularly for multinational companies and those with a business footprint within and outside the EU.

Inside the European Union, variances still exist in a number of areas. One example is the different approaches member states are taking regarding website cookie technology. The Commission is hopeful that its proposed ePrivacy Regulation will address this and a number of other concerns regarding online communications and e-direct marketing.

The legislation, originally intended to coincide with GDPR, is still delayed due to considerable lobbying and disagreement between EU countries. In the meantime, businesses must be mindful of subtle differences in the interpretation of European ePrivacy laws in countries such as France, Spain and Germany. Ireland’s DPC released its own guidance document in April 2020.

Summary

Privacy will remain a key challenge for Irish businesses. Firms must develop an ongoing culture of compliance, and have the ability to clearly demonstrate they meet the core GDPR principle of accountability.

Those that do not will be at risk from a range of factors. These include the monetary fines which may occur from a data breach but also the broader implications for their brand’s reputation and consumer trust.

The current decade will see further legislation as the EU and other jurisdictions seek to balance the requirements of the digital economy with the need for transparency and trust that their citizens demand. Close attention should therefore be paid to data privacy as one of the trends impacting business at both a micro and macro level.

• Steven Roberts is Head of Marketing for Griffith College and a certified data protection officer. He is the author of the forthcoming book ‘Data Protection for Marketers: A Practical Guide’, which is due for publication by Orpen Press this summer.