With all the attention that the EU’s General Data Protection Regulation (GDPR) has received over the past year, one could assume that it is a completely new initiative; in fact, the GDPR supersedes an existing data-privacy law, the EU’s Data Protection Directive.
The Data Protection Directive was adopted in 1995, but it never received anywhere near the same amount of press as the GDPR. One of the main reasons for this is that the Data Protection Directive was just a directive, whereas the GDPR is a regulation.
The distinction matters: a directive sets a goal that each member state must transpose into its own national law, so the rules ended up differing from country to country, whereas a regulation applies directly and identically in every member state. The shift from directive to regulation therefore means not only that both the goal and the process of achieving it are unified across the EU, but also that companies that fail to comply face some genuinely harsh penalties.
The EU to AdTech and MarTech Companies: Comply or Pay Up
For years now, many companies, especially those operating outside of the EU, have taken a rather relaxed approach to protecting user privacy, while others have just been paying lip service.
However, AdTech and MarTech companies will no longer be able to hide behind empty statements like, “We don’t collect PII,” or “Of course we protect user privacy.” Beginning May 25, 2018, the GDPR will hold ALL companies that collect, store, transfer, sell, and use the personal data of individuals in the EU accountable, even if those companies have no establishment in the EU. Note that the test is where the data subject is, not their citizenship: the regulation protects people located in the EU.
Publishers, brands, ad agencies, AdTech and MarTech companies will need to implement a range of steps and update their policies to ensure they comply with the GDPR, and there really is no way around it. If you’re a US-based publisher using US-based AdTech platforms, and you profile or serve targeted ads to visitors who are located in the EU, you are monitoring the behaviour of EU data subjects, which is exactly what brings you and those AdTech companies within the GDPR’s territorial scope.
The fines for not complying are substantial: up to €20 million or 4% of the previous year’s worldwide annual turnover, whichever is greater, for the most serious infringements, such as not obtaining valid consent from users (i.e. data subjects) or otherwise breaching the basic principles for processing.
A lesser maximum of €10 million or 2% of the previous year’s worldwide annual turnover, whichever is greater, is reserved for less serious infringements, such as failing to notify the relevant supervisory authority and the affected data subjects about a data breach.
To put that into some perspective: if your company’s worldwide turnover from the previous year was €100 million, 4% of that is only €4 million, so the “whichever is greater” rule makes €20 million the ceiling for a serious infringement; a company with €1 billion in turnover faces a ceiling of €40 million. It’s important to highlight that these figures are maximums, not fixed penalties. Supervisory authorities set the actual amount case by case, taking into account factors such as the nature and duration of the infringement, whether it was negligent or intentional, and how the company cooperated, and where several infringements arise from the same or linked processing operations the total fine is capped at the amount for the gravest one.
Failing to comply with the GDPR, however, can cost your business big time well before you commit any infringements.
Lost Business Opportunities Will Come Well Before the EU’s Fines
Even if you view the GDPR as an EU-only matter and believe you can somehow avoid complying with it, that doesn’t mean your clients share the same opinion.
The fines listed above can only be applied after the fact, for example once you’ve been the subject of a data audit or had your data stolen, but not complying with the GDPR can hurt your company’s bottom line a lot sooner.
Smart companies have already started working towards becoming GDPR-compliant. Doing so is no easy feat, and companies that have spent time, money, and resources on compliance are not going to work with partners that are not GDPR-compliant and thereby risk hefty fines themselves. This is not just caution: the GDPR requires a data controller to use only processors that provide sufficient guarantees of compliance and to bind them by contract, so a non-compliant vendor becomes a liability the controller cannot sign. Potential and existing clients will then look elsewhere.
AppNexus has already started working towards becoming GDPR-compliant and has stated that it will stop working with partners that fail to comply with the new EU regulation. It’s only a matter of time before other companies start doing the same.
To remain successful post-2018, companies will have to show how their unique selling propositions (USPs) and their data-protection policies align with and comply with privacy laws; some may even choose to use their privacy compliance as a valuable selling point.
This may mean drastically changing how they do business now and investing in new, innovative ways to serve targeted ads that respect a user’s privacy and comply with laws like the GDPR. Although becoming GDPR-compliant will be challenging for every company operating in digital advertising, it could very well be the catalyst for innovation.