Happy 5th Birthday GDPR – How times have changed
It’s hard to believe that the General Data Protection Regulation (GDPR) is about to turn five years old next month. To mark this milestone, we decided to focus our blog post this month on how much has changed in the data privacy landscape since May 25th, 2018, and where it might be heading in the next five years. To help us delve into this critical area, CustomerMinds CEO Jonny Parkes recently had a conversation with Rob Corbet, a leading European expert on data privacy, whom we have known and worked with for many years. This article is based primarily on that conversation, and you can listen to the full audio in the latest episode of our Which50 Works podcast.
The First 5 Years of GDPR – How times have changed
It’s interesting to think that when the GDPR was first announced in Europe, the rest of the world (and in particular the US) looked on in horror, thinking that the Europeans were going to strangle all online businesses because they were going to make it so difficult to process data. And yet here we are in 2023, and the Americans are campaigning for a federal privacy law that would match up with what the GDPR has done in Europe. The reason for this shift in thinking is that most businesses have now realised that whilst data may well be the oil that drives the whole global economy, the individual who actually owns the data also has a basic human right to the privacy of that data. What is needed, therefore, is a globally accepted standard on how data should be managed, and that is challenging to achieve when privacy laws differ from one jurisdiction to another. As Rob points out in our chat, the only people who will win in that scenario will be data privacy lawyers like himself!
So what we have seen happen in reality is that a new global standard is starting to emerge based around the GDPR, which sets expectations for how consumers’ personal information should be treated, and how businesses should configure their products and services to comply with privacy laws. The game changer with the GDPR was that the new regulation was brought in at a ‘federal’ European level and it replaced the Data Protection Directive that had been in place since 1995. Although this previous Directive was broadly harmonised around Europe, it operated at a much higher level and didn’t get deep enough into the detail to create a true standard. The GDPR, on the other hand, got right into the weeds of some of the thorny data privacy issues, and this was the really brave step that was taken by the EU.
Whilst the GDPR is not perfect by any stretch of the imagination, what it did create was a global acceptance that privacy should be regarded as a fundamental human right and needs to be minded. Consumers should be able to actively manage the use of their data and should have knowledge about what’s happening to their data. Critically, any company that has access to that data owes a duty of care to each and every consumer in terms of what they are doing with their data. So although many may have initially viewed the GDPR as an overly bureaucratic play by the EU that would result in businesses being hamstrung with red tape, in hindsight it has already totally transformed the privacy landscape around the world.
The Thorny Issue of Consent
So let’s dive into the weeds for a bit and take a closer look at the thorny issue of consent. One of the key reasons the GDPR defined consent so granularly is that consent has always existed under data protection laws. Even in the US, there are the FIPPs (Fair Information Practice Principles) dating back to the 1970s, which are largely based on issues such as transparency and consent, and these have always been fundamental issues that are common to most privacy laws. However, the EU recognised that an ill-defined or loosely applied definition of consent wasn’t working. The concern was that the idea of implied consent had emerged during the 90s and 2000s, and individuals were not always fully aware of the extent to which their data was being used.
So, what the GDPR decided to do was to take away the idea of implied or inferred consent. Consent is now defined as something that requires a statement, an affirmative action on the part of the person giving the consent. This was a deliberate move to regulate the specific concept of consent to the point that it bears no resemblance to the pre-GDPR concept. There are several articles that specify how consent has to be specific, informed, freely given, and as easy to withdraw as it is to give, all predicated on the idea that control of personal data should rest with the individual. The GDPR places the onus back on the data controllers who are collecting the data to meet not only the requirement of affirmative consent but also to inform people about the specific basis on which they are asking for their consent. The GDPR gives the power back to the individual data subject to withhold their consent or, even where they have given consent at the outset, to change their mind and withdraw it at any time.
For business models that were built based on implied consent, this was a monumental change. In fact, what we have seen it do is, in effect, torpedo the ad tech industry in the EU. A lot of the ad tech ecosystem in the EU was based on the implied idea that things like cookies in your browser and settings that were applied by default to your online activity constituted a GDPR level of consent. This was never going to cut the mustard from a GDPR perspective, and the regulators have now come to that conclusion themselves. As a result, there has been very significant disruption in the ad tech industry. While Apple has taken the lead on some pro-privacy initiatives, the other GAFAM* tech giants such as Google, Amazon, Facebook, and Microsoft are also redefining how they can lawfully use data, especially in cases where obtaining consent requires significant engineering effort. Even for simpler companies that just want to maintain a marketing database, the issue of properly managing consent can be really challenging on a number of levels, particularly if their data is stored in multiple different systems or ‘silos’.
GAFAM* : The acronym has changed over time with Google becoming Alphabet and Facebook going all Meta!
So what about legitimate interest?
Consent is not the only game in town, however, when it comes to direct marketing, as the GDPR also supports other ‘lawful bases’ for communicating with individuals under certain circumstances. In particular, the regulation confirms that an organisation can have a legitimate interest to process personal data for direct marketing purposes when the processing takes place within a client relationship. This concept of ‘legitimate interest’ is a lawful basis under the GDPR that is equally as valid as consent, and there are other lawful bases such as contractual necessity and public interest.
In order to carry out direct marketing under legitimate interest, there are a number of tests that an organisation must carry out, which essentially amount to a balancing test that weighs up the business interests of the organisation against the data privacy rights of the individual.
Key Balancing Tests to use Legitimate Interest
- What is your legitimate interest?
- What are the rights and freedoms of the individual concerned and have you appropriately managed them?
In the case of direct marketing, the recommendation is that an organisation should use a Legitimate Interest Assessment (LIA) to record the balancing test that has been completed. In the event of a challenge in the future, the organisation can then show a regulator, or a complainant who has received direct marketing communications, that it carried out a fair analysis of why it included that person in that category of direct marketing communications.
How can technology help with data privacy?
Throughout our chat, Rob mentioned some key areas where he felt technology could play a role in meeting the higher data privacy standards now expected by both consumers and regulators. His view is that individuals should be empowered to freely exercise whatever choices are available to them across each of the communication channels provided by an organisation. He points out that while some customers may be happy to receive relevant marketing communications via their preferred channel, others may get annoyed when they receive messages that they don’t expect or don’t want, or have chosen not to receive on a particular channel. He asks whether companies really want to be resolving the latter problem in front of a regulator, or whether they want to use a digital platform that combines the management of consent and communication, and hopefully reduces the need for lawyers like himself.
Rob points out that building a system that’s compatible with all customers requires careful consideration of how it’s engineered and managed at the back end. Everything goes back to the need for a system that manages consent automatically via unsubscribe links and provides tools for internal staff and compliance teams to manage and report on all of their customer communications. It’s about best practice, including the customer in the engagement process, giving them the choices and preferences they need, and building a sustainable and compliant framework that will meet the data privacy standards of tomorrow.
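To make the consent requirements described above concrete (affirmative action only, no implied consent, per-channel choices, withdrawal at any time, and a recorded LIA where legitimate interest is relied on), here is a small append-only consent ledger. It is an added illustration, not Which50 code; the class and method names (ConsentLedger, may_send, history) and the sample subject identifiers are hypothetical.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List

@dataclass(frozen=True)
class ConsentEvent:
    subject: str        # identifier of the data subject (constructed value in the examples)
    channel: str        # communication channel, e.g. "email" or "sms"
    purpose: str        # the specific purpose the person was informed of
    granted: bool       # True = permission to send, False = withdrawn / objected
    basis: str          # "consent", "legitimate_interest" or "withdrawal"
    evidence: str       # what the person did, or the LIA reference, to show a regulator later
    at: datetime

class ConsentLedger:
    """Append-only history; the latest event per (subject, channel, purpose) decides."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _add(self, *fields) -> None:
        self._events.append(ConsentEvent(*fields, datetime.now(timezone.utc)))

    def record_opt_in(self, subject: str, channel: str, purpose: str, evidence: str) -> None:
        # Affirmative action only: a default setting or pre-ticked box is not GDPR consent.
        if not evidence or evidence.startswith(("default:", "preticked:")):
            raise ValueError("consent requires an affirmative action by the data subject")
        self._add(subject, channel, purpose, True, "consent", evidence)

    def record_legitimate_interest(self, subject: str, channel: str, purpose: str, lia_ref: str) -> None:
        # Legitimate interest needs a recorded balancing test (LIA) to point a regulator at.
        if not lia_ref:
            raise ValueError("legitimate interest requires a completed LIA reference")
        self._add(subject, channel, purpose, True, "legitimate_interest", f"LIA {lia_ref}")

    def withdraw(self, subject: str, channel: str, purpose: str, how: str = "unsubscribe link") -> None:
        # Withdrawal (or objection under legitimate interest) is always accepted, whatever the basis.
        self._add(subject, channel, purpose, False, "withdrawal", how)

    def may_send(self, subject: str, channel: str, purpose: str) -> bool:
        # The most recent event for this exact channel and purpose decides.
        # No event at all means no permission: there is no implied consent.
        for ev in reversed(self._events):
            if (ev.subject, ev.channel, ev.purpose) == (subject, channel, purpose):
                return ev.granted
        return False

    def history(self, subject: str) -> List[dict]:
        # Compliance-portal view: everything recorded about one data subject, in order.
        return [asdict(ev) for ev in self._events if ev.subject == subject]
```

Because the ledger only appends, the history for a subject doubles as the audit trail an organisation would show a regulator or complainant.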
What does the future hold for data privacy?
Which brings us on to ‘what happens next’. As the GDPR marks its fifth birthday, it’s clear that the regulation has made a significant impact on the way that organisations handle personal data. While some may have initially considered it overly bureaucratic, Rob believes that in the next five years we will look back on this period as “a quaint period of under regulation of tech”. His predictions are that over the next couple of years, enforcement of the GDPR will become more rapid, more key legal decisions will be reached, and more fines will be imposed. But overall, he feels that is a good thing, as it means that data privacy and digital regulation standards will continue to rise in Europe and ultimately across the globe.
Looking ahead, there is already a range of new regulations being proposed and developed that will further shape the digital landscape and the way we handle data. Particularly in Europe, there are new regulations coming through the European Commission at various stages, including the Digital Services Act, the Digital Markets Act and the Data Act. Once again the EU looks like it is blazing the trail in relation to regulating technology, as it has proposed the first ever legal framework on Artificial Intelligence with the proposal for an AI Act. There will also be new regulators set up in each EU jurisdiction, called Digital Services Co-ordinators (DSCs), which will have regulatory powers around the whole digital agenda in addition to the current powers that the Data Protection Commissioners in each country have in relation to the GDPR.
So, as Rob says, he “can’t see privacy lawyers being bored anytime soon”, and he believes that leveraging consent management platforms and respecting the choices of users is going to become the minimum viable legal strategy in the future. He suggests that organisations might as well get good at it now and build systems that have long-term sustainability from a legal perspective.
At CustomerMinds, we have worked with Rob for over fifteen years and truly value his unique insights on data privacy and the role that technology should play in keeping our data safe. Due to his advice and suggestions years before GDPR was even introduced in 2018, we embraced key privacy themes such as Privacy by Design and Consent Management. We embedded features in all communications sent from our platform that allow consumers to easily edit their consent and communication preferences, and we built a Compliance Portal into the Which50 Platform that provides staff with a centralised view of all member consent details. These features have all been purpose-built to support the regulatory and reporting requirements of the GDPR.
If you are interested in reading more about our views on the importance of Data Privacy you might be interested in our previous post which covered 5 key data privacy points for organisations to consider as they look to address the challenges of data privacy and customer communications.
If you would like to read about how the Which50 platform can be a solution to some of the challenges discussed above, check out our website right here: Data Management and Security | Which50 | CustomerMinds
If you would simply like to find out more about the digital solutions that we provide, please sign up for our Which50 Works newsletter below or contact us to arrange for an introductory call.
The above article is based primarily around a conversation between CustomerMinds CEO, Jonny Parkes and Rob Corbet, Partner and Head of Technology & Innovation at Arthur Cox. You can listen to the full audio in the latest episode of our Which50 Works podcast right here. Don’t forget to like, share and subscribe.