One year after the European Union introduced the General Data Protection Regulation (GDPR), how have the law and digital privacy affected news publishers?
Why it Matters:
Designed to update the privacy rights of internet users and ensure that organizations are transparent and responsible when handling customers’ personal information, GDPR went into effect in May 2018 just as data privacy and consent were topping the news after episodes such as the Facebook and Cambridge Analytica data scandal. Although the law was specific to the EU, because of the open and global nature of the internet, the impact was worldwide as publishers around the globe rushed to comply. One year later, what have the effects been, and what’s next?
This extended reach across the globe has led to some unexpected outcomes, writes Danny Palmer at ZDNet. He gives one example: “European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining the publication didn’t comply with the new legislation and blocked them out instead.”
But Palmer says that beyond the flood of emails asking for explicit marketing consent and notices on websites warning of the presence of third-party cookies, there is a bigger shift taking place. Consumers largely view this as an annoyance, rather than a regulatory shift to consumer control and visibility over their own data.
Yet GDPR is likely only the tip of the iceberg, as countries around the world, including Brazil, Japan, India and South Korea, look to implement their own, similar privacy policies. In the United States, the California Consumer Privacy Act is set to be introduced on January 1, 2020. Unlike GDPR, however, the California law doesn’t set a time limit for notifying consumers of a data breach, nor does it come with the prospect of fines for non-compliance.
Even so, it appears to already be having some effect on how the large companies of Silicon Valley operate. Google, Facebook and Apple are all talking about privacy and consumer data. “It’s possible that the introduction of GDPR has helped spur this change on, as companies like Google work to accommodate users becoming more aware about digital privacy,” Palmer says, adding that it’s within the realm of artificial intelligence that data privacy could have the most impact.
It’s one thing to talk about human-based data accumulation, even when those activities are automated. When we start discussing artificial intelligence, however, it becomes a whole new ballgame. Most AI-based algorithms rely on gathering and analyzing vast amounts of data, and it’s not always clear where that data came from or whether the individuals involved have given consent.
Emma Wright, commercial technology partner at law firm Kemp Little, says that the debate around ethical data collection practices is raging when it comes to AI. “AI allows the mass processing and analysis of data. In lots of areas, we’re suddenly looking for general counsels to be looking at the ethics of something, not just the legalities of something. It’s not how can you behave, it’s how should you behave.”
Minors and Data Protection
Another extremely sensitive area in this realm is that of children’s digital identities and the privacy surrounding that — which, rightly so, becomes much more of a security issue. The EU does not have an independent law that addresses the protection of children’s data; rather, some of its GDPR provisions warrant a higher standard to protect children’s data.
In the US, the data of minors is protected under the Children’s Online Privacy Protection Act of 1998. The International Association of Privacy Professionals (IAPP) published a Privacy Tracker series that looks at laws from across the globe, including COPPA, and matches them up against GDPR.
“The GDPR and COPPA were written with a different focus,” says Tay Nguyen of IAPP. “The GDPR has a wider focus on data protection for all natural persons. COPPA is narrower in its focus, prohibiting unfair or deceptive practices related to children’s data online.”
Vendors and Other Organizational Departments
Data privacy doesn’t begin and end with the publishers and websites themselves; the scope of responsibility extends to the security postures of suppliers and vendors, and the onus is on companies to ensure that they are compliant as well.
“Many organizations have a vendor management program in place, but the increased focus of outsourcing data processing makes it imperative and urgent that GDPR compliance is confirmed,” says Bob Bruns of Forbes. “Specifically, GDPR has five articles – Articles 28, 30, 32, 33, and 36 – that pertain to the responsibilities of third parties.”
Likewise, GDPR compliance isn’t just an IT issue within a company itself. Bruns says that companies can view this as an opportunity to help strengthen partnerships across other departments within the organization, such as human resources, legal and marketing. “Marketers, in particular, have had to undergo a shift in campaigning and data mining approaches and may need the help of legal, compliance or IT resources. Marketing should work together with other departments to make sure data is attained and managed properly, including customer consent and communication on how their personal data will be used.”
The Bottom Line:
The controls framework that helps a company ensure GDPR compliance can also uphold data protection principles and can be applied to all areas of the business. One thing that GDPR has accomplished is raising awareness about data privacy issues, though this is only the beginning of a much larger conversation about the overall ethics policies of internet technology and information.