Today, personal data is collected at a phenomenal rate, making it a commodity that The Economist called “the world’s most valuable resource ahead of oil”. This is hardly an overstatement, considering how much the collection of data affects the success of a company and the customer experience alike.
Regulation of our data processing and data handling is an undeniable fact. In the past few years we have seen a lot, especially in igaming. Earlier this year all anybody was talking about seemed to be the General Data Protection Regulation (GDPR). On 25 May 2018 the GDPR became enforceable, threatening companies with large fines if they are not compliant.
So, are we compliant? Recent studies carried out by 451 Research suggest that, while businesses are realising the importance of GDPR, many are falling short in terms of the technologies and processes they have in place to ensure compliance. In most cases the challenges lie in the organisation, storing and retrieving of data. Forbes suggests that 20% of companies, at best, are close to full compliance with GDPR.
Since it came into force, European regulators have also reported massive increases in the reporting of complaints, with the ICO anticipating that, as more awareness is instilled, the number of complaints will continue to rise. This is concerning, considering that GDPR increases maximum fines for malpractice to €20m (£17.6m) or 4% of a company’s global turnover, whichever is higher. GDPR has also encouraged more transparency among companies, with an increase in the reporting of data breaches since its coming into force.
Over the past few months, and very much in the week before the enforcement of GDPR, inboxes were flooded with a staggering number of emails, all asking for consent for the processing of personal data.
As Alanis Morissette might say, “Isn’t it ironic?” Only in this case there actually is some irony, in that companies asking for consent must necessarily have had the previous consent of that same customer to be allowed to contact them in the first place. Moreover, consent is only one legal basis on which businesses can rely to process data; there are five others. These are: compliance with a legal obligation, contractual performance, vital interests, public interest and legitimate interest.
What is also very important to understand is the difference between ‘personal data’ and ‘personally identifiable information’ (PII). To make the distinction, it’s important to understand that all PII is personal data but not all personal data is PII. For example, the European Court of Justice ruled in 2016 that a dynamic IP address will in some cases be considered personal data, while in others it is PII.
So, when is it PII? Certainly, if any third party can link the dynamic IP to an individual, then it is. And if the website operator can by any legal means obtain information held by the ISP in order to identify the individual, then it is also PII.
There is another regulation that in many respects will be even more far-reaching than the GDPR. The EU ePrivacy Regulation (EPR) will repeal the current ePrivacy Directive. EPR is proposed to come into force within the next few years and will be directly applicable in all EU member states simultaneously.
Do yourself a favour: begin to take stock of this regulation and start preparing for it. In my opinion this regulation has the potential to mean a lot more to our industry than GDPR did.
EPR is about more than cookies, but it does emphasise the importance of acquiring informed consent before a business can track a person with cookies. This is significant not only for internal marketing teams but also for affiliates who rely on this.
Also worth mentioning is the EU Copyright Directive, which has recently given rise to controversy. This directive limits the way in which copyright works are shared on the internet and imposes an obligation on user-generated sites such as online platforms and affiliates to take down copyrighted material. The European Parliament has approved the directive but a final vote is pending, slated for January 2019. It will then be up to individual member states to adopt laws on the basis of the directive.
Make it work for you
Over the past year I’ve had a lot of conversations on these topics and there seem to be three schools of thought. Some people know it is important but will not, for various reasons (money, time, understanding), make the effort to fix the things necessary for compliance. Some people are simply choosing to ignore the regulations altogether. Finally there is the category of (way too few) companies that understand the importance of the regulations and who work on being compliant. I am happy to say that I work for one of these.
It is naive to think that you as a company can go ‘under the radar’ and never be confronted with a lack of processes, handling or understanding of the regulations. Sure, you might not get fined for being non-compliant on GDPR any time soon. But that is looking at it in the wrong way. There are good reasons behind these regulations. You should take this opportunity to gain control and offer transparency, as well as instil a new business culture where customer data and privacy are valued – which is what GDPR set out to do in the first place.
Take this opportunity to learn about the regulations that are here and the regulations that are coming. Share it internally, and set a higher standard for yourself and the people in your team.
We already know that GDPR is not the end – it is the beginning. The longer you wait to do something, the more you have to do. Instead of waiting, get things in order and then spend the time on thinking up new and innovative ideas for how you can use these regulations in a positive way rather than trying to get around them.