This Saturday the 25th of May marks one year since the launch of the EU’s General Data Protection Regulation, which introduced new rules for how businesses handle consumers’ personal data.
We asked MEF Members from across the mobile value chain to share their thoughts on GDPR’s first year; how has the regulation impacted the mobile ecosystem and attitudes towards personal data among businesses and consumers, and what have been its major successes and failures?
Dr Piet Streicher, MD, BulkSMS
As a global SMS messaging provider we have seen how our efforts to ensure GDPR compliance have furthered our growth in the European market a year since GDPR came into effect. We have learnt several key lessons in validating or putting technical and organisational measures in place to meet our obligations to protect the processing of personal data.
The reality of GDPR is that clients in the United Kingdom and European countries now have a greater awareness of information security and data protection and demand technical and commercial assurances in this regard when signing up for our messaging services. Due to the nature of our global business, we have found that we need to educate and give additional assurances to our clients on the cross-border transfer of restricted data.
It seems that one of the successes of the media focus on the need for GDPR compliance among UK and European organisations has created an unintended consequence for global business: a hesitance to look to provider solutions where personal data may be processed outside of the European Economic Area (EEA) in a non-EU country. This despite the fact that GDPR regulations provide model contract clauses that set out appropriate safeguards to permit international data transfers.
Lastly, GDPR has provided us with a firm base to work from in preparing us for getting ready for the implementation of other GDPR-like regulations in other countries, such as the Protection of Personal Information Act (POPIA) in South Africa. The work we have done and continue to do on GDPR compliance has placed BulkSMS.com in a good position to take advantage of the new global era of data privacy.
Rafa Pellon, Partner, FAS Advogados
GDPR not only had a huge impact on the European Union and its geopolitics and approach to the tech industry but also on Latin America, where most of the countries are either on the verge of approving new laws inspired by it or updating their local privacy laws to englobe GDPR’s key dispositions.
Countries like Brazil, Mexico, Argentina and Colombia now have laws with GDPR-like provisions and their companies and citizens are discussing privacy as a key topic in their digital agenda.
Privacy has become an essential right in the digital era and addressing its relationship with digital security and human rights is now in the order of the day in the Latinean tropics.
Michael J. Becker, Managing Partner, Identity Praxis
It has been a year since the GDPR tsunami washed on to the world’s shores. And, even though the GDPR waters have yet to settle, there is no doubt that the world’s economic topography has forever changed.
In the wake of GDPR, countries like the United States have responded to the call to give individuals self-sovereignty over their data. California enacted the California Consumer Privacy Act, which is similar to GDPR and will take effect on January 1, 2020. Also, Washington State and the Commonwealth of Massachusetts initiated laws similar to GDPR to give individuals new rights and authority over their personal information. Washington State’s efforts appear to have stalled, but the Massachusetts law is still taking shape and is expected to take effect in 2023.
Industry titans have also responded to society’s demands. Facebook’s CEO is repositioning Facebook by publicly announcing that “The future is private;” also, Facebook is introducing new privacy-centric capabilities. Google’s CEO, Sundar Pichai, remarks that “privacy should not be a luxury good,” but rather an inherent part of every product and service. And Apple’s Tim Cook suggests that we’re faced with a privacy crisis, that people are not the product.
Prosperity is on the horizon. According to the UK Government, in a 2018 report authored by Ctrl-Shift, the efficiencies to be had from empowering people with control over their personal data could generate as much as $27.8 billion for the country’s GDP.
Organizations big and small should not be resigned to simply comply with the rules laid down by the GDPR and similar legislation. They should not be afraid to empower individuals and to give them control of their data. Rather, to thrive in the wake of GDPR companies should embrace change, adopt new systems, and overcome their challenges, and use this opportunity to re-configure their value chains, organizational systems, and business models, to innovate, and most importantly to refresh and forge new bonds with the people they serve.
Andrew Bud, CEO & Founder, iProov
In the late 1980s the European Community introduced – indeed imposed – GSM as the European standard for digital mobile communications. I was privileged to participate in the process. At the time, there was much concern about the exact choices made, stifling of innovation, costs to the consumer, etc. Other nations preferred to encourage several standards to emerge and compete. As we know now, GSM became a huge success, and was ultimately adopted worldwide.
By eliminating the hideous complexity of market fragmentation with a high quality solution, it created a global platform for growth in mobile communications. As we enter its fifth generation the original standard is now just a memory, but the benefits of this approach persist.
One year on from the introduction of GDPR, we can begin to see a rerun of this story. Its deployment in Europe has been fairly smooth, and where national laws have been enacted to fill in details, they have not been disruptive.
The elimination of broad national divergences has been a blessing. The fine regime is starting to show its teeth, but big class-action suits have not (yet) materialised. The consequences of Brexit are not (yet) apparent.
GDPR is also becoming a gold standard worldwide. Many customers outside Europe are happy to know their data processed in Europe is protected by the provisions of GDPR. Other countries, such as India and Australia, are looking at GDPR as a model for their own future regulations.
In the United States, once home to three mobile communications systems, data protection is becoming complex and inconsistent. Biometrics, for example, are being regulated by cities, such as San Francisco which recently banned face recognition, and by States such as Washington, Texas and Illinois. Vertical industries have their own rules – HIPAA, for example, applies some GDPR-like standards to healthcare data, and disparate Federal laws and the FTC regulate data privacy at the Federal level. Class action suits are in progress. There are growing calls for a more consistent, robust approach. Well, here’s one we cooked earlier that seems to work…
Dario Betti, CEO, MEF
It is one year after the GDPR implementation deadline – the new set of regulations that gave protection for customers’ own personal data in the EU. One year after and we count 56 million euro of fines and about 100,000 complaints (Source IAPP). In the grand order of things these are small numbers for the European Union. Should we be disappointed, or pat ourselves on the back for the good implementation? As often in these cases, the answer is more complex – a simplified version of the feedback from MEF members would read “that was just the beginning.”
The impact of GDPR will go beyond the series of checkbox lists and change requests that companies were frantically trying to meet last May. The more profound change will be the drawing of a new relationship between consumers, their personal data, and the companies collecting and processing it.
Overall, GDPR has not stifled innovation or brought customer experience to a halt. Nor has it brought the massive fines and intervention that some were expecting. It has not revolutionised the rapport between companies and data either. Large parts of this regulation are still left open to interpretation or at least to some guidance. All of these are not signs of ineffectiveness or failure, but of a staged, organic growth, that is only beginning.
GDPR has re-kindled a debate. Internationally it has sparked a series of similar frameworks. MEF members are engaging with the regulation and expanding on its interpretation. The post-GDPR period is proving to be an opportunity for some companies to build a competitive advantage: the MEF Global Consumer Trust Report shows that smartphone users have grown to mistrust how companies use their data worldwide, and they are now taking actions to protect themselves. The long-term sustainability of the personal data economy is directly linked to the ability of bringing trust back to this industry.
At MEF the discussions have never been more lively than in the last few months – this moment is the opportunity to shape the future, to influence large players and regulators, to collectively re-design the framework of Trust, Data and Personalisation. Come and join the debate.
Julian Saunders, CEO, Port
One year on and GDPR has certainly made an impact. The general level of expectation around privacy has risen considerably, for both businesses and consumers, and it needed to. As consumers, our trust in the use of our data, its security, and its portability, are all critical to the future success of our society.
So how have we done? Well, although the motives of GDPR were admirable, the inevitable consequences of rightly delivering the regulations in a principle-based format have meant that many organisations have been guided by lawyers and privacy professionals rather than by common sense and integrity. This has inevitably led to a ‘compliance’ led approach to GDPR. We are now inundated with excessive cookie banners and legalese, rather than clarity, and transparency.
The realisation that trust is critical in a personal data-driven world has not been lost on the international community. Countries around the world are moving swiftly to implement their versions of the GDPR and are looking to Europe for leadership. As the policemen of Europe perhaps it’s not surprising that our own regulator, the ICO, is leading the way for regulators across Europe and beyond.
Google has recently opened a privacy engineering hub in Munich and for a time, at least, Europe has a chance to lead the world in all aspects of privacy. But, like the dominant days of Nokia and Sony Ericsson in mobile, (remember those?) it’s all too easy for us to lose our position of leadership if we don’t invest and innovate at the levels seen in the US and China. A very difficult scenario to believe.
Amongst all the distractions and confusion of GDPR, one thing is already very clear. And that is that the future belongs to those brands who can be trusted to manage our personal data with integrity, security and transparency. The new battle lines have been drawn and battle has commenced.
Silvia Quaglierini, Data Protection Officer, Rdcom
Since the introduction of GDPR, we have enjoyed continual improvement, not only in response to a necessary regulatory adaptation, but also in taking the opportunity to assess the ability of the company to guarantee effective processes and protection of information and personal data.
This in turn has led to the establishment of medium and long-term security standards through the means of dedicated security training for all our employees within Human Resources.
There are still imperfections within GDPR, however, which need to be addressed in the light of the new regulation. The electronic communications sector should ideally benefit from a specific legislative consideration, which takes into account and respects its situation.
Among the provisions of the new regulation that should ideally be revised, we would like to highlight those concerning the relationship between the Data Controller and the Data Processor and the possibility for the latter to make use of additional and possible sub-processors only with prior authorisation from the Controller. This is a considerably limiting provision for the electronic communications sector, which often does not allow a pre-determination of the chosen traffic channels, unless limiting the competitiveness of the service offered by the provider.
We should also consider the absence of an organic discipline in the field of log data, which is of fundamental importance; for example regarding the principle of accountability, which requires the Controller to be able to demonstrate that the processing of personal data is effectively in compliance with the provisions of the new regulations.
We understand that these issues will be considered by the European legislator in the future, and we hope to welcome sectoral legislation as soon as possible.
Joakim Boalt, VP Messaging, Sinch
GDPR has, of course, raised awareness of the types of data that we use, its sensitivity and how, at the transport level, there is an impact on security and privacy via the use of grey routes. There is definitely more work to do here so that every link in the delivery chain handles data according to the privacy principles that GDPR enshrines, rather than through unenforced compliance statements or contracts.
The negative impact of GDPR has mainly been limited to smaller companies that hesitate to launch services for EU territories because the regulation is perceived as heavier and scarier than it actually is. Larger organisations tend to have scoped out what’s required, even if they might not have done all the work in ensuring they are compliant in reality (and not just on paper).
For GDPR to deliver on its promises, two things need to happen. Customers need to know what to do should they be so bold as to take an interest in their own personal data; how should they interact with businesses, how best to receive the answers should problems or questions arise. Businesses need to wake up and smell the coffee.
A simple question: do they even know exactly what personal data is stored? Can they detail the multitude of ways in which it’s used? When and how? Do they even know if they’re allowed to use it? Can they prove any of the above? Companies need to be open, transparent and honest, for their own sake as much as their customers’. By adopting such an approach, companies can strengthen their customer relationship while also mitigating the risk of perceived data misuse. But that’s not all – as it turns out, people do not object to data being used to provide better, more personalised and open services. We do however want to know what data these companies are holding, and why. I don’t think that is too much to ask.
There is a new dawn coming. Businesses must show a new level of respect for their customers, and their data. The first step is to know and understand what you hold. The second is to extend this understanding to customers. This new standard of transparency and openness will itself drive new forms of customer interaction, strengthening existing relationships built on mutual understanding and building trust between businesses, Customers and Regulators. Surely this can only be a good thing.
Shawn Brown, CEO, Trunomi
You cannot manage what you cannot measure. GDPR has come and gone, and without so much as a ripple in the commercial world. A perceived inability to enforce GDPR has allowed businesses to adopt short-term, band-aid solutions. With the police nowhere to be seen, these short-term approaches are rapidly becoming legitimised.
Regulated businesses are more inclined to find and implement robust solutions to GDPR that will both stand the test of time and deliver upon the principles codified by the regulation. Yet one year on, silence rings out, action remains to be taken, and a lack of initiative means companies have failed, or at the very least are yet to adopt fulsome solutions to the GDPR.
It is unfortunately likely to take some high profile data breaches in the messaging sector for consumer and enterprise customers to start asking the right questions of their suppliers. Part of the problem is that enterprise messaging is price sensitive and can involve long, convoluted supply chains with poor transparency, as companies scramble to offer the cheapest price for bulk messaging. As a result, only tier one aggregators that connect directly with mobile operators can offer guarantees on privacy, compliance and security.
We see GDPR-like regulations becoming a new global standard, adding compliance requirements for anyone trying to do business on a global basis. Sinch is very well positioned to follow the rollout of data protection or sovereignty laws due to the global footprint and extensive local presence that we’ve built up over the past 10 years.
Jean Shin, Director of Strategy & Content, tyntec
GDPR has easily become the most extensively and globally discussed law in history. While a great deal of the conversations around it were initially rooted in worry and doubt about its repercussions to business, overall, the regulation’s broader impact has been positive in a number of ways. Of course, individuals now have a much greater breadth of rights over their personal data and renewed peace of mind that their information is being adequately protected.
Beyond this, the law’s stringent consent rules have added some protection against spam on consumer messaging channels. It may take time for the volume of unwanted business-to-consumer communications to decline noticeably (especially for emails), but GDPR is certainly positioned to “scrub” messaging channels so that consumers are receiving communications only from companies with which they want to engage.
Businesses have benefitted as well. For one, their marketing lists have been narrowed to include only engaged, interested consumers. Further, it has bolstered trust, which has become a critical priority for board members in maintaining brand and reputational integrity. The framework GDPR provides can guide companies in developing policies that reinforce consumer trust. By upholding strong security and data protection, and adhering to a specific set of compliance guidelines, organizations can more easily demonstrate their commitment to customer privacy.
These positive results from the regulation have been widely recognized, so much so that we’re seeing similar regulations emerge in other regions. Countries around the world are creating or updating data protection laws in alignment with GDPR, and numerous states in the U.S. have either passed or introduced legislation to improve personal data privacy on a global scale.
Lee Suker, Market Development Director, Data Protection Officer, XConnect
GDPR is European but has had an impact globally. It is recognised as the data protection gold standard to be emulated. It is a central dialogue for many organisations. Questions are being asked by senior executives about data governance that were never asked before, the DPO role is increasingly recognised as a strategic post and consumers have a growing awareness of data empowerment. These are things to be celebrated!
Most companies are seeing the economic benefits of being prepared. They experience fewer breaches and therefore fewer consequences, which leads to higher trust with their customers and increased profits. However, I also observe a very polarised market and worry that GDPR may fail to meet its policy goals of protecting EU citizens because Capital, rather than democracy, is dominating the privacy debate.
As a consumer, I do not recognise any shift toward respecting personal agency by Google, Amazon, Facebook, Microsoft. Acquiring vast amounts of personal data has been normalised and my sense is that GDPR, in particular consent management, has legitimised these practices rather than curtailed them. Equally, I am left feeling cold about some mobile identity initiatives which will simply serve as a means of creating a ubiquitous tracker to deliver predictions and outcomes, furthering the cause of the existing flows of capital into surveillance which GDPR is attempting to curtail. However, whilst the biggest GDPR fines levied still only amount to a few hours of revenue, they are setting precedence.
To help build trust in our market we should be investing in certification schemes, such as ISO27001; increasing transparency and helping citizens understand the power and value of their data and meta-data they generate thus leaving them better equipped to exercise their rights effectively.
Florian Lichtwald – MD & Chief Partner Officer, zeotap
The harmonisation that the regulatory GDPR has brought to Europe has simplified the data protection panorama for European-based companies. The most commonly implemented approach for these companies has been to comply with the regulation not only in Europe but across the globe, making them a good global partner for advertisers that also have a global approach. On the contrary, smaller American-based organizations for example have had a tougher time expanding to Europe – resulting in some of those having to withdraw from the region altogether.
As a result, advertisers have also become much more conscious of GDPR when working with or selecting new external technology and data partners. They have started to question their partners in much more detail – to the point of involving their legal teams – to ensure they only work with fully GDPR-compliant ones. For companies, focusing on privacy is not a nice-to-have or optional anymore but has become a central success factor to close deals and do business across the EU.
On the other side of the coin we find the users. Some of them have felt annoyed since they care more about a smooth browsing experience than differentiated consent. They’ve been upset by regional filters e.g. blocking access to some US publisher websites from within the EU. Some other users have been reading everything in detail and have made differentiated choices. Only when they have a value added they will still agree to share their data. Finally, the last set of users have refused all data collection at the cost of the experience, annoyance of recurring pop ups, etc. eventually leading them to withdraw from certain online properties over time.
What I have no doubts about is that GDPR started a global trend that helps advertisers, publishers and the data economy to follow clear guidelines while keeping the protection of privacy of consumers in focus. While to some it might seem like a burden, you could also perceive it as a reasonable set of boundaries which needs to be followed to keep business interests and personal privacy in balance. We can see other regions following after Europe, such as the US with the new California Consumer Privacy Act, and Brazil with the new Brazilian General Data Protection Law (LGPD) – which are both coming into effect in 2020.