Digiday Research: How companies prepared for GDPR

Companies just learning about their obligations under GDPR now face a race against time to avoid penalties from regulators. One attendee at the Digiday Programmatic Marketing Summit Europe in April said, “We’re a U.S. publisher and thought this wouldn’t affect us until about two weeks ago, and since then, there’s been a massive scramble.”

But being proactive about GDPR compliance may not have made much of a difference. GDPR was officially approved in 2016 with a two-year grace period before enforcement. However, many companies have been stuck in a holding pattern. Organizations such as the Information Commissioner’s Office were slow to release compliance guidelines, and the Interactive Advertising Bureau Europe didn’t release its official GDPR framework until April 25. Many are still unsure about what compliance looks like.

Half of companies expect to be GDPR-compliant by deadline
There is an air of uncertainty hanging over the GDPR enforcement deadline that many have compared to Y2K. At the Hot Topic event, 36 percent of respondents said they were unsure whether their company would be compliant with GDPR before the deadline. Just 50 percent said their company would be compliant, with one respondent admitting that while their company wouldn’t be ready by today, it would be by early June.

Ensuring compliance with GDPR is expensive, but spending a lot of money on compliance efforts doesn’t guarantee it. An anonymous attendee at the Digiday Programmatic Marketing Summit Europe recalled a conversation where a vendor “spent £8 million [$11 million] on getting its business GDPR-compliant, and it still [wasn’t] sure if they’d achieved it.” Regulators can fine noncompliant companies up to 4 percent of their annual revenues or €20 million ($23 million), whichever is greater.

Over one-third of companies haven’t hired GDPR help
Under GDPR, only certain companies, such as those that rely on systematically tracking user behavior online, are required to hire a data protection officer. This role can fulfilled by an external consultancy or through an internal hire. In the U.K. alone, it was estimated that there need to be 28,000 DPOs. Due to the high demand for DPOs and high salaries these roles command, over one-third of companies surveyed by Digiday have yet to hire someone to help with GDPR compliance. Many companies are relying on a mix of hires and internal talent. One respondent to the survey at the Hot Topic event indicated that in addition to hiring an internal privacy expert, their company is counting on its data science team to ensure requirements are meant.

As companies rush to comply with GDPR, they should be wary of those offering assistance. Many self-proclaimed “experts” are offering themselves as GDPR consultants to businesses. However, there are neither formal qualifications nor an accreditation process offered by the European Union or the ICO for GDPR consultants, meaning any such company working with an “expert” is doing so at its own risk. Several agencies, including Isobar, are rolling out consulting services for GDPR, and there is no shortage of vendors popping up, offering solutions that guarantee GDPR compliance.

It’s the thought that counts
It is unclear how stringently European regulators will enforce GDPR after the deadline. This has led many companies to believe complying with GDPR is more about abiding by the spirit of the law and making an effort to improve user privacy than rigid enforcement. Indeed, in a May online poll of 25 Digiday+ subscribers, 40 percent believed European regulators care most about companies complying with the spirit of the law.

Even if marketers start documenting everything they’ve done in an attempt to prove compliance, there’s no guarantee that would save them from potential fines. But as one attendee at the Programmatic Marketing Summit Europe said, “Showing you’re doing it [attempting to be compliant] is the best defense against [regulators] trying to attack you.”

Companies adjust contracts before GDPR enforcement
One method companies might use to demonstrate their efforts to comply with GDPR is by updating the contracts they hold with partners and vendors. Eighty-six percent of the companies surveyed at the Hot Topic event said they updated a contract to comply with GDPR.

Contracts have been a particularly contentious issue for some publishers. Many pushed back against GroupM, which sent an updated contract to publishers informing them that GroupM would stop bidding on their inventory if they did not sign the contract. GroupM has since rescinded the contract and said it will follow the IAB’s GDPR Transparency & Consent Framework.

Even if companies update their contracts, there’s still no guarantee that they will be compliant. Doug Chisholm, CEO at location-data measurement firm Rippll, told Digiday that the updated contracts are almost useless without technology that helps companies figure out which data to keep and which to delete.