GDPR First Anniversary (Is Your Data More Secure?)

EU Flag

As GDPR hit its first anniversary on Saturday, Microsoft once again called for a US privacy law which shifts the onus of data privacy from the individual to corporations.  Today, Americans operate in an opt-out regime which requires them to find and manage their privacy settings.

“This places an unreasonable — and unworkable — burden on individuals,” wrote Microsoft’s Deputy General Counsel Julie Brill.  “Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information.”

Microsoft prefers a single federal standard to piecemeal state-level laws such as California’s CCPA.  Brill said the legislation should be interoperable with the GDPR to help reduce the “cost and complexity of compliance.”  This framework should reflect ”the changing understanding of the right to privacy in the United States and around the world.”  The proposed legislation should “uphold the fundamental right to privacy through rules that give people control over their data and require greater accountability and transparency in how companies use the personal information they collect.”

“For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing—and even conflicting requirements—for privacy protection in the countries where they do business,” said Brill.

According to eMarketer analyst Ross Benes, the US ad industry has shifted from a call for self-regulation to supporting national privacy regulations, fearing ”a patchwork of different rules” as “legislation looks increasingly inevitable.”

A TrustArc/Ipsos survey of UK adults (16 – 75) found a 36% improvement in trust concerning personal data since GDPR went into effect.

Source: TrustArc / Ipsos GDPR Survey of 2,230 UK adults (May 2019)

A Snow study found that 39% of global business professionals believe their data is better protected since GDPR passed, with the biggest increase in the APAC region (48%).  40% of Europeans also believed their personally identifiable information is more secure, but only 30% in the US held the same belief.

74% of surveyed professionals believe that the technology industry needs more regulation with 83% of APAC and 72% of US respondents wanting additional tech regulation.

The EU has yet to strictly enforce the law with only one large fine ($56M) versus Google in France. However, Google and the social media and advertising companies are all subject to ongoing suits:

The latest investigation — the first by the Irish watchdog into Google — brings to 19 the number of open cases by the regulator targeting big U.S. tech companies. They include probes into Apple Inc., Twitter Inc., eight probes into Facebook Inc., plus one into Instagram and two into WhatsApp.

Los Angeles Times, “Google could face hefty EU fine over possible privacy violations,” May 22, 2019

“What is important to recognize is that the EU is taking GDPR very seriously, with fines being established for any breach,” said Ben Feldman, SVP of strategy and innovation at NYIAX.  “I would expect that the first six-to-nine months of any new regulation action would be spent working out the kinks and processes of implementation.  It is quite likely that we will see more fines in the coming months.”

Rhetorik: What Does GDPR Mean for B2B Marketing?

I’ve been looking for a good description of what GDPR (General Data Protection Regulation) means to B2B marketers and finally came across a session given by UK technology profiler Rhetorik.  There have been a number of issues that have muddied the waters, making it difficult to provide much more than general rules.  Amongst the issues are a focus on the implications to consumer marketers, the lack of a general law that spans the EU, and an emphasis on rumors and fears about what will happen to firms that fail to comply with the regulation.

Rhetorik Data Protection Officer Samantha Magee noted that GDPR covers how and why companies hold and protect data.  It is focused on internal processes rather than external communications, and is channel agnostic.

In around 18 months, the EU will pass uniform ePrivacy legislation which covers external communications in member countries.  Until then, rules will remain fragmentary.  For example, Opt-in or Opt-out protocols differ by country with the UK amongst the more liberal countries:

Opt-in / Opt-out workflow by country (Source: Rhetorik)
Opt-in / Opt-out workflow by country (Source: Rhetorik)

For the moment, GDPR has given teeth to local regulations.  In the UK, the PECR (The Privacy and Electronic Communications Regulations of 2003), overseen by the Information Commissioners Office (ICO), remains the applicable regulation for consumer, single trader, and small partnership communications.  It was drafted after the European Directive 2002/58/EC, otherwise known as the or ‘e-privacy Directive’, was implemented in 2002.

There are six bases for communicating with clients and prospects, all of which have equal weight: Consent, Contract, Legal Obligation, Vital Interest, Public Task, and Legitimate Interest.  Of these, Consent (e.g. opt-in) and Legitimate Interest are the most common for B2B marketers.  Support and service departments would most likely be covered under contractual relationships.

“Legitimate Interest aims to provide a solid and lawful basis upon which commercial communication can occur, allowing marketers to promote their products and services to a targeted and well defined audience,” said Magee.  “At its heart, is the desire to ensure that commercial practices and communications are relevant to the individual, offering the assurance that high standards of care are applied and that their essential privacy” rights are considered of the utmost importance.”


Part II continues with a discussion of the UK PECR law and additional details on Legitimate Interest.