Home Business Three Years Later: GDPR is All Talk and No Action

Three Years Later: GDPR is All Talk and No Action

by wrich gbaf

The General Data Protection Regulation (GDPR) was introduced on May 25th 2018. This legislation focuses on data protection and privacy across the European Union (EU) and European Economic Area (EEA), while addressing the transfer of personal data outside of the EU and EEA, and aims to provide citizens with more control over their information.

However, three years into a post-GDPR world, the regulation remains all talk, no action – and isn’t quite meeting its objective effectively. Although we have witnessed the likes of British Airways, H&M and the Marriott hotel chain suffer heavy fines of up to £32.1m for their data protection failings, even the latest potential fine on Amazon cannot mask that GDPR still lacks the necessary funding and structure to make it more than an incipient – supposedly hard-hitting – concept.

A big part of the problem is due to the self-regulative – ‘honesty-policy’ – nature of the legislation. It is typically up to individual organisations to record and communicate their own offences and infringements to the Information Commissioner’s Office (ICO), who then enforce the regulation.

Which entity is responsible for inspecting whether a business is actually still GDPR compliant three years later? Who is in charge of validating GDPR compliance? Further, how effective  – as well as  official – is self-regulation in ensuring organisations are co-operating? Russell Loarridge, Director UK, ReachFive argues that Martech and retail technology providers have a greater role to play in GDPR compliance.

Consumers crave reassurance that data is GDPR compliant
Where is the GDPR equivalent standard that proves that organisations are certified as “compliant”?

A GDPR kitemark would solve this problem and offer customers reassurance from brands, and retailers, that their data is being stored and used in a way that is genuinely GDPR-compliant and ethical.

Typically, important legislation, similar to GDPR, comes with a need to meet specific prerequisites in order to certify standards are met. Once it has been proven that these are adhered to, certification usually results in the option for organisations to use a kitemark of sorts as a way of demonstrating compliance has been achieved. Good examples of this in action can be seen from the likes of the BSI or the various ISO standards.

Cookie request immunity – click ‘Accept All’
Is anyone else bored with accepting cookies on every site and every click through on mobile, whilst still not knowing why the site needs that information?

As a ‘form’ of GDPR consent, many businesses often encourage the public to accept cookies when using apps and visiting websites. Is this really acceptable in the eyes of today’s consumer? To the majority of people, cookie requests have become the norm, a boring overhead to using the web.  Users find themselves clicking ‘Accept All’ for convenience in order to reach the online content they were looking for as quickly as they can.

In addition to this, through the pandemic, we witnessed an accelerated change in consumer behaviour. Lockdown restrictions forced people to stay at home and consume media online. This included an influx of film and game consumption, as well as an increase in e-commerce. A new study by Ofcom found that UK adults are now spending more than a quarter of their waking day online – the highest on record. This digital transition demonstrates how more and more data continues to shift online at pace.  This drives a heightened risk for data privacy breaches to take place.

As people spend more time online and share data, this is where a GDPR kitemark could help reassure consumers about where to spend their time or money safely. Furthermore,  the industry could benefit from defining the status of compliance achievement, in a similar way to how PCI DSS compliance is defined. What if organisations could confirm whether they are Bronze, Silver, or Gold GDPR compliant? This will help relieve worries experienced by some consumers and, indeed, help  organisations demonstrate that they are treating customer data with the privacy it deserves.

Consumer demand drives more to be done by tech firms though
Not long after GDPR’s three-year anniversary, at Apple’s recent developer conference, it announced new features that will help users control and monitor apps’ use of their data.

Driven by consumer demand, this is a good move by Apple – we expect the idea of ‘privacy’ to become a competitive differentiator for the tech giant and other ‘copycat’ firms down the line. We anticipate more brands to follow suit as they strive to demonstrate data privacy and GDPR compliance. Within today’s data-driven landscape, people will start to take more of an interest in how their personal data is used too. This is where Martech and retail technology vendors have a critical leading role to play.

As organisations seek to achieve GDPR compliance and data privacy best practice, they need to assess whether they are collecting and storing customer data ethically. For some, this might mean completely re-engineering how they engage with customers at an ‘identity’ level. This is where customer identity and access management (CIAM) technology can help. For ecommerce brands, this is especially crucial to review too – many mistakenly think that their e-commerce engines provide some form of identity management; when, in fact, they don’t.  Further, since there is no kitemark for GDPR yet, a combination of tools, like CIAM, can help firms manage customer identity (and data) effectively and transparently, and support their growing business under the best practice outlined by GDPR.

All of this can help build trust with consumers that personal data is not abused – but, equally, that it will be used to drive relevant and personalised marketing that truly benefits consumers.

What has GDPR taught us over the past three years? Arguably, not a lot.

The current state of GDPR in 2021 consists of self-regulation, a lack of an industry kitemark, as well as an absence in enforcement. For a legislation as important as one that protects the public’s data, more needs to be done to provide confidence to consumers that their information is being respected by the rules set out by GDPR’s regulatory requirements – but, equally, that brands, or retailers, don’t just superficially try to meet these requirements. Instead, ethical data management and privacy should ideally underpin their character, customer relationships and GDPR efforts long-term.

You may also like