Digiday Research: How companies prepared for GDPR
At the Digiday Hot Topic: GDPR event in May in London, we surveyed 22 companies on their readiness for the General Data Protection Regulation. Check out our earlier research on whether GDPR or the Facebook-Cambridge Analytica scandal will have a greater impact on how advertisers collect and use audience data here. Learn more about our upcoming events here.
- Over one-third of respondents from the survey were unsure if their company will be compliant with GDPR come May 25.
- Thirty-six percent of respondents said their company hasn’t hired anyone to help prepare for GDPR.
- Eighty-six percent of companies are renegotiating contracts in the run-up to GDPR.
- In a separate online survey of 29 Digiday+ subscribers, 52 percent said their companies held their first GDPR compliance meetings after the start of 2018.
- In a different online poll of 25 Digiday+ subscribers, 40 percent said regulators are most concerned with companies complying with the spirit of GDPR.
Companies procrastinate on GDPR compliance
GDPR is the new data privacy regulation put forth by the European Union that takes effect today. The law will change how businesses collect and use consumer data. If you just started hearing about GDPR, you’re not alone. Digiday surveyed 29 executives in an online survey in May about when their companies had their first meetings about complying with GDPR. Fifty-two percent of companies said their first GDPR meeting occurred after the start of 2018.
Companies just learning about their obligations under GDPR now face a race against time to avoid penalties from regulators. One attendee at the Digiday Programmatic Marketing Summit Europe in April said, “We’re a U.S. publisher and thought this wouldn’t affect us until about two weeks ago, and since then, there’s been a massive scramble.”
But being proactive about GDPR compliance may not have made much of a difference. GDPR was officially approved in 2016 with a two-year grace period before enforcement. However, many companies have been stuck in a holding pattern. Organizations such as the Information Commissioner’s Office were slow to release compliance guidelines, and the Interactive Advertising Bureau Europe didn’t release its official GDPR framework until April 25. Many are still unsure about what compliance looks like.
Half of companies expect to be GDPR-compliant by deadline
There is an air of uncertainty hanging over the GDPR enforcement deadline that many have compared to Y2K. At the Hot Topic event, 36 percent of respondents said they were unsure whether their company would be compliant with GDPR before the deadline. Just 50 percent said their company would be compliant, with one respondent admitting that while their company wouldn’t be ready by today, it would be by early June.
Ensuring compliance with GDPR is expensive, but spending a lot of money on compliance efforts doesn’t guarantee it. An anonymous attendee at the Digiday Programmatic Marketing Summit Europe recalled a conversation where a vendor “spent £8 million [$11 million] on getting its business GDPR-compliant, and it still [wasn’t] sure if they’d achieved it.” Regulators can fine noncompliant companies up to 4 percent of their annual revenues or €20 million ($23 million), whichever is greater.
Over one-third of companies haven’t hired GDPR help
Under GDPR, only certain companies, such as those that rely on systematically tracking user behavior online, are required to hire a data protection officer. This role can fulfilled by an external consultancy or through an internal hire. In the U.K. alone, it was estimated that there need to be 28,000 DPOs. Due to the high demand for DPOs and high salaries these roles command, over one-third of companies surveyed by Digiday have yet to hire someone to help with GDPR compliance. Many companies are relying on a mix of hires and internal talent. One respondent to the survey at the Hot Topic event indicated that in addition to hiring an internal privacy expert, their company is counting on its data science team to ensure requirements are meant.
As companies rush to comply with GDPR, they should be wary of those offering assistance. Many self-proclaimed “experts” are offering themselves as GDPR consultants to businesses. However, there are neither formal qualifications nor an accreditation process offered by the European Union or the ICO for GDPR consultants, meaning any such company working with an “expert” is doing so at its own risk. Several agencies, including Isobar, are rolling out consulting services for GDPR, and there is no shortage of vendors popping up, offering solutions that guarantee GDPR compliance.
It’s the thought that counts
It is unclear how stringently European regulators will enforce GDPR after the deadline. This has led many companies to believe complying with GDPR is more about abiding by the spirit of the law and making an effort to improve user privacy than rigid enforcement. Indeed, in a May online poll of 25 Digiday+ subscribers, 40 percent believed European regulators care most about companies complying with the spirit of the law.
Even if marketers start documenting everything they’ve done in an attempt to prove compliance, there’s no guarantee that would save them from potential fines. But as one attendee at the Programmatic Marketing Summit Europe said, “Showing you’re doing it [attempting to be compliant] is the best defense against [regulators] trying to attack you.”
Companies adjust contracts before GDPR enforcement
One method companies might use to demonstrate their efforts to comply with GDPR is by updating the contracts they hold with partners and vendors. Eighty-six percent of the companies surveyed at the Hot Topic event said they updated a contract to comply with GDPR.
Contracts have been a particularly contentious issue for some publishers. Many pushed back against GroupM, which sent an updated contract to publishers informing them that GroupM would stop bidding on their inventory if they did not sign the contract. GroupM has since rescinded the contract and said it will follow the IAB’s GDPR Transparency & Consent Framework.
Even if companies update their contracts, there’s still no guarantee that they will be compliant. Doug Chisholm, CEO at location-data measurement firm Rippll, told Digiday that the updated contracts are almost useless without technology that helps companies figure out which data to keep and which to delete.
‘Brands have really taken note of this interest’: How Sanctuary is partnering with brands as Gen Z, millennials seek out astrology content
This year, brands like McCormack, Venmo, Away, Benjamin Moore and Le Creuset have worked with Sanctuary to create custom branded content -- matching paint colors, spending habits or cookware to specific astrology signs, for example -- that’s then posted on Sanctuary’s Instagram page.
Member ExclusiveDigiday+ Research: The future of agency work is remote(ish)
The share of agency professionals who said they do not want to return to full-time office work has risen by more than 40% this year.
How esports org 100 Thieves will boost its M&A strategy with $60M in Series C funding
As esports organizations expand their offerings in search of a cohesive and profitable business model, the acquisition of new companies can help bring in fresh ideas and unique revenue streams.
SponsoredMarketing teams are revisiting brand suitability on social media in 2022
Brands and people want to know that social media apps are safe places to connect, free from exposure to harmful content. Brand suitability describes the practice of determining a particular brand’s tolerance of advertising alongside safe but sensitive content. Heading into 2022, brand suitability will continue to be at the forefront of the advertising industry’s […]
Myth buster: Misconceptions about the relationship between gamers and brands
With activity in the space ramping up, brands that are leery of getting involved in gaming could be leaving money on the table.
‘Time for a bigger advertising push’: Why hummus brand Ithaca is investing in OOH, radio now
By strategically placing the billboards outside of Wegmans in particular, Ithaca is hoping to get grocery shoppers to remember the brand when they are making their snack and dip purchases for football Sunday.