One Year Later, A Conversation on GDPR

May 25, 2018 represented a sea change in the protection of personal data globally when the EU began enforcing the General Data Protection Regulation (GDPR). GDPR, which aims to enhance and harmonize data protection laws across the EU, continues to reverberate globally. To celebrate its first birthday, Adrian Whelan sat down with Emerald De Leeuw, CEO of EuroComply Data Protection Technology, to reflect on GDPR and to take stock on what’s changed, what remains the same, and the broader implications for asset managers. Here’s their conversation.

Adrian Whelan: So Emerald, time flies, it’s been a whole year since GDPR went live. How has the data privacy landscape changed since GDPR’s implementation in May of last year?

Emerald De Leeuw: The awareness of the questionable way certain organisations handle personal data has changed dramatically. This is not only due to the GDPR but also some very high-profile data breaches we have seen. Media reporting of data privacy is at an all-time high and the unthinkable happened last May when Google searches for GDPR overtook searches for both Beyoncé and Kim Kardashian (shocker I know!!).

An area we’ve focused on a lot in our firm is the effect that GDPR has had on marketing and product distribution efforts in financial services. Can you talk to us a little bit about that?

Financial services has been impacted by GDPR in an identical way to how it has affected marketing across the board: millions of annoying consent refresh emails were sent out just before May 25, 2018. There has been a misconception that GDPR solely governs rules on advertising. It is in fact the ePrivacy Directive 2002 that sets the general marketing standards, and this Directive has not changed. The only thing that changed is that the standard of consent needs to be GDPR-grade consent, and not to get too technical, but this means that the consent must be freely given, specific, informed, and unambiguous.

However, if you are marketing to existing customers or clients you may be able to rely on “legitimate interest” for your marketing activities. Be mindful you must meet all the requirements of the so-called “soft opt-in” to be able to do so. Organisations have become a lot more careful, lists have been purged, and there is a greater sense of awareness that if you annoy clients too much they will stop engaging with your business, or worse, could file a GDPR complaint. No one wants to be on the radar of the regulators.

GDPR was framed very specifically by EU policymakers to protect EU citizens’ data privacy rights in an increasingly digital and data-driven world. Has it delivered its desired outcomes for EU citizens?

To a degree, yes. We have had data protection laws for a long time, but they were largely ignored and outdated. The new regulatory framework with its principles and the fact that the GDPR is technology neutral allows for longevity. Furthermore, there is a self-enforcing element within the GDPR: data controllers are now responsible for their entire data supply chain. This means that a demand for such compliance gets baked into contracts globally. This quite obviously benefits European residents, but we are also seeing countries outside of Europe implementing similar laws. Most notably in the US with the California Consumer Privacy Act.

So, you suggest partial success. Which desired areas of GDPR still remain to be accomplished?

An effective way of getting real meaningful consent remains elusive. Consent under GDPR doesn’t really work online, particularly in advertising technology, as the chain of data recipients is very difficult to discern. This is as much an issue for asset managers as it is for online retailers. We need to figure out how to properly inform individuals without annoying them with popups that drive them to immediately click “I accept” without reading what they are consenting to.

I couldn’t agree more about the impacts of vendors who have been overly intrusive with their consent requests. Personally, that’s driven me mad at times. On another note, when you and I spoke last year before GDPR took effect, we speculated that GDPR would become the global standard for data privacy. Has that prediction proved correct?

Yes, it certainly has extraterritorial scope, which means if you target European residents with your product or services or monitor their behaviour you must comply. Also, for countries that wish to make it easier for their residents to do business with Europe, it is desirable to have free flow of data between them and to be considered a country that offers “adequate” protection. For example, Japan now has “GDPR adequacy”, which means data can flow freely between EU member states and Japan.

GDPR has influenced non-EU policy making on data privacy. You’ve already referenced Japan and California changes. Have there been others? What was the single biggest lesson learned from GDPR implementation in your opinion?

Don’t underestimate the time it takes to sort out your data processing legal agreements. And, sending constant consent refresh emails is a bad idea.

Your 2018 GDPR prediction proved spot on regarding global standards. What data privacy prediction or hot topic should we look out for in the coming 12 months?

Again, I think you should brace yourself for the California Consumer Privacy Act, as it works similarly to the GDPR. It has global reach, which means companies in the EU will have to comply with California state law if they fall within its scope. It’s not too dissimilar to GDPR in terms of what it requires, but it is yet another law to comply with. Since California is home to many of the world’s largest social media and technology firms, again this one will likely have global effect. This will have an impact on all companies with a Californian presence but also anyone who does business there, including non-US firms with US clients, since these requirements, as we know from GDPR, tend to impact the entire data chain of an organisation.

Getting back to the global view, are firms globally on the same page in terms of the GDPR implementation? How are EU vs non-EU firms engaging differently?

The same page? No, not at all actually. A lot of companies incorrectly believe that they won’t get fined if they aren’t established within the EU. Companies with a European HQ naturally are doing a better job.

I know you’ve been busy in your business but how have other businesses been impacted by GDPR?

The impact has been profound. We are seeing more jobs created, more new people joining the data privacy industry, and more companies looking at data governance as a competitive advantage as opposed to a mere compliance cost. There is value in being a data privacy friendly organisation, and there are career opportunities in the area of data governance globally that simply didn’t exist a few years ago.

As always, you’ve been a fountain of data privacy knowledge. Before I let you go, is there anything else you want our readers to know?

Yes, privacy and data protection are more than just the GDPR. We can all say that privacy is dead because we make more money that way; however, is a world without any respect for our boundaries really what we want? We don’t have to choose between innovation and privacy; we should be able to have both.

The views expressed in this material are those of the author as of May 24 and may or may not be consistent with the views of Brown Brothers Harriman & Co. and its subsidiaries and affiliates (“BBH”), and are intended for informational purposes only. Neither Brown Brothers Harriman, its affiliates, nor its financial professionals render tax or legal advice. Please consult with an attorney, accountant, and/or tax advisor for advice concerning your particular circumstances. BBH is not affiliated with Emerald De Leeuw.