It has only been a week since the GDPR became law, and we need to start this week’s discussion with a simple question. How many of you thought the GDPR was only about the privacy policy change emails and subscription notifications we have received over the last few weeks? Well, that was just the beginning.

As soon as the sun came up last Friday, May 25th, privacy activist Max Schrems – and his None of Your Business (NOYB) non-profit organization – filed complaints against Alphabet Inc (Google) and Facebook. A few days later, lawsuits followed totaling $8.8B. Schrems is also planning to begin the same process with Apple, Amazon, and LinkedIn.

Max Schrems, an Austrian lawyer, has successfully battled Facebook over its handling of personal data over the last few years. Because NOYB has non-profit status, it is able to file complaints on behalf of EU citizens (Chapter 9, Article 80).

What is the basis of the complaints?

The GDPR states that companies cannot rely on ‘forced consent’ when using consumers’ personal data. A customer’s personal data can only be used for the service for which consent has been granted.

Simply stated, if a potential EU buyer submits a lead inquiry through a broker’s website that targets EU citizens, and the broker automatically enrolls them in a monthly newsletter subscription or a targeted marketing campaign, this would be considered “forced consent”. The EU buyer did not consent to their email address or other personal data being processed for additional marketing activities (Recital 32).

By contrast, the GDPR does provide a provision for enrolling the EU buyer in a ‘just listed’ notification, because there is a legitimate interest in building and maintaining a client relationship related to delivering goods and services prior to a contract (Recital 47).
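One way a broker’s lead-intake system could enforce that distinction in code, as an added example that is not part of the original post and not WAV Group’s own code: every processing step is gated on a recorded lawful basis, and the audit log captures each decision. The Lead record, the Purpose list, the decision to treat ‘just listed’ notices as legitimate interest (following the post’s reading of Recital 47), and the constructed sample lead are all assumptions of the example.

```python
"""Purpose-bound consent gate for a real estate lead-intake flow.

Added example, not from the original post or WAV Group. The Lead record,
Purpose enum, legitimate-interest mapping and sample data are assumptions
constructed to illustrate the rule in the text: data collected with a lead
inquiry may serve the inquiry itself (and, under legitimate interest,
related 'just listed' notices) but not newsletters or marketing campaigns
the lead never opted into.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Purpose(Enum):
    LEAD_INQUIRY = "lead_inquiry"              # answering the inquiry itself
    JUST_LISTED = "just_listed"                # related listing notices
    NEWSLETTER = "newsletter"                  # monthly newsletter: opt-in needed
    MARKETING_CAMPAIGN = "marketing_campaign"  # targeted campaign: opt-in needed


# Purposes the broker may rely on without a separate opt-in under the
# legitimate-interest basis the post describes (Recital 47). This mapping
# is an assumption of the example, i.e. a policy decision made by the firm.
LEGITIMATE_INTEREST = {Purpose.JUST_LISTED}


@dataclass
class Lead:
    email: str
    # Purposes the lead explicitly ticked, with the time of the opt-in.
    consents: Dict[Purpose, datetime] = field(default_factory=dict)

    def grant(self, purpose: Purpose, when: Optional[datetime] = None) -> None:
        self.consents[purpose] = when or datetime.now(timezone.utc)

    def withdraw(self, purpose: Purpose) -> None:
        # Withdrawal must be as easy as granting; we simply drop the record.
        self.consents.pop(purpose, None)


class ConsentError(Exception):
    """Raised when a processing step has no lawful basis for this lead."""


def lawful_basis(lead: Lead, purpose: Purpose) -> Optional[str]:
    """Return the basis that permits processing, or None if there is none."""
    if purpose is Purpose.LEAD_INQUIRY:
        return "contract"  # responding to the inquiry the lead submitted
    if purpose in lead.consents:
        return "consent"  # an explicit, purpose-specific opt-in is on file
    if purpose in LEGITIMATE_INTEREST:
        return "legitimate_interest"
    return None


AuditEntry = Tuple[str, str, str]


def process(lead: Lead, purpose: Purpose, audit: List[AuditEntry]) -> str:
    """Gate one processing step on a lawful basis and record the decision."""
    basis = lawful_basis(lead, purpose)
    audit.append((lead.email, purpose.value, basis or "denied"))
    if basis is None:
        raise ConsentError(f"no lawful basis to use {lead.email} for {purpose.value}")
    return basis


def handle_inquiry(lead: Lead, auto_enroll: bool, audit: List[AuditEntry]) -> Dict[str, str]:
    """Simulate a broker's lead intake and return the outcome per purpose.

    auto_enroll=True reproduces the 'forced consent' anti-pattern from the
    post: the system tries to push the lead into the newsletter and a
    marketing campaign without a specific opt-in. The gate denies both while
    still allowing the inquiry response and the 'just listed' notice.
    """
    results: Dict[str, str] = {}
    steps = [Purpose.LEAD_INQUIRY, Purpose.JUST_LISTED]
    if auto_enroll:
        steps += [Purpose.NEWSLETTER, Purpose.MARKETING_CAMPAIGN]
    for purpose in steps:
        try:
            results[purpose.value] = process(lead, purpose, audit)
        except ConsentError:
            results[purpose.value] = "denied"
    return results


if __name__ == "__main__":
    # Constructed sample lead from a hypothetical EU buyer.
    buyer = Lead(email="buyer@example.eu")
    log: List[AuditEntry] = []
    print(handle_inquiry(buyer, True, log))
    buyer.grant(Purpose.NEWSLETTER)  # the buyer later ticks the newsletter box
    print(process(buyer, Purpose.NEWSLETTER, log))
    for entry in log:
        print(entry)
```

The point of the design is that consent is keyed by purpose, never by person: a lead with a newsletter opt-in still has no basis for a separate marketing campaign, and the audit list is what you would hand a regulator or use to answer a subject-access request.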

Havoc in the EU

Some media and blogging websites from the US and other countries have shut down access to their content from within EU countries. Others are preventing people within EU countries from registering online for subscriptions or for access to certain content.

Publishers like the Washington Post have posted a “premium EU subscription” model specifically for customers within the EU: a subscription that lets consumers experience the site with no on-site ads or third-party ad tracking. Of course, this model is available for a 50% premium over regular subscription rates.

Ad exchange and network volumes in the EU have plummeted since last Friday because European advertisers have moved a majority of their ad spend to a different platform. The winner here was Google, as competitors were having a difficult time showing that they were in compliance with the new regulation. Google spent the last 18 months updating DoubleClick Bid Manager for GDPR compliance and pushed the responsibility for consent onto publishers.

Economic concerns were echoed as well. Michael Gregoire, CEO of CA Technologies, spoke on CNBC regarding potential challenges with the GDPR, saying, “22% GDP on a global basis is primarily digital…if we don’t have rules of law and understanding of how digital moves from country to country and we are driving to the lowest common denominator, it’s going to stifle overall economic growth”.

Data-driven businesses are feeling the first hits from the regulators and their customers. Businesses that track consumer behavior will need stricter policies and practices to ensure they comply with the GDPR.

What are the next steps to begin planning on how to become GDPR compliant?

Determine whether the company is targeting EU customers through its digital media. Look for language on the website signaling “International” service, a price conversion tool on listing pages that converts US dollars to an EU currency, or an international dial code included in a phone number.

If you are targeting EU customers, then:

Audit and document where personal data exists in the corporate systems. This is not a one-time event; processes and procedures must be in place to keep the information current at all times.

Develop a roadmap to remediate non-compliant processes and protocols. The EU provides a Data Protection Impact Assessment tool to assist in planning how to become compliant.

Assign someone within the organization to be the Data Protection Officer (DPO). The DPO advises and informs your organization of GDPR requirements. Furthermore, they must monitor and enforce GDPR compliance from within the organization.

Establish technology and policies to ensure security and data protection are part of the organization’s culture. Train continuously, as that is what keeps compliance maintained throughout the organization.

Update the corporate privacy policy for GDPR compliance to:

  • define how you use personal data.
  • define how you provide personal data to others.
  • define how you use and process cookies on your public-facing website.
  • define how you use personal data in analytics.
  • define what rights the customer has in regard to their personal data.
  • define GDPR-compliant consent forms.

Only time will tell!

As with any new regulation, it takes time in practice to understand its impact on business. The GDPR is a shot heard around the world in privacy activists’ fight to control how companies use personal data. The data breaches of recent years have already given them full sails. We will have to see how this all shakes out.

In the meantime, do your due diligence and begin to review how GDPR affects your organization and plan accordingly.

The WAV Group published the “How Europe’s New Personal Data Rule Impacts Real Estate” white paper to help real estate companies get started.

WAV Group is happy to get on a conference call to walk your team through the GDPR. Contact Victor Lund, Marilyn Wilson, or David Gumpper to schedule some time. Firms may schedule a private overview for their executive team or board through Camilla Harvey at Camilla@WAVGroup.com.