GDPR is coming, but nobody knows how it will be enforced

The deadline for Europe’s sweeping reforms to data protection is looming, but many marketers are still none the wiser on how those rules will be enforced.

The General Data Protection Regulation may be a universal law for the European Union, but that doesn’t mean it will be applied equally. After all, 28 different countries will handle enforcement. That means Germany, for example, is expected to be tougher on enforcement of GDPR than elsewhere on the continent given data protection is conducted at a state level. Conversely, the U.K. has traditionally been the member state to push back against any overtly data-privacy regime that could impede global trade.

The cross-border differences have left some companies confused as to what to do; some are considering country-specific strategies, while others like AppNexus mull a strategy for Europe as a whole. That there is still such trepidation over how GDPR will be enforced in eight months is emblematic of its ambiguities.

“When it comes to how the law is going to be enforced on foreign companies we are still awaiting guidance [from regulators],”said Nathalie Moreno, a partner at law firm Lewis Silkin. “I’m often asked how the regulators are going to enforce it, and my guidance is that there are some data-protection authorities that have a culture of fining and will continue to do so, while there are others that have more of a business-friendly approach, and they will carry on enforcing in that way.”

The issue came up at a Direct Marketing Association event last week and was also raised weeks before at Dmexco, as the industry tries to spot the gap between the letter and spirit of the law. Executives at both events were worried that enforcement of the GDPR will be superficial if its regulators don’t have the resources to detect most offenders.

“We think because they [regulators] don’t have more staff to deal fairly [with each case], they will [target] symbolic cases, and some of that enforcement may be arbitrary and unfair,” said Townsend Feehan, CEO of IAB Europe, at Dmexco.

One advertising executive recently met with several senior marketers from big brands to discuss GDPR and said the “big shock” to them wasn’t the hefty fines imposed by regulators if they broke the law; it was the damages they could suffer from class action suits.

The Information Commissioner’s Officer in the U.K. plans to recruit 200 additional staff to take its total number to around 700 over the next three years. The regulator is already working with the British advertisers’ trade body ISBA to clarify ambiguities in the GDPR that have left many brands unsure of how it will be enforced. Seven in 10 companies do not feel marketers in their organization are fully aware of the extent of the GDPR, and just 65 percent expect to be fully compliant when it comes into force next May.

Discussions at the DMA’s event backed the findings, with some attendees debating between sessions as to whether data watchdogs could properly enforce the regulation outside of the EU. One visitor mused that companies would move personal information to servers in regions like Latin America, where they believe it would be difficult for the organizations like the ICO to enforce.