The General Data Protection Regulation or GDPR will celebrate its second anniversary on 25th May. The Regulation generated a significant amount of media coverage in the run up to its introduction. Since then it has continued to maintain a high profile in business and general media, driven partly by the key role played by Ireland’s Data Protection Commission and the occasional eye-watering fine. Marketing and communications professionals spent a considerable amount of time preparing for GDPR. In this article, we will look at some of the learnings from its first 24 months.
Accountability is one of the key principles of GDPR. Companies must be able to demonstrate their ongoing compliance with the Regulation in a tangible way. This can take many forms. For example, putting in place clear retention policies for how long your business or department stores online and offline data. Another is ensuring written contracts are in place with all third party processors of personal data. In some cases, this work was completed in the run up to the Regulation’s introduction but may not have been revisited since then.
One key way PR teams can respond is by identifying a data protection champion within their department or business unit. In larger companies, this person can act as a liaison with compliance and legal teams, whilst also keeping team colleagues updated on latest developments and best practice.
From a communications perspective, consumers are significantly more aware of their privacy and data protection rights than was the case pre-GDPR. This is clearly seen in the Data Protection Commission’s 2019 annual report. A total of 7,215 complaints were received last year, representing a 75% increase on 2018 figures. Data breach reporting, meanwhile, saw a 71% increase for the same period.
Transparency and trust are key to every brand’s reputation. Communications teams and the companies they work for will come under more pressure to demonstrate transparency in how they obtain and process personal data. The negative implications from a data breach, both in terms of reputational damage and fines, means this should remain a high priority for firms over the coming months and years.
Data protection is the responsibility of everyone within a business. Contrary to popular perception, it is not purely the remit of legal and compliance teams. Ongoing training at all levels is important for a number of reasons:
The potential for large fines – up to €20 million or 4% of global turnover – was hyped by media in advance of GDPR. It helped focus many businesses on compliance. After a cautious start in 2018, supervisory authorities have again made headlines. Britain announced its intention to fine British Airways £183 million (€210 million) for a data breach affecting half a million of its customers. Google was issued with a €7 million fine by the Swedish authority in March, for not complying with the right-to-be-forgotten.
The Data Protection Commission (DPC), one of Europe’s most high profile supervisory authorities, has faced criticism from some quarters, notably German regulators, for its perceived slowness in issuing fines under GDPR. With 23 separate statutory inquiries underway, it is likely this will change during the course of 2020. Commissioner Helen Dixon has given clear indications in recent interviews that substantial fines may be pending.
Since GDPR’s introduction, many countries have drafted new privacy legislation. In the US, for example, the California Consumer Privacy Act took effect at the start of this year; lobbying continues for a federal law. This makes compliance more complex, and is an ongoing challenge for marketing and communications teams with a multinational presence.
Within Europe, there remains considerable variance in certain aspects of privacy. For example, the British, French, German and Spanish authorities take different approaches to best practice use of web cookies. The Irish Data Protection Commission launched its own guidance on 6th April, with a six-month grace period to comply. PR and communications professionals are strongly recommended to familiarise themselves with these guidelines, given the short lead in time.
Data is one of the core resources of the 21st century digital economy. For this reason, data protection and privacy legislation have become increasingly important. They form a key component in ensuring consumers and the general public have trust and confidence in how companies obtain and use their personal information. The coming years are likely to see additional laws, as legislators cope with the complexities of machine learning, big data and artificial intelligence technologies. Those firms that place emphasis on data protection best practice will be well placed to thrive. As the voice of the customer, communications and marketing teams must ensure data privacy remains a priority with our organisations.
Steven Roberts is Head of Marketing for Griffith College and a certified data protection officer. He is the author of the forthcoming book ‘Data Protection for Marketers: A Practical Guide’, which is due for publication by Orpen Press this summer.
Thank you for your interest in the PRII Media Sourcebook which is available to full PRII members (MPRII & FPRII) and Life Fellows of the Institute. Affiliate, Associate and Student members of the PRII may purchase discounted access to this online edition.
Thank you for your interest, this resource is available to PRII Members only. To learn about the full range of membership benefits please click the button below.
