Like it or not, consumers are waking up to their right to privacy online. The implementation of GDPR (General Data Protection Regulation) was a catalyst compounded by the high-profile case of Facebook’s Cambridge Analytica scandal.
But four months into GDPR and marketers are still struggling with complex, often ambiguous, guidelines. At the same time, a new wave of uncertainty looms over markets outside of Europe, with the United States and Brazil beginning to weigh up similar measures.
It’s no surprise, therefore, that progress with GDPR progress is on the lips of many marketers at Digital Marketing World Forum Europe (#DMWF) already today. Not least that of data privacy firm OneTrust, whose VP of sales and business development, Kevin Kiley, provided a refresher course of data privacy fundamentals.
Marketing Tech took the chance to collar Kiley post-presentation for his thoughts on just how far we’ve come with GDPR compliance, and what remain as the key challenges for companies on the path to becoming fully compliant.
It seems like data privacy has never been more important for consumers, not just in digital marketing but perhaps every industry. Why do you think that’s the case now?
Kevin Kiley: The GDPR [General Data Protection Regulation] has had a catalytic effect on consumers’ attitudes toward privacy and global privacy regulation. Since its adoption date we’ve seen California pass a new Consumer Privacy Act, Brazil sign its own GDPR-style privacy law and India release a draft data protection bill. Even the United States is exploring moving away from sector-based regulations, such as HIPAA, COPPA, etc., to a comprehensive federal privacy law.
Couple this momentum in privacy regulations with constant headlines of blatant misuse of personal data – consumers are waking up. They are realising not only the sheer volume of data any company may have on them, but they possess the rights to have greater control over that data. When you educate and empower public as a whole, all industries are impacted.
Do you think marketers have adapted?
KK: Overall, we’ve been impressed with marketers’ interest in becoming GDPR compliant. We work with our customers to think of privacy compliance as a competitive advantage, not a business inhibitor. If marketers can show their consumers that they take privacy seriously and consumer know they can easily exercise their rights – such as opting out of certain communications – they can increase trust and maximise opt-in. That said, GDPR compliance is an ongoing process, not a one-and-done activity, and marketers need to think privacy first when continuing building programmes and processes that collect and use personal data.
Why has compliance been so difficult for many?
KK: One of the challenges of GDPR compliance is that the text of the law is not prescriptive and open to interpretation. We work with our customers to understand the nuances of the law and provide guidance on how to best comply. While the EDPB [European Data Protection Board] – formerly Working Party 29 – continues to publish guidance, there are still a number of open questions. ePrivacy is expected to provide clarity on a number of questions that face marketers specifically.
It doesn’t seem like the ICO has really made any examples yet despite consumer complaints doubling since last year. Can marketers continue to take chances?
KK: We are still less than six months into the GDPR enforcement date and while it seems that the ICO is practicing leniency at this point, I would recommend companies at least have processes in place to demonstrate GDPR compliance. At this stage, we recommend that marketers take the GDPR seriously and should not be surprised if the ICO does take enforcement action in the coming months.
What are the most common challenges?
KK: The biggest questions I receive from marketers are about when to use consent and as a legal basis for processing data versus legitimate interest and the right way to set up cookie notifications on websites. We share with customers the risks and benefits of the various approaches to legal bases for collecting and processing data and cookies, but ultimately, it’s up to their risk tolerance to determine their company’s marketing compliance strategy. I anticipate the impending ePrivacy Regulation will address a number of these questions and be more prescriptive for how marketers can collect, use and store personal data in a way that is still beneficial for their business and marketing purposes.
Finally, how do you think consumer attitudes to data-handling will evolve over the next year or so?