Digital Analytics & the GDPR: one year on — making sure you’re compliant

Cyril Mazeau
AT Internet
Jul 3, 2019

It’s a year since the GDPR was brought in, and it’s been a busy 12 months!

Following the Equifax data breach in 2017 and Facebook’s Cambridge Analytica scandal last year (as well as a host of other issues such as alleged election targeting and the latest Instagram database leak), data privacy and user consent have never been higher on the agenda.

Coinciding with International Data Protection Day on 28 January, further evidence came to light about the significant leak of highly personal web-user data by auction companies. Privacy regulators in Poland, Ireland and the UK were also urged to act against online ad auctions and the widespread misuse of personal info.

The recent complaints against real-time bidding in Belgium, Luxembourg, the Netherlands and Spain over the harvesting of personal data for ad-tech targeting allege that personal data is broadcast via bid requests “hundreds of billions of times” per day, and that data leakage is “widespread and systematic”. Meanwhile, the IAB’s GDPR transparency and consent framework failed on several counts last year, as it was clearly designed to further the interests of ad-tech companies and hinder publishers.

Claims have also been made that a significant number of companies are gathering private information and tracking users through EU government portals and public services, information that is destined to end up in the possession of data brokers both inside and outside the ad network industry.

According to Michael Veale, technology policy researcher at University College London, “Hugely detailed and invasive profiles are routinely and casually built and traded as part of today’s real-time bidding system, and this practice is treated as though it’s a simple fact of life online. It isn’t — and it both needs to and can stop.”

In the wake of these scandals and relentless breaches, has the GDPR had any effect at all?

Despite being labelled as a ‘transition year’ by CNIL’s Mathias Moulin, the first 12 months of the GDPR can be viewed as a positive first step towards privacy regulation. The CNIL’s €50M fine against Google Android (although a blip in the tech giant’s annual turnover of $136.8 billion) demonstrated the regulation’s muscle and flagged up the ongoing nature of the “wide-scale and systematic” breaches of personal data privacy. The GDPR also set in stone what constitutes personal data and how it can be misused by applying a standardized notification requirement to the entire EU — significantly expanding the scope and our awareness of what types of breaches are occurring.

However, there is still a long way to go. Only a limited number of fines have been imposed on companies that fail to adequately protect their customers’ data: with nearly 200,000 breaches reported across Europe during the first year of the GDPR (almost double that of 2017), fines only ran up to €56M (€50M coming from Google).

The data protection authorities of several EU countries also need to harmonise the wide range of fines being handed out, according to the International Association of Privacy Professionals which hosted a retrospective panel on the GDPR’s first year in London recently. The panel is working on a matrix ‘toolkit’ for various watchdogs to give them a foundation for calculating fines in the future.

To get you up to speed, we’ve put together a guide at AT Internet outlining the major developments during the first year of the GDPR. By putting the regulation under the microscope as well as CNIL’s fine against Google, we aim to steer you in the right direction and show how working with AT Internet will guarantee that your digital analytics data is 100% compliant.
