The General Data Protection Regulation was adopted in 2016, and required all companies to comply by May 25, 2018. The companies affected by this development are either located in the EU or deal with EU residents* and collect their personal information. This means that these companies do not need to be in Europe, and 92 percent of US companies already consider GDPR a top data protection priority.
The recent Cambridge Analytica scandal demonstrated how important data privacy rules are, especially in today’s interconnected world. The UK-based firm collected information on millions of Americans, which it used for political campaigns. As data flows between continents, the law follows.
GDPR requires companies to act very responsibly with the data they collect on EU residents. Users must give their consent, be fully aware of how their data will be used, and have the ability to export and delete the data held on them. Companies must also take adequate measures to protect that data.
Companies that do not comply with GDPR can be fined $25 million or 4% of their annual revenue in the case of a breach – whichever is higher. But compliance is also costly. According to Netsparker’s survey, around 60% of companies will spend somewhere between $50,000 and $1,000,000 to become GDPR-compliant, while more than 10% will spend even more to get there.
This has led to all sorts of interesting compliance tactics. While GDPR is only for EU residents, the nature of the internet practically forces it on everyone, since any of these companies could be dealing with clients from the EU at any time. As a result, a few companies have blocked EU IPs, while others have removed their tracking. Some use a combination: now that we are not tracking you, pay for the ads you don’t see! Facebook’s tactic was one of the dirtiest; it tricked users into thinking they had messages waiting for them which they could only see if they accepted the terms.
This problem looks different when it comes to data that companies have collected on their clients over the years: they now need to go back to users and ask them for their consent (this is the reason for all those GDPR emails around May 25). The choice is simple: either get your users’ consent or stop tracking them.
GDPR: Bad for Business?
Needless to say, most people won’t re-register for the newsletters to which they once subscribed in return for free services. Ads will be less personalized and less accurate. All of these factors could hurt businesses.
But the truth is, we are just accustomed to bad business practices which eventually hurt more than they heal. Honestly, how personalized have those ads really been? Based on my own experience, I click on one ad in a thousand; the other 999 are irrelevant, intrusive and irritating.
Another example: Facebook and Cambridge Analytica. Facebook’s shares dropped and Cambridge Analytica went bankrupt in the aftermath of the scandal. This is what bad data hygiene can do – compare it to the Obama campaign, which did the exact same thing but was transparent about what it was doing.
So, getting GDPR-compliant pays off – not only from a fine-prevention angle, but really in terms of customer relationships. According to Kevin Simonson, CEO and co-founder of Metric Digital: “Digital advertising will still be incredibly powerful under these GDPR regulations, but ultimately it will weed out bad actors who don’t believe in transparency. It will raise the tide for all ships involved.”
GDPR is favoring new ways of doing business. “The GDPR represents a sea change in the way marketers do business online… No more scooping up data wholesale just because you can. If you collect data that doesn’t have a specific purpose, you may find yourself out of compliance,” says Jeff Edwards, a tech writer and analyst who blogs for Ipswitch. “For that reason, I think GDPR compliance and auditing capabilities will emerge as a major selling point for marketing tools this year.”
One of the challenges in the post-GDPR era is that companies have to restrain their hunger for data. But companies need that data or they will miss out big. So what’s the other trick up their sleeve? They make the data “non-personal”: by removing the identity of the person to whom the data belongs, they can still keep the data necessary to detect behavioral patterns and train their AI or other services. Kirill Rebrov, co-founder and CEO of Demografy, has trained AI to predict demographics based on such data. He explains: “Our technology uses ML [machine learning] to infer demographic data from as scarce data as possible. It can be provided with just first names and partially masked last names which are not PII [personally identifiable information].”
For organizations that don’t want to encrypt their data, the main challenge is discovering where all their clients’ personal information is located throughout the many different business systems they use. This can be a daunting task for BI groups, since it requires manual data mapping, which is extremely time-consuming and inaccurate. To aid them, Amnon Drori co-founded Octopai, a machine learning-based SaaS platform that enables organizations to find their data and track its movement in seconds by automatically discovering, centralizing and analyzing cross-platform metadata. This metadata is then used to accurately surface sensitive information within one’s organization in a matter of minutes as opposed to weeks.
As for the “user consent” part, AdEx offers a solution that’s GDPR compliant from the ground up. Being a decentralized advertising platform with no middlemen, it has the unique ability to let users decide what ads they see – thus, they have full control over how they are tracked and targeted, and can stop it altogether. “In this new model, the power is flipped, where the user/consumer is in control versus the business,” says Neil Patel, advisor to Kind Ads, another decentralized advertising project which pays users in exchange for sending ads to them. “Users are empowered, and they are given options in which they can sell their data in exchange for compensation.”
Could this be the future where we finally get rid of intrusive ads and develop better protection against breaches, with more bandwidth to use and less distraction from what matters most? What is certain is that GDPR will weed out the bad actors and raise industry standards – until someone finds a way to cheat us again, in more sophisticated ways.
*The correct term is actually “data subjects”, which is broader than both “residents” and “citizens”. We have used “residents” for simplicity in this article.