Two years in – the industry reflects on the impact of GDPR

Yesterday marked the two-year anniversary of the implementation of the General Data Protection Regulation (GDPR), one of the most far-reaching pieces of legislation brought in to protect the interest of consumers, in respect of how organisations collect, store, manage and use their personal information.

It was brought in with the promise of serious fines for companies found to be in breach of the rules, with a maximum fine of €20m (or equivalent in sterling) or 4 per cent of the company’s total annual worldwide turnover in the preceding financial year, whichever is higher.

In fact, the really big fines have been few and far between. British Airways is facing a fine of £183m, and Marriott Hotels, a fine of £89m. Both are currently appealing the fines. The ICO also fined Cathay Pacific £500,000 in March, for a data breach that saw hackers gain access to the personal details of 9.4m customers globally, including names, passport details, dates of birth and phone numbers. The relatively low size of that fine is due to the fact that the data breach took place before GDPR came into force.

The ICO has also made a point of investigating business practices in the ad tech industry, though earlier this month, it said it was pausing its investigation into real-time bidding and the ad tech industry, while noting slightly ominously: “Our concerns about ad tech remain and we aim to restart our work in the coming months, when the time is right.”

So two years in, what’s the industry’s verdict on GDPR. We spoke to some of those on the coalface to find out…

Dyann Heward-Mills, ethics expert for the European Commission and CEO of HewardMills:
“Europe once again finds itself at a crossroads. GDPR was a monumental turning point in data protection and caused a ripple effect of similar legislation around the world. However, Covid-19 is severely stress testing GDPR, in a way few anticipated. Emerging technologies and processes such as Contact tracing and employee testing pose significant data protection and privacy concerns.

“Working life across Europe is still being shaped by Covid-19 but data protection and privacy must remain a business priority. This is why its key for regulators across Europe to support companies in remaining compliant. To build trust of consumers and employees companies must appropriately resource data privacy, security and compliance teams and must not be put at an unfair disadvantage for doing so.”

Richard Reeves, managing director, Association of Online Publishers (AOP):
“As a trade body for publishers, we worked tirelessly in the lead up to GDPR to ensure we were prepared and understood the exact requirements demanded of publishers. During this time, we worked closely with the ICO and two years on, we continue to engage in positive dialogue with them, and our GDPR working group has evolved to become the ICO working group.

“The ICO’s warning to the ad tech industry one year ago was extremely valid, and their latest updates regarding a pause on investigations should not change the priority that companies place on compliance. For our members, GDPR remains high on the agenda and we are continuing to invest resource into providing guidance and we work closely with our partners – that includes our relationship with the ICO.

“One output of the working group is the creation of a document outlining proposed mitigating options, that recognises the complexities of the ecosystem, and acknowledges publishers’ reliance on other industries, technical solutions and trade bodies to meet their responsibilities as data controllers under GDPR. Looking forward, we will continue in our role as the trade body for premium publishers to encourage other stakeholders to recognise their responsibility in the ecosystem.

Jakob Bak, CTO, Adform:
“We’re now two years on from the implementation of GDPR, one year since the ICO’s report on adtech and real-time bidding (RTB), and currently five months into the CCPA’s enactment. Privacy is more relevant than ever today, with the phase-out of third-party cookies already underway worldwide. However, this doesn’t mean the end of programmatic advertising as we know it.

“By putting data integrity first, as an industry we can further empower consumers with the knowledge of how their data is collected, stored and processed. This collaborative cross-industry effort will also speed up the shift from working with multiple third-party vendors to more sophisticated integrated advertising platforms that include comprehensive consent management solutions as standard.”

Ivan Ivanov, COO, PubGalaxy:
“While all companies should be in control of their GDPR compliance at this point, publishers and advertisers should especially now be preparing for the perfect storm that’s heading their way. With more global privacy regulations rolling in, unstable ad spend, and the end of third party cookies on the horizon, the industry is under pressure to adapt to the changing conditions. In response to this, we expect to see compliant use of first party data continue to grow in popularity. By establishing direct relationships, publishers and their advertisers can use personalisation methods to seize strong monetisation opportunities.”

Alexander Igelsböck, CEO, Adverity:
“Two years on and GDPR maintains its standing as a key priority for companies across Europe, and the world. In the UK, the ICO’s announcement regarding ‘pausing’ its investigation into the ad tech industry does not mean data privacy should move down the agenda. Businesses must continue to focus on ensuring best practice in data management, making sure they have the right systems and processes in place to track data better and ensure the correct permissions are sought, and always followed.

“As an industry we do have a clearer understanding of what compliance means and moving forward we should be seeking the most efficient ways to comply with our responsibilities. The tools and means exist to ensure both compliance and excellent levels of service. Its time to turn this into a strategic advantage for companies.”

Calum Smeaton, CEO, TVSquared:
“Across the advertising and adtech ecosystem, privacy needs to be more than a simple checkbox exercise. Its something that continues to evolve to suit consumer and industry needs. Whether it’s our physical infrastructure or how we manage data access and control, we’ve made sure privacy is embedded within the DNA of TVSquared. That is second nature to us, as the founding team members, myself included, come from fintech and are used to working within regulated, high-security environments.”

“Within digital marketing, the phase out of third-party cookies reflects the next stage of data privacy. While TV is an essential player in the next wave of data privacy due to the growing information available via smart TVs and subscription platforms, its going to see less of a fall out from the disappearance of third-party cookies than digital-first companies. However, data privacy concerns are not restricted to third-party cookies, the focus on personal information and how data is managed, processed and accessed are top-of-mind for us, especially as digital and TV collide.”

Amy Yeung, CPO, Lotame:
“Closer alignment between industry and regulatory bodies is permitting both sides to better understand the technology available and industry data flows. The result is clearer visibility into the challenges companies are facing in GDPR implementation, as well as sharper insight into how they can best approach compliance. There’s a variety of working groups, and independent advisory boards like the IAB, ANA and ESOMAR, helping to further address these issues and identify some of the technological challenges that lie ahead – I hope we can continue to leverage them for the transparency and consumer awareness we seek.”

Buno Pati, CEO, Infoworks:
“We will see a dramatic increase in consumer control over ‘peronal’ data as privacy laws evolve over the next year. The second anniversary of GDPR also marks the tip of the iceberg with regards to the protection and consumer control of consumer data. As a global society, we need to trust our privacy is safeguarded. Throughout 2020 and into 2021, consumer control of personal data can be expected to increase dramatically as governments and regulators drive new privacy legislation. Within a decade, these regulatory actions will likely lead to complete consumer control of personal data and opportunities for consumers to directly monetize their data or directly exchange data for goods and services.

Tanzil Bukhari, managing director, EMEA, DoubleVerify:
“As we enter the third year of GDPR implementation and a new post-cookie world, many marketers are looking to leverage new methods to reach audiences. While GDPR has been an important and necessary regulation in Europe, it has also limited the data advertisers can use for targeting, analysis and optimisation.

“Contextual targeting provides an alternative for cookie-based targeting without the need to use personally identifiable information (PII) or track cookies. It uses information about the content of the page, not bid or impression data. By combining machine learning with human expertise to enhance the scale and accuracy of semantic and contextual targeting, marketers have a viable substitute to target consumers and improve their media experience, while maximising campaign performance. It’s not a silver bullet for targeting but it’ll play a significant role in driving performance in the future.”

Nick Morley, EMEA MD, Integral Ad Science:
“Two years on from the GDPR, our research shows that privacy is still a key concern for the majority of consumers, in fact a massive 94 per cent of them – even if 33 per cent of consumers remain unaware of specific data privacy regulations. Instead of sharing personal details, UK consumers prefer to see digital ads based on interests and purchase history. With the demise of the third-party cookie, advertisers must now consider context as a crucial part of their approach to audience targeting.

“Almost nine in 10 consumers (87 per cent) understand their time online means more opportunities for data to be collected and used for advertising purposes. However, by considering the environment – the topics written about on the page, the sentiment and emotions conveyed – brands can adjust their strategies to engage with consumers alongside relevant content. The knowledge that context provides a clear opportunity to reach receptive consumers will be incredibly valuable for brands as we enter a cookie-less world.”