Digital Publishing
4 mins read

Three years on: Is the GDPR having the impact it promised?

Put in place to protect consumer privacy and bring regulations up to speed with the fast-evolving, data-powered digital landscape, the 2018 introduction of the GDPR sent shockwaves through the industry at a time when publishers were still trying to successfully transition from traditional to online editions. The new rules forced publishers to rethink their entire approach to their readers’ experience.

As we reach its third anniversary, the impact of the GDPR is up for debate – recently, one of its founders Axel Voss called for an overhaul of the policy to improve data privacy in a post-covid world – with many businesses, including publishers, still confused about the best ways to manage compliance without negatively impacting online experiences or monetization strategies. Meanwhile, some big platforms are seemingly getting away with ignoring the rules, which for many others remain unclear.

So, is enough being done to ensure compliance with the regulations and support those trying their best to operate within them? We spoke to a selection of experts from across the media industry to find out more and source best practices that publishers could implement now.

The rules are too complex for many to thrive

In the three years since its implementation, organisations have been striving to achieve compliance while grappling with a multitude of other industry challenges. For many, the result is a potentially negative impact on user experience.

“Over the last three years GDPR has done much to shape subsequent rules and regulations about how data can be collected, traded, sold, and stored. However it remains a complex law for publishers to understand and thrive under in a global landscape,” explains Sivan Tafla, CEO, Total Media Solutions. “This is especially true with the update to the law this year when publishers that previously traded data between the UK and any EU member state will have to meet additional requirements starting June 2021.”

Adding a CMP should not be seen as a silver bullet for compliance

Sivan Tafla, CEO, Total Media Solutions

“GDPR has made cookies toast and consent management platform (CMP) messages another thing for users to scroll and accept or decline blindly. But adding a CMP should not be seen as a silver bullet for compliance. Publishers should be looking to hire or empower a data specialist in-house to identify which choices their users need to know about based on how they are trafficked. With the demise of the third-party cookie, consent and ID could merge into a clear user choice which is clearly presented upfront, not layered and obfuscated by different parties which confuse the user.”

Confusion and a lack of clarity endures

As a result of this complexity, and a lack of clarity from those enforcing the rules, “many UK businesses have been confused about how to confidently implement a data privacy policy,” suggests Steve Carrod, Co-Founder and Managing Director, DMPG. “This is largely due to unclear guidance from the UK’s ICO and the complex information it provides around how it is regulated in the UK. To date, the ICO’s communication has often been contradictory to what the European Data Protection Board (EDPB) says on different cookie types.”

Carrod continues to explain how this contrasting advice has left many companies trying to find their own balance of compliance and customer experience: “In principle, over the last three years, GDPR has advocated for better consumer privacy protection, but for many businesses here – that haven’t received robust guidance from the ICO – the best course of action has been to take a pragmatic approach and ensure that their customers’ privacy is at the heart of their customer strategy.”

“Businesses that are still struggling to understand and comply with differing privacy regulations should make themselves familiar with these, but also offer customers transparency, choice, and flexibility when it comes to personal data privacy concerns. Businesses need to really consider whether they should share any data with third parties and when they do, to ensure an explicit opt-in criteria is in place. They must demonstrate that their consumer engagement is based on respect of privacy preferences, with a compelling reason provided for why data is being collected about consumer behaviours, as well as the option to opt-out, or opt-in, regarding 3rd party cookie tracking. This approach should provide protection from regulators and strengthen ongoing customer relationships.”

Rule breakers feel little impact

Agreeing with Carrod, Hiran Patel, Chief Product Officer, Hybrid Theory feels more needs to be done for the original goals of the GDPR to be met. “Three years on, regulators must do more to enforce GDPR,” he explains. “In principle, the regulations were a positive step forward in addressing rights and trust for consumers. Jurisdictions around the globe are debating and introducing their own privacy regimes, where the GDPR is often cited as a hallmark example. In reality, they mean nothing unless regulatory bodies across the EU and UK enforce the law to stamp out rogue actors and companies.”

As a result of poor enforcement mechanisms and low fines, companies are indirectly incentivised to break the law and take a risk based approach. This puts law abiding companies who strive to be compliant at a competitive disadvantage.

Hiran Patel, Chief Product Officer, Hybrid Theory

“Regulatory bodies need to be funded and take more decisive action to catch up with the principles set forth by the reality of GDPR compliance and ultimately do more to enforce the law when it’s broken. Only then will regulations have an equal impact for all companies and consumers to level the playing field. For the GDPR to be a success it must take a page from financial industry reforms and introduce criminal penalties, as seen with Sarbanes-Oxley, and enforce oversight mechanisms akin to Dodd-Frank. There’s a lot to be done before the GDPR can affect the change it originally promised.”

As the GDPR regulations continue to evolve, it’s clear that there is some way to go before the industry is aligned on what they really mean and how they should be implemented. As we fast approach another industry turning point – the death of the cookie – we’ll need to keep a close eye on progress and make sure our privacy provisions reflect these. One thing that is clear is that the whole industry is still finding its footing when it comes to GDPR compliance.