GDPR & The New Wave of User Privacy: Implications for Digital Marketers Going Forward

The General Data Privacy Regulation recently passed in the United Kingdom, ushering in an impactful new mandate for any company collecting information about UK users.

The New Normal: Increased Data Privacy

A push for user protections and sweeping concerns about personally identifiable information (PII) took hold of many different social circles within the business world in the wake of the Facebook – Cambridge Analytica scandal, which saw a data breach for over 50 million users.

GDPR compliance was a mad dash to the mandatory implementation date: May 25th, 2018. However, now that this date has passed, the implementation date is not the be-all and end-all for web user privacy going forward. In the UK, an additional piece of proposed legislation, EPrivacy or ePR, is on the table to further regulate user data collection and, more specifically, outline the rights of internet users to their own privacy.

In an overwhelmingly digital age of marketing, new regulations and impositions make it increasingly difficult to use data analytics and targeted advertisements to learn about a given user’s interests, identity characteristics, behavior, etc.

Implications and Important GDPR Specifics:

GDPR can be viewed as a form of legal precedent in the data privacy debate, setting the standard for a digital market controlled by the whims of users at the expense of targeted marketing materials. The general direction of increasing data privacy regulations amounts to an overall significantly less accessible marketing world, especially when it comes to utilizing analytics, discovering information / trends about consumers, and delivering relevant targeted marketing materials to users.

If the legal trend of increased digital autonomy for users continues, the field of digital marketing will transition toward being almost entirely driven by user opt-ins. This result will render many of our current tools and strategies in digital marketing useless without user consent to solicitation.

Failure to comply with GDPR, or any regulatory violation, carries a penalty of either a $20 million fine or 4% of a company’s annual revenue (whichever is larger).

GDPR defines PII as “any data that identify a specific individual”. Those tasked with ensuring the safety of sensitive data are divided into two groups:

Data Controllers and Data Processors.

GDPR places equal liability on both types of data-utilizing parties in the event of a data breach. Additionally, GDPR expressly describes a 72-hour reporting window to alert relevant parties of a data breach.

Data Controllers are described as businesses that determine why data is processed.

Data Processors are described as businesses that store and process data.

(Ad agencies are an example of a business type that is uniquely positioned as both a controller and a processor.)

Types of Private Data Protected under GDPR:

  • Basic Identity Information: name, address, ID numbers
  • Web-Based Data: location, IP address, cookie data, RFID tags
  • Health and Genetic Data
  • Biometric Data
  • Racial and Ethnic Data
  • Political opinions
  • Sexual orientation

Areas of Ambiguity: For Marketers Attempting to Tailor Their Content Strategy

There is a lack of outlined structure as to what constitutes [Data Processors & Controllers] demonstrating a reasonable level of protection for personal data.

This puts pressure on businesses attempting to utilize the previously unconstrained power of targeted user market data and analytics.

“Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”

(Liz Denham, UK Information Commissioner: On GDPR fines)

In response to this legal language in the GDPR, there are concerns over how any fines will be assessed, a question that remains largely unanswered, specifically how a foreign government authority would pursue legal action against a business operating out of a different country. However, one aspect pertaining to enforcement on a company-size basis has been answered.

“Companies operating below 250 employees are required to hold internal records of processing activities, if the processing of data can risk an individual’s rights or freedoms, or if it pertains to criminal activity.” 

(GDPR, Art. 30)

Digital Marketing, Data Analysis, & Forecasting for the Future of Content Marketing:

The passage of GDPR marked the formal beginning of complex, internationally impactful changes to privacy laws and standards on the internet, specifically in terms of any form of widely agreed-upon basic rights of digital consumers. This legislation has attempted to significantly open the internet up for increased user anonymity, at least as far as private enterprise can legally dictate tracking user information.

Conversely, this legislation also marks the opening of the floodgates for other globalized countries to push their own updated amendments and new mandates of internet privacy laws. The UK Parliament is currently pushing EPrivacy as its additional piece of privacy legislation. Canada is working to implement its own updated legislative iterations for internet privacy, as its current laws do not easily align with new GDPR requirements. It is safe to say the United States will not be far off from our own GDPR equivalent, following suit with our global political allies.