May 25 2018 is a date firmly stamped in everyone’s diaries, says Lindsay McEwan, VP and managing director EMEA, Tealium.
The day the EU’s General Data Protection Regulation (GDPR) comes into force is just months away and marketers are stepping up their preparations. According to AvePoint’s global GDPR Readiness Benchmark Report, over half of businesses are increasing GDPR budgets, while a third are adding headcount allocation to prepare for the regulation.
The GDPR has far greater reach than previous data privacy laws, impacting any business that collects and processes the data of EU citizens, even if that’s just a single customer. The regulation puts control of personal data into the hands of the consumer and obliges businesses to be more transparent about what information they capture, as well as how it is used, introducing fines of up to 4% of annual turnover for non-compliance.
The global nature of the GDPR means it will impact the vast majority of large businesses, so how prepared are companies for the impending regulation? Are European countries ready, or are they merely spectating as Germany takes the lead, and what steps are businesses worldwide taking to ensure compliance?
Europe prepares for the GDPR
While only 8% of European business leaders feel their organisation is already compliant with the GDPR, preparations are clearly underway as the majority expect to be compliant by the May 2018 enforcement date.
As the first country to finalise its national legislation, Germany is leading the European charge, passing a new Federal Data Protection Act (FDPA) ready to come into force on the same day as the GDPR. As far back as February, a survey revealed 44% of German businesses felt ready for the implementation of the new rules, the highest percentage of any European country. This confidence may be due to the prior existence of stringent data laws. For instance, data protection officers have been a legal requirement in German companies since 1977. And of course the country also plays host to dmexco, which this year provided marketers with the ideal environment to discuss the GDPR and its implications, sharing best practice and queries with colleagues from across the world.
But while Germany may be one step ahead, there are positive signs across the rest of Europe. Luxembourg introduced national legislation to complement the GDPR in September and The Netherlands published its bill, although it has not yet been finalised. Belgium is in the process of reforming its own national data protection authority, while the French equivalent has published practical guidance for data processors on complying with GDPR obligations.
Across the continent, countries are taking a tougher stance on data privacy and moving towards GDPR-style fines. The Italian data protection authority issued financial penalties to five companies for unlawfully processing personal data in March, while the UK’s Information Commissioner’s Office (ICO) recently fined TalkTalk for putting customers’ data at risk of exposure. Earlier this year, the ICO also penalised Moneysupermarket.com – a popular price comparison website – following the company’s distribution of 7.1 million emails to customers who had previously opted out of direct marketing.
Global preparations are variable
A study by Veritas Technologies revealed 86% of organisations across the globe are worried a GDPR breach could have a major negative impact on their business, but there is great variation in the level of preparation individual countries and global businesses are making for the regulation. Some international businesses are taking a global approach, including Apple, which introduced its Intelligent Tracking Prevention software in September to prevent advertisers following consumers’ online movements.
The U.S. is more advanced in data management than Europe, with 78% of U.S. businesses carrying out a data privacy impact assessment in the past year compared with just 60% in the UK and 65% in Germany. On the other hand, almost half (43%) of IT professionals in the U.S. believe the GDPR won’t impact their business, compared with only 9% across the EU, indicating low awareness of the scope of the regulation. While countries such as Australia – which is bringing in mandatory data breach notification laws next year – are relatively advanced in preparing for the GDPR, the Veritas survey reveals some countries are way behind, with Singapore, Japan and the Republic of Korea the three that are least prepared.
Ultimately, the increased territorial scope of the GDPR means it will impact all businesses, regardless of geographic location, and the new regulation will set a global precedent for future data privacy laws. It is vital for all businesses to prepare for its enforcement by auditing the data they collect and analyse, securely deleting non-critical data, streamlining internal processes for managing that data – ideally via a central data hub – and revising policies for obtaining consent to data processing.
The terms of the regulation may seem strict, but in the long term it will help marketers to gain consumer trust, as well as a more comprehensive understanding of individuals that can be used for relevant, targeted consumer engagement. Further guidance on preparing for the GDPR can be obtained from individual countries’ data protection agencies, and the UK ICO Guide to the GDPR provides a detailed overview.
The GDPR may originate in the EU and Germany may be leading the way in planning for its enforcement, but it is a truly international regulation that will become the de facto template for global privacy laws moving forward, meaning businesses across the world must be prepared.