At the Digiday Hot Topic: GDPR event in May in London, we surveyed 22 companies on their readiness for the General Data Protection Regulation. Check out our earlier research on whether GDPR or the Facebook-Cambridge Analytica scandal will have a greater impact on how advertisers collect and use audience data here. Learn more about our upcoming events here.
- Over one-third of respondents from the survey were unsure if their company will be compliant with GDPR come May 25.
- Thirty-six percent of respondents said their company hasn’t hired anyone to help prepare for GDPR.
- Eighty-six percent of companies are renegotiating contracts in the run-up to GDPR.
- In a separate online survey of 29 Digiday+ subscribers, 52 percent said their companies held their first GDPR compliance meetings after the start of 2018.
- In a different online poll of 25 Digiday+ subscribers, 40 percent said regulators are most concerned with companies complying with the spirit of GDPR.
Companies procrastinate on GDPR compliance
GDPR is the new data privacy regulation put forth by the European Union that takes effect today. The law will change how businesses collect and use consumer data. If you just started hearing about GDPR, you’re not alone. Digiday surveyed 29 executives in an online survey in May about when their companies had their first meetings about complying with GDPR. Fifty-two percent of companies said their first GDPR meeting occurred after the start of 2018.
Companies just learning about their obligations under GDPR now face a race against time to avoid penalties from regulators. One attendee at the Digiday Programmatic Marketing Summit Europe in April said, “We’re a U.S. publisher and thought this wouldn’t affect us until about two weeks ago, and since then, there’s been a massive scramble.”
But being proactive about GDPR compliance may not have made much of a difference. GDPR was officially approved in 2016 with a two-year grace period before enforcement. However, many companies have been stuck in a holding pattern. Organizations such as the Information Commissioner’s Office were slow to release compliance guidelines, and the Interactive Advertising Bureau Europe didn’t release its official GDPR framework until April 25. Many are still unsure about what compliance looks like.
Half of companies expect to be GDPR-compliant by deadline
There is an air of uncertainty hanging over the GDPR enforcement deadline that many have compared to Y2K. At the Hot Topic event, 36 percent of respondents said they were unsure whether their company would be compliant with GDPR before the deadline. Just 50 percent said their company would be compliant, with one respondent admitting that while their company wouldn’t be ready by today, it would be by early June.
Ensuring compliance with GDPR is expensive, but spending a lot of money on compliance efforts doesn’t guarantee it. An anonymous attendee at the Digiday Programmatic Marketing Summit Europe recalled a conversation where a vendor “spent £8 million [$11 million] on getting its business GDPR-compliant, and it still [wasn’t] sure if they’d achieved it.” Regulators can fine noncompliant companies up to 4 percent of their annual revenues or €20 million ($23 million), whichever is greater.
Over one-third of companies haven’t hired GDPR help
Under GDPR, only certain companies, such as those that rely on systematically tracking user behavior online, are required to hire a data protection officer. This role can fulfilled by an external consultancy or through an internal hire. In the U.K. alone, it was estimated that there need to be 28,000 DPOs. Due to the high demand for DPOs and high salaries these roles command, over one-third of companies surveyed by Digiday have yet to hire someone to help with GDPR compliance. Many companies are relying on a mix of hires and internal talent. One respondent to the survey at the Hot Topic event indicated that in addition to hiring an internal privacy expert, their company is counting on its data science team to ensure requirements are meant.
As companies rush to comply with GDPR, they should be wary of those offering assistance. Many self-proclaimed “experts” are offering themselves as GDPR consultants to businesses. However, there are neither formal qualifications nor an accreditation process offered by the European Union or the ICO for GDPR consultants, meaning any such company working with an “expert” is doing so at its own risk. Several agencies, including Isobar, are rolling out consulting services for GDPR, and there is no shortage of vendors popping up, offering solutions that guarantee GDPR compliance.
It’s the thought that counts
It is unclear how stringently European regulators will enforce GDPR after the deadline. This has led many companies to believe complying with GDPR is more about abiding by the spirit of the law and making an effort to improve user privacy than rigid enforcement. Indeed, in a May online poll of 25 Digiday+ subscribers, 40 percent believed European regulators care most about companies complying with the spirit of the law.
Even if marketers start documenting everything they’ve done in an attempt to prove compliance, there’s no guarantee that would save them from potential fines. But as one attendee at the Programmatic Marketing Summit Europe said, “Showing you’re doing it [attempting to be compliant] is the best defense against [regulators] trying to attack you.”
Companies adjust contracts before GDPR enforcement
One method companies might use to demonstrate their efforts to comply with GDPR is by updating the contracts they hold with partners and vendors. Eighty-six percent of the companies surveyed at the Hot Topic event said they updated a contract to comply with GDPR.
Contracts have been a particularly contentious issue for some publishers. Many pushed back against GroupM, which sent an updated contract to publishers informing them that GroupM would stop bidding on their inventory if they did not sign the contract. GroupM has since rescinded the contract and said it will follow the IAB’s GDPR Transparency & Consent Framework.
Even if companies update their contracts, there’s still no guarantee that they will be compliant. Doug Chisholm, CEO at location-data measurement firm Rippll, told Digiday that the updated contracts are almost useless without technology that helps companies figure out which data to keep and which to delete.
David Beckham and ‘Carnitas’: How Frito-Lay’s World Cup marketing strategy served up celebs and regional snacking flavors
Frito-Lay wants to be front and center as the go-to snack brand during the World Cup. Here's a look at its strategy.
Why a feminine wellness brand is prioritizing its organic social media strategy
With strict content rules, data privacy regulations and tight budgets, a feminine wellness brand remains bullish on its organic social media strategy.
Why this non-alcoholic beverage brand focused on experiential, working with bartenders to boost brand awareness with a sober Gen Z
Bare Zero Proof wants to tap into younger consumers interest in non-alcoholic alternatives as sober culture has become more common.
SponsoredPublishers are adapting advertising strategies for a privacy-first world
Tina Iannacchino, senior publisher director, Seedtag So much of the attention around the death of third-party cookies and its impact on the digital advertising industry is focused on the implications for brands and consumers, which is far from the complete picture. The digital publishing industry in the U.S. is massive and set to be shaken […]
WTF is the difference between in-stream and out-stream video ads?
In August, the IAB Tech Lab issued guidelines that introduced a new distinguishing characteristic that separates in-stream and out-stream video ads
Why HelloFresh struck an ad deal with StreamElements to reach the gaming community
StreamElements’ plug-and-play interface creates a lighter lift for brands looking to reach the gaming community, eschewing the protracted negotiations and production time that can come along with brand partnerships with prominent individual streamers.