No matter your business or profession, whether as an individual or an organisation, as of 25 May 2018 the EU General Data Protection Regulations (GDPR) will mean something to you.
That may seem like some time away, and it is, but businesses that fail to adapt in time may get left behind. One man who knows a thing or two about GDPR is Mark Roy, founder and chief executive of Read Group, the UK’s biggest data provider.
Roy has been lobbying the EU over GDPR, and was an instrumental figure in its final design through his former position as chair of the Direct Marketing Association (DMA). “The first version of GDPR that was presented to us was a case of ‘pack up, turn the lights off and go home,’” he says. Still not entirely happy with the outcome, he tells me that “the reality is that we’ve ended up with a decent piece of legislation that has been watered down.”
What is GDPR?
GDPR is the long-awaited EU response to the outmoded Data Protection Directive (DPD), which, enforced in 1995, “predates the digital age and is no longer fit for purpose,” says Roy. Each of the 28 member states of the bloc already has its own data protection law, such as the Data Protection Act (DPA) in the UK, which GDPR will replace with a single pan-European piece of legislation.
The data landscape has changed dramatically in the last two decades, with the rise of social networking sites, cloud computing and location-based services. Although it may be unbeknown to some, every business uses personal data; whether you’re a local contractor holding customer invoice details, or a brand using programmatic advertising to direct targeted marketing.
GDPR regulates the use of EU citizens’ personal data by businesses and, although in theory it applies to the bloc, it is supra-continental. Any organisation handling EU citizens’ data has to abide by it and its strict data protection compliance regime or face severe penalties of up to 4 per cent of global turnover. No other EU law of such breadth, scope and international relevance has ever been implemented.
The GDPR is 200 pages of ambitious legislation and far too complex to detail in a short article. Primarily it ensures that businesses must have permission to hold personal data, and replenish permission every six months. Other concepts such as the extension of the “right to be forgotten”, data portability, data breach notifications and accountability will also take some getting used to.
Why it’s important
Roy talks of the “fair exchange of data” – that is the theory that consumers should get something in return for use of their personal data. “To be honest I think it’s rubbish, I don’t think consumers really care much about all of that. I think what people really care about is their data being used safely and kept secure.”
He says that consumers have broadly accepted that, in exchange for continued use of a service, the cost is their personal data, and that actually people are more concerned about trust. “Trust in the journey of their data, and knowledge that businesses aren’t going to go and sell that to a whole bunch of people without permission.”
Roy, although a sceptic of the final version of GDPR, says that the diminished trust between marketers, advertisers and consumers is a product of its success, but blames global media conglomerates for letting the mistrust get so out of hand.
“Where it started was around this issue of ownership from Facebook, Google and Whatsapp – that photo you took on a night out, does it belong to you and your mates, or does it belong to Facebook? The issue was that when we (as European citizens) went online, our data was taken abroad, to America. And we had safe harbours that existed until the ECJ screwed it up.”
Last year the European Court of Justice ruled that the transatlantic Safe Harbour agreement, which allowed American companies to use a single standard for consumer privacy and data storage in both the US and Europe, was invalid. Under Safe Harbour, US companies could self-certify that they would comply with EU data protection standards in order to allow for transfer of European data to the US. “The problem was that Facebook and co were taking the piss,” says Roy.
He is an industry stalwart, a darling of data, and the lack of transparency and occasional misuse of data is one reason he supports GDPR. “It does sort of lift the veil slightly on what’s going on, and demands that organisations like us are open, honest and transparent. Not that we aren’t already – that’s always been our mantra.”
Roy thinks that laying down a set of rules and standards for businesses holding data is essential to restoring consumer trust. “They are driving the change, they want it. GDPR is happening because consumers want to be able to trust the brands, but feel like they can’t.”
The mistrust is a product of an industry free-for-all as it adapted to the digital age. “I think the internet is making the same mistakes we did in direct mail during the early 90s – just carpet bombing consumers, in hope that if you hit them enough, they’ll eventually convert. It was certainly a license to print money, but I think there’s an enormous fatigue with consumers now. They want to be targeted reasonably, in a refined way, and most importantly, in a way that is relevant and timely.”
“Consumers are right at the centre of GDPR, if you ignore their wishes, and what they want, then do so at your peril. And as we’re trying to build relationships it seems odd to try and ignore the key party.”
For those who voted for Brexit to escape the grip of EU red tape, it may seem rather bizarre that UK businesses will still have to abide by GDPR if they want to deal with EU citizens’ data. Roy has a solution that fixes both the watering-down and Brexiteers’ qualms by calling its bluff. He thinks that implementing our own data regulation that overrides GDPR can make us world leaders in data standard-setting.
“I think there’s an enormous opportunity, which I think we should be moving towards now. We cannot have a watered down version of GDPR – we should have an authentic version, as intended. One that is led by Britain, where anyone wanting to hold British data would have to abide by it. If you go into a different country you have to abide by their laws,” he says, “it’s no different online, you have to accept it.”
The watering down he talks of is multi-faceted, often driven by the unreliable jigsaw of self-interested EU states vetoing important aspects. “It pretty much prevented the opportunity to sell to people,” he says. “The thing that gets my goat more than anything else is that, by definition, the EU has to work to the lowest common denominator. That for me, as someone who has spent all my life trying to work to the highest common denominator, is a bit of a conflict.”
The industry certainly needs a fundamental shake up to restore confidence in brands, but Roy believes that GDPR doesn’t go far enough.
“Perhaps I’m foolishly optimistic but what I’d like to see is UK legislators building something which is global, with us leading the way, doing it our way, not answerable to the EU.”