Comment (0)

GDPR in a year: changes that have already affected the tech world, ambiguities of GDPR interpretation, and how businesses are supposed to address them.

On May 25, 2018, the new European Data Protection Regulation became mandatory for execution in the European Union and the rest of the world where the data of EU citizens are being processed. Back in 2018, the majority of tech companies, hailing from the ad tech industry, in particular, were nervous about the inability to adapt their tech stack to the new standards in time. This was quite understandable, given that the consequences of a violation of the GDPR were promised to be severe, ranging from the following: a fine of 10 million euros, a 2 percent of the annual turnover, a fine of 20 million euros or 4 percent of annual turnover.

It appeared that only 48 percent of US companies and 20 percent of EU-based companies had managed to be fully prepared by the deadline. Although tech companies had two years to pass the stage of adaptation, wrongful regulation interpretation and uncertainties still keep particular companies under scrutiny. Is there a chance left to overcome them successfully?

Challenges of the Post-GDPR Era: Worldwide Effects

During the first months after GDPR came into enforcement, most European national regulators worked with preliminary investigations, general recommendations, and applications of the small fines. However, by the end of 2018, large media giants like Facebook, Twitter, and Google had faced million-dollar penalties for not disclosing the mechanisms of personal data collection for advertising purposes. In Google’s case, GDPR fines had climbed to 57 million euro.

It might seem that European regulations are heavily focused on big corporations, but this is merely an information-infused delusion. In March 2019, the Personal Data Protection Office (UODO), imposed a 220,000 euros fine on a small local analytical company in Poland for the failure to execute the information obligation required under Art. 14 (1) – (3). The data protection agencies in EU countries also reported a significant rise in the number of GDPR violation complaints coming from customers.

What Users Expect From Companies

EU citizens have already noticed the effects of GDPR activation. Thousands of messages about privacy policy updates successfully found their way to user mailboxes last year. For now, even though a particular share of European users believe that GDPR hasn’t affected their privacy rights, 63 percent agree that it positively impacted the transparency of their communication with brands.

The users across the European Union and the U.S have quite the same perception of GDPR requirements. However, their expectations from companies in response to GDPR may differ. While the most U.S-based users expect the companies to update their privacy policies accordingly, the users based in the EU expect a greater step that extends to the prohibition of personal data resale and sharing with other companies.

Such requirements would completely cease the operations of ad tech companies since user data is largely fueling advertising personalization. ML and AI algorithms automatically analyze large arrays of big data to determine audience preferences. Based on these preferences, such systems, like programmatic, determine the portraits of the customers in order to show each viewer the offer they will most likely respond to.

In this regard, last year the ad tech world experienced great turbulence. Many ad tech experts predicted the end of advertising personalization and transitioning back to contextual advertising. Indeed, last year the share of programmatic purchases did drop by 25 and 40 percent. At the same time, when the panic had ceased, the initial rates went back to normal. Market experts have come to the revelation: after GDPR adoption, the wave of massive opt-outs actually didn’t start. Instead, 85-88 percent of customers revised their approach to consent giving and reported about willingness to share their data in case they’re assured that the whole procedure is clear and transparent.

How to Avoid GDPR Confusions

Often, tech companies that are fully adapted to GDPR, both technically and organizationally, make common mistakes that can arise from regulation misinterpretation. A good example was Google. It didn’t centralize the process of user data collection on a single page. Instead, it required users to perform several actions. After completing them, users were not fully aware to what extent their personal info would be used. It is important to remember, for each data processing goal, the company has to have a separate consent form, according to GDPR.

French Data Regulator, Commission Nationale de l’Informatique et des Libertés (CNIL’) also considered that the text of Google’s consent obtaining agreement to be insufficiently informative and ambiguous. For example, when Google asks for permission to show personalized advertising, the company does not warn that it’s actually about advertising in all its services.

The European Union Institute has inspected the privacy policy of 14 large enterprises, which features Alphabet, Amazon, and Facebook, and claimed their legal documents were somehow ambiguous and superficial. There’s another common situation when the user disagrees with new policies, and the website prevents them from further browsing. Whereas GDPR states, compliance giving should not affect performance at any stage.

In order to not fall victim to GDPR misinterpretation, it is necessary to have a "minimum package" of documents:

• Privacy notice and privacy policy
• Clear and concise user consent form
• Cookie policy
• Personal data protection policy
• Disclaimer on cookie processing

This list of GDPR documents is an absolute must for all Internet companies that work with European data, but it has to be supplemented by other documents depending on the specifics of the company’s work.

European legislation is also designed in a way that if the company works with non-compliant vendors, it can be fined for collaboration with unreliable partners. Such consequences can wreak havoc on businesses and business networks in particular. That’s why it is no less important to make a complete revision of partners than adhering to must-follow technical and organizational GDPR measures. The best advice is to start with the analysis of the entire company operation. Assign a data protection officer, involve internal lawyers, and external data security specialists to assess user data processing, potential risks, and the areas for improvement.

The Takeaway

Tech sector has had the opportunity to align their business with new European requirements starting from 2016 when the transition was announced. But, as the practice showed, the requirements had been executed superficially, which caused negative consequences for certain companies. In spite of controversial predictions, the ad tech sector has not perished. Undoubtedly, GDPR has made user consent harder to get, but the result is promising to pay off in the long run. With proper technical, legal, and organizational preparation, processing the user data will result in a more secure and transparent functioning of digital space, that will be equally beneficial for advertisers and users.

Comment (0)