3 years on – are you GDPR compliant?

Since May 2018, GDPR has significantly changed the way in which we collect and process data, and the waves that the regulations have created in the sphere of online marketing are still being felt.

3 years on, we take a look at how the digital landscape has evolved, and give you the chance to test the strength of your GDPR compliance.

Are you GDPR compliant? Let’s find out!

A quick history of GDPR

The General Data Protection Regulation was adopted by the European Union on April 16th, 2016 and came into effect on May 18th, 2018. The regulation was put in place to enhance the control and rights that individuals have over their personal data. This piece of legislation is a regulation, rather than a directive, and is therefore directly binding and applicable, without any flexibility for individual member states.

GDPR is based on 7 principles:

  • Lawfulness, fairness and transparency – the user must understand what, how and why you’re processing their data
  • Purpose limitation – data should only be collected for a clear, specified and legitimate purpose
  • Data minimisation – only the data that is needed should be collected
  • Accuracy – all collected data should be accurate and up-to-date, anything else should be erased or corrected
  • Storage limitation – data linked to an individual can only be kept for the pre-stated period of time
  • Integrity and confidentiality – all personal data should be secured and protected
  • Accountability – you are responsible for the data you collect and hold

What have the GDPR focus points been in the last year?

Conversations about GDPR in the past year have centered around 2 main topics:

The Privacy Shield is an EU-US legal framework designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States, in support of transatlantic commerce.

It came into effect on July 12th, 2016 but has since been struck down by the courts, most recently on July 16th, 2020. The EU wants to protect its citizens’ personal data, but also wants to encourage cross-border collaboration and international trade. But the US and EU views on data privacy are diametrically opposed, with the Europeans believing that your data is private unless you agree to it being shared, whereas the Americans believe that your data is public unless you explicitly request it be made private. It is in everyone’s interest for the Privacy Shield to be replaced, and it should be, but it is proving a bit of a legal nightmare.

The abrupt end of the Privacy Shield is causing considerable difficulties for companies outsourcing (or using) data processing solutions in the US, but who are also collaborating with US-based companies in Europe. Indeed, the ruling of the European Court of Justice has confirmed that data processing can only be carried out outside the EU, or outside the appropriate states and under certain conditions. The country of destination must offer privacy guarantees that are as close to those foreseen by the GDPR as possible. And this is not the case for the US and American companies, due to their surveillance programs (Cloud Act). Therefore, collaborating with these companies or processing data in countries with data surveillance programs in their legislation has become more complex, but still possible of course, by taking the necessary legal and technical measures to protect that data. The European Commission has published new contractual clauses to be implemented, and the European Data Protection Board has issued recommendations about the implementation of additional measures that are essential for the compliance of such processing.

So a lot of progress has been made in terms of how GDPR is applied since May 2018, and not only with GDPR in Europe, but also in other parts of the world, where new data protection laws are also being implemented, such as the CCPA (California Consumer Privacy Act) in California, that will soon be upgraded to the CPRA (California Privacy Rights Act).

As far as cookies are concerned, the majority of the data protection authorities are tightening the rules on cookie consent. The official line is that under GDPR, implied consent doesn’t equal consent. They want to promote simple, meaningful and equitable options for cookie consent. Cookie opt-in/out options should be implemented per the GDPR guidance.

The disappearance of third-party cookies in the next couple of years will mean that companies will have to rely even more on the first- and zero-party data they’re collecting from their audience, so having an efficient and GDPR compliant data collection strategy in place will be key. Want to find out more? Take a look at our e-book!

ebook-2-years-gdpr-how-affected-marketers-facebookDOWNLOAD OUR E-BOOK →

What’s next?

GDPR is now fully implemented across the European Union, despite the reluctance of some countries. There are growing concerns however that the implementation isn’t as thorough everywhere, thus allowing for potential divergences and fragmentation. The EU is keen in the coming months to make sure that all member states are aligned to avoid this from happening.

Moving forward, the EU will be looking to make it easier for SMB companies (small and medium businesses) to be compliant, by offering extra support and tools.

Several large companies have been slapped with significant fines in the past three years (Google for 50 million €, Marriott International for 18.4 million € and H&M for 35 million € to name but a few), and the EU is promising to keep these fines coming if companies aren’t complying with GDPR.

There is another piece of EU legislation that is looming somewhere in the not so distant future, called the ePrivacy Regulation, considered by many as GDPR’s evil twin. This new set of rules will replace the ePrivacy Directive of 2002 and will go beyond regulating just cookies and ad tracking, it will apply to all electronic communications. It is proving tricky to finalise at the moment as not all member states agree on the extent to which it should be applied, so the earliest it is likely to become law is 2025.

So the next year is yet again going to be an interesting one in terms of GDPR and other data protection laws – we’ll keep you updated in the meantime on any major developments!

How can Qualifio help you with being GDPR compliant?

Interactive marketing is increasingly being considered as one of the best GDPR compliant ways for brands and media companies to collect first- and zero-party data from their audience. Consumers are more likely to share their data with a brand if they get something in exchange, results from a personality test for example, or the chance to win a great prize.

When creating an interactive campaign in Qualifio, brands can access the GDPR toolbox, to make sure that their campaign is compliant and ticks all the necessary boxes.

Find out how Qualifio can help with data collection by providing over 50 formats of interactive marketing campaigns that can be easily created and published.