GDPR five years on: can regulation keep up with innovation?

It’s been half a decade since GDPR changed the way marketers view data privacy, but is the regulation dated – and is DPDI coming to the rescue for the UK now that it is out of the EU? PMW speaks to the experts to find out.

Half a decade ago, to ensure a level playing field for the fair and reasonable treatment of individuals’ personal data across Europe, businesses within the continent had to ensure their practices complied with a new set of regulations – the General Data Protection Regulation (GDPR).

Since its inception, GDPR has forced an overhaul in how people’s personal data is treated, and organisations have been punished for non-compliance – most recently with Ireland's Data Protection Committee issuing a €1.2bn fine to Meta under GDPR law, the biggest penalty to date for a breach of the rules.

John Kirk, Chief Strategy Officer at Team ITG, believes that although businesses have overcome some initial trepidation, GDPR needs to be flexible to remain relevant in future.

He says: “All companies should now have mechanisms, privacy policies, and data governance processes aligned with the GDPR's requirements.

“Moving forward, for GDPR to remain effective there needs to be increased consistency of definitions and frameworks with multi-market, rationalised standards. This could also include the ability to centrally control one’s own data sharing across multiple platforms backed by Web3 technologies. Also, the utilisation of AI technologies to help govern, manage, and protect both consumers and companies at the point of data origination.”

Marrying GDPR with DPDI

From departing the EU in 2020, to the impending introduction of the Data Protection and Digital Information (DPDI) bill, the business environment GDPR was introduced to in Britain has changed dramatically.

As DPDI uncouples the UK somewhat from the rest of Europe, what does this mean for the future of marketers who trade in the UK under GDPR? Especially as the EU still needs to judge organisations' use of data under DPDI as ‘equivalent’ to GDPR. And how complex will it be for organisations to implement DPDI alongside GDPR? Some marketers believe not very.

Chris Combemale, CEO of the Data & Marketing Association (DMA UK), is confident the DPDI’s reforms will improve upon GDPR. He says: “GDPR has reshaped the global data privacy ecosystem for the better, benefitting both consumers and businesses – with consumers increasingly willing to share their data as trust levels rise. However, there are still important improvements to be made through the DPDI’s reforms.

“With additional clarity in key areas of the legislative text, particularly around the use of legitimate interests for marketing and less administrative burdens on small businesses, the UK can supercharge data-driven innovation and economic growth, while maintaining GDPR’s robust privacy protections across the UK.”

Despite GDPR, brands and advertisers are still relying too heavily on personal data

Niall Moody, Chief Revenue Officer at Nano Interactive, doesn’t share Combemale’s optimism surrounding consumer trust but believes the DPDI bill will help strengthen GDPR and even rectify some of its shortcomings. He also warned brands and advertisers against an over-reliance on personal data.

He says: “GDPR was designed to give consumers more control over their personal data and to protect their privacy, but it is clear that five years later there is still huge concern around how data is being used. In fact, 70% of UK consumers are regularly taking steps to hide their personal data online to protect their privacy.

“This goes to show that despite GDPR, brands and advertisers still rely far too heavily on personal data, and they will be increasingly left behind if they continue to do so. Google has now confirmed it will begin disabling third-party cookies in Chrome next year. Businesses and advertisers need to do more to respect consumer privacy, embracing longer term alternatives that will be more palatable to online audiences than outdated people-based targeting.”

Is GDPR keeping pace with innovation?

It’s not uncommon for regulation to fall behind innovation, and opinions among experts are divided as to whether or not GDPR has been able to remain fit for purpose.

With emerging tech like the metaverse and generative AI creating some opacity around interpretation of GDPR, particularly surrounding their influence on data sharing, clarity is something marketers need to demand.

Paul Thompson, Country Manager at Seedtag, says: “Though there have been stumbling blocks around implementation costs and the still work-in-progress question of consent frameworks, we can thank GDPR for a more transparent data ecosystem that gives consumers control over their information and holds companies accountable for its misuse.

“But as robust as GDPR has been, it has not been able to keep up with the breakneck progression of generative AI, which has further compounded concerns of data provenance and usage rights. The complexity of the cookie era is a drop in the ocean compared to the sheer scale of data swallowed by machine learning models, along with the dire consequences of the unchecked internal biases and “hallucinations” these models can produce. With so much at stake, we cannot afford for a “GDPR for AI” to take as long at the drawing board as GDPR did.”

Chris Hogg, Chief Revenue Officer at Lotame, is more optimistic about GDPR’s chances of keeping pace with AI, and less concerned about the timeline for new legislation, suggesting that regulators are already keeping organisations accountable.

He says: “The maturity of the privacy-first data market in Europe makes it well positioned to handle complex questions being raised over the provenance and ownership of data used by generative AI. Regulators are already matching bark with bite — as seen in the temporary ban of ChatGPT in Italy — and I expect there will be AI legislation taking shape by the year’s end.”

Lucia Mastromauro, UK Managing Director at WPP company Acceleration, adds: “GDPR set a good base and much needed standards for privacy in the digital advertising industry, meaning the established players had to evolve significant parts of their solutions to operate within a privacy-first paradigm. Now, new AI capabilities have supercharged industry players and enabled marketers to take advantage of privacy-centred solutions at scale.

“Data modelling powered by machine learning, for instance, can plug the gaps left by limited data collection, while predictive AI can use businesses’ historical and observable data to forecast customer behaviours. With these capabilities, marketers are able to make even more impactful, data-driven decisions that boost a business’ bottom line.

“Responding to GDPR has been somewhat painful at times, but a highly positive journey as a whole, and it will be exciting to see how AI will continue shaping the industry’s approach to upholding data privacy.”

“A growing sense of complacency around data privacy in some areas”

Although many believe GDPR has been widely adopted, and subscribe to an “if you haven’t jumped aboard already, then you’ve missed the boat” approach, some allege that 10% of marketers are unsure that GDPR applies to them.

This calls into question the enforceability of GDPR and should prompt marketers to consider if complacency is a potential pitfall for a hefty fine, as Meta found in Ireland late last week.

Paul Coggins, CEO of Adludio, says of this news: “With Ireland's Data Protection Committee recently issuing a €1.2bn fine to Meta under GDPR law, it's clear that the bodies responsible for GDPR's implementation are eager to show they are serious about consumers' privacy rights.”

Daniel Pike, Chief Product Officer at Covatic, says: “There seems to be a growing sense of complacency around data privacy in some areas, fuelled perhaps by a perception that enforcement will only apply to the most egregious of breaches.

“Five years on, businesses, large and small, must continue to value the protections afforded by the GDPR – and be prepared for future changes, as legislation evolves and adapts to changing culture, mindsets and dynamics.

“Moving forward, we’ll likely see privacy credentials becoming a competitive differentiator, as companies recognise the importance of going above and beyond what is required by current legislation; raising public awareness, resetting norms and expectations and creating space for further protections.”

Joanna Reynolds, Managing Director of Bordeaux & Burgundy, adds: “From the company perspective, GDPR has been difficult to navigate and incredibly costly to businesses to be compliant. The guidelines and rules are still to this day incredibly misunderstood by businesses, leading to many falling short of being fully compliant despite investing in GDPR consultation and platforms.

“Looking ahead, it’s important for regulators to assess the impact GDPR has had on businesses and individuals, and to look again at its effectiveness against the cost and inconvenience to companies.”

Sjuul van der Leeuw, CEO of Deployteq, concludes: “Despite a much better understanding of GDPR, fines persist as companies grapple with the rising tide of cyber threats, fraud, and data leakage. In future, a generally recognised guideline, which does exist for some sectors but not all, would help in making mutual contracts and agreements.”