Posted: 21 Jun 2018 Contributor: Matthew J Fritschle
How Digital Advertising and Marketing Will Be Impacted by GDPR
Have you thought about your GDPR digital marketing strategy? Well, it happened; as of May 25, 2018, GDPR policies are in effect and organizations opting to ignore them are facing the harsh realities of noncompliance. For those out of the know, GDPR, or General Data Protection Regulation, is arguably the most comprehensive update to Europe’s data protection rules in the past twenty or so years.
The Ins and Outs of GDPR for Agencies
Seeing that the amount of personal data organizations collect has skyrocketed in recent years, the European Union (EU) decided to step in and do something about it. Their solution? Strict legislation that protects citizens from the mishandling of their personal data, which is any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
With the goal of holding organizations accountable of how the handle data, these new regulations replaced previous legislation like the Data Protection Act of 1998 and the 1995 Data Protection Regulation, and include 11 chapters and 99 articles that address how organizations, whether they’re a digital marketing agency or eCommerce giant, process and control personal data. Delving deeper, these regulations apply to anyone who handles EU data subjects, even if they’re in a totally different continent like the Americas.
Major GDPR Marketing Rules and Their Penalties
As we just saw, GDPR affects anyone who has their metaphorical foot in EU data soil. If you fall into this category, your organization MUST comply with the new rules or face very steep fines and penalties. What are these new rules, you ask? For one, organizations have to implement safeguards and data protection measures to protect data from being lost or exposed. Second, if you’re a public authority, if your company systematically monitors behavior at scale or if your organization processes judicial data relating to criminal convictions and offenses, your company needs to appoint a data protection officer (DPO) to inform controllers of any important regulations out there and to mitigate concerns.
Additionally, the privacy notices you’re used to ‘reading’ when signing up for a service have to be clear, transparent and unambiguous. In other words, when creating them, organizations have to make them as legible as possible and explain who will collect the data, what the purpose for collecting the data is, who will have access to the data and the like. Apart from this, opt-ins have to be modified to better comply with GDPR. For example, even though these are already in place, the new regulations make it clear that organizations have to include more details about what information can actually be shared and with whom.
As for the penalty for GDPR violations, companies can be fined on one of two levels:
- Lower-level violations resulting in a fine of €10 million, or 2% of the violator's worldwide annual revenue (whichever is higher).
- More serious violations resulting in a fine of €20 million, or 4% of the violator's annual revenue (whichever is higher).
More specifically, Article 83 of the GDPR defines ten major criteria> that authorities will use to determine fines:
- Did the offender meet the standards for data protection certifications?
- Did the offender cooperate with authorities investigating the data breach?
- What type of personal data was accessed due to the breach?
- Did the offender have a history of allowing such data breaches?
- Was the data breach due to the offender's negligence or intentional action?
- What actions did the offender take to mitigate the damage?
- What was the nature and extent of the damage caused by the data breach?
- When did the offender notify the regulatory authorities and the affected parties about the data breach?
- What preventative measures did the offender take prior to the data breach?
- What other mitigating circumstances were involved in the data breach?
Now let’s do a little math to see how a GDPR fine can affect your bottom line. As reported by Digital Guardian with Hilton Hotels’ 2015 data breach as an example, they (Hilton) were fined $700,000 by the New York Attorney General's Office for a breach involving data from 350,000 customers. Under GDPR, this $700,000 bill translates to a whopping $420 million — $2 per lost record before versus $1,200 with GDPR.
The Effect of GDPR Ad Targeting
As you can imagine, with GDPR online advertising is definitely affected. To illustrate, let’s consider GDPR programmatic advertising. Unlike when people do the buying and selling, programmatic advertising entails the use of technology to do so, and this requires A LOT of data. The thing is, GDPR requires advertisers to obtain active consent from customers, meaning that their access to data is quite limited when compared to the pre-GDPR days.
Additionally, because very few people actually consent to third-parties tracking their online behavior — something that’s needed for ad targeting, advertisers are going to need to focus on segments as opposed to specific individuals. That is to say that because GDPR doesn’t allow adding filters that narrow a target audience down to a single end-user, a broader approach is needed. For example, targeting men living in NYC who shop at H&M and who ride the subway, as there are many people who fit this description.
Similarly, GDPR is also changing how advertisers embark on retargeting campaigns because these usually involve tracking data in the background, without the user being fully aware of what’s happening. That’s not to say that retargeting is completely out of the picture; rather that advertisers need to be very specific about when and why they’re tracking data.
Who Wins with GDPR?
Reactions to GDPR have been mixed, to say the least. On the one hand, because it’s designed to help consumers, they’re pretty happy knowing that their data won’t be used inappropriately, such as with fishy pay per click advertising that somehow knows what’s in your head before you even think it. On the other hand, organizations aren’t too excited because they have to go back to the drawing board to figure out what data can be collected and what use it can be put to. In other words, online advertising and ad targeting now becomes GDPR online advertising and GDPR ad targeting.
The pros of GDPR, then, relate more to consumers. Remember, the whole point of GDPR is to offer users more control over their data and make the data collecting process more transparent, with the aim to make sure that they and their data are protected, and additionally that they have the right to a withdrawal of consent. While these things all equate to pros for consumers, they translate as cons to organizations because they now have to be MUCH more specific about the purpose of processing an individual’s data. As such, they have to be able to demonstrate without a shadow of a doubt that the processing is for legitimate reasons.
Even though the thought of mounting fines is enough to deter would-be GDPR offenders, the opposite should be enough for compliance. In other words, the benefits of adopting the new regulations because complying means higher levels of trust from both customers and investors.
Best of luck and, remember, if you need more info on GDPR and how to comply, feel free to get in touch with us and we’ll help you out!