He told iTWire that on a global scale, "GDPR compliance might now help those who have been engaged in issues related to privacy (but have not always received C-level support) to operationalise their perspective". The data regulation came into force on 25 May 2018.
Dr Decker is responsible for Signavio’s overall strategic direction. A business process management expert, he is passionate about product innovation.
Before he founded Signavio, he worked for SAP and McKinsey. He holds a doctorate in business process management from Hasso-Plattner-Institute. He was interviewed by email.
Dr Gero Decker: The global impact of GDPR is now becoming more evident. Since its implementation, at least 10 countries outside the EU, including Australia, Argentina, and Brazil, have moved to implement similar rules. For advanced economies, updating their domestic legislation will be relatively straightforward. In some cases, countries are copying the GDPR almost word for word.
But spare a thought for less sophisticated and emerging economies. Here, companies must balance the need to access the EU’s market of 500 million customers with the pressure to support and encourage domestic innovation. Developing economies such as Uruguay and India have managed to devise comprehensive regulatory frameworks to meet the EU’s rules whilst also being sensitive to their own economic and cultural trajectory.
Let’s not forget, additional regulatory nuances have also added an extra layer of complexity for global companies that use subcontractors because previous laws did not cover the ownership of privacy data between a principal contractor and a subcontractor. With the GDPR, the main contractor is now responsible, so they need to be able to monitor all subcontractor activity.
On this global scale, GDPR compliance might now help those who have been engaged in issues related to privacy (but have not always received C-level support) to operationalise their perspective. Also, customer relationships can be strengthened when an organisation takes steps to improve data security and ensure customer privacy.
The future of GDPR global compliance isn’t about penalising organisations; it’s about protecting the consumer. It is about having the technology and expertise to make the critical principles of trust and transparency the bedrock on which you build your organisation - wherever you are in the world.
How well do Australian laws protect consumers' data rights and do you envision any major changes to Australian laws in this regard – i.e. our own version of GDPR?
The increased focus on digital privacy is part of a global trend, and it is great to see Australian businesses and the government recognise how important it is to offer sufficient data protection to remain globally competitive. The interesting thing is that this is taking place in a context where there seems to be a pretty significant difference in the aims of the Australian Privacy Act 1988 and the GDPR.
The Privacy Act is, in many ways, seen in Australia as a cyber security policy, helping businesses to understand their responsibilities in terms of governance, as well as providing the information they need to avoid penalties for a data breach. However, the GDPR is very consumer-focused and rights-based with the emphasis on a pro-consumer regulatory approach to what companies can do with data, as well as obtaining consumer consent, and so on.
As an example, there was powerful opposition to the 2018 Australian law designed to compel technology companies to grant police and security agencies access to encrypted messages. Critics listed wide-ranging concerns that the laws could undermine the overall security and privacy of users, something in total disparity to the GDPR.
However, there is a significant overlap between current Australian privacy laws and the GDPR too, meaning that Australian organisations are coming around to the view – albeit slowly – that customer data doesn’t belong to them; it actually belongs to the customer, and the business is just processing it for them.
Are some organisations simply pulling out of the European market in order to avoid the costs of complying with GDPR?
The GDPR may have only been in effect for a year, but EU member states have been far from inactive. Regulators around the world have steadily grown their staff numbers and expertise. As one example, the Irish Data Protection Commission has grown from less than 30 employees back in 2014 to 130 staff members in 2018, with plans for further expansion of staff and expertise in 2019.
This is especially noteworthy because many of the world’s biggest tech companies have their EU headquarters in Ireland, and the Irish DPC has a pivotal role in the implementation and enforcement of GDPR. This means that public complaints filed against companies like Facebook, Twitter, Microsoft, LinkedIn, and Google are under the purview of the DPC.
With this, we have certainly seen examples of companies ‘pulling the plug’. Almost overnight, organisations such as Drawbridge, Verve, and Klout quit the EU. Even Uber Entertainment, which makes online games, shut down its Super Monday Night Combat game because of the difficulty in deleting data from user accounts. This is why we are seeing a considerable upturn in the number of geographically coded consent pop-ups that appear across websites on EU IP addresses.
But, as I mentioned, Europe is a market of 500 million customers, and as companies bed down better in the GDPR, there is scope to transform operations and continue the extension of data and privacy rights already embedded within many business frameworks.
What was the biggest problem with the rollout of the GDPR and how could this be improved in future privacy regulations?
Information hysteria! As the deadline for the GDPR approached in 2018, there was growing industry nervousness, comparable to the feverish “Millennium Bug” hysteria, because of the hard-drop date bringing severe penalties globally. Business people were running scared, and the lack of clarity coming from European lawmakers made the situation combustible. Businesses were spending millions of dollars in preparation for the GDPR, "just in case".
In fact, I’ve seen figures quoting the average spend on GDPR compliance per global organisation at over $1.5 million.
So, there has to be a better global understanding of future privacy regulation implementation. Companies shouldn’t be left scrambling to implement new policies and procedures to bring their business in line with the updated laws.
Is consumer awareness in regard to rampant data collection and trading increasing with moves like GDPR and if so what does that mean for the AdTech and MarTech industries?
Consumer awareness is definitely increasing, and will further skyrocket. It is fascinating that the first infringement complaints arrived on the very day that the GDPR came into force, when the non-profit organisation noyb.eu presented four complaints against Facebook, Instagram, WhatsApp, and Google, for “forced consent,” i.e. forcing users to agree to new privacy policies.
Privacy policies may be updated, tools created to give users more control, and more ways adopted to request that data is deleted, but the GDPR is only now revving up for action on behalf of the consumer. The GDPR positioned data handling and privacy as a human right, and there is no turning away from our obligations under it.
For the AdTech and MarTech industries specifically, even though the regulation hasn’t quite had the impact that was predicted, there were several critical events in 2018 which showed that many data protection agencies are taking note and taking action. For example, the French DPA investigated an AdTech vendor for illegally processing user data based on invalid consent.
I further predict that as we increasingly move to advanced TV in 2019, so too will advertising dollars. But advertisers will face the challenges they always have, such as brand safety and fraud.