GDPR: Where Are We Four Years Later?
Data privacy is a complex issue for most organizations, and it has been made even more complicated by legislation such as GDPR. Today, four years after GDPR went into effect, I thought it would be useful to look at the state of data privacy in the United States.
I recently had the opportunity to sit down with privacy expert Brandon Glantz, senior director, global privacy operations at NBCUniversal. Among other duties, Glantz is responsible for implementing the requirements of GDPR and operationalizing them – finding ways to practically apply the law across NBCUniversal’s data landscape.
While he joined NBCUniversal after GDPR came into effect, Glantz was able to offer some insight into how the multinational mass media and entertainment corporation was impacted by the legislation.
In Europe, Glantz told me, data privacy is a fundamental right; when it comes to digital trackers, consumers are opted out by default. In the United States, consumers are automatically opted in. He explained: “At the end of the day, everyone has their own ideas about what is right for consumers, but nobody necessarily knows the answer. That’s because every consumer wants a different experience.”
Compliance can be a costly – and confusing – commitment. Let’s review the basics.
GDPR best practices
GDPR is the EU regulation governing how the personal data of individuals in the European Union (EU) is collected, used, stored, and protected. It applies to any organization, regardless of size or location, that processes the personal data of people in the EU in connection with offering goods or services to them or monitoring their behavior; the often-cited 250-employee threshold relates only to a limited exemption from record-keeping duties, not to whether the regulation applies. The enforcement deadline for full GDPR compliance was May 25, 2018.
Since then, GDPR has prompted significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. Not only that, but GDPR legislation has pushed the topic of data privacy to the forefront. But has that been enough to drive meaningful change in data protection?
According to Glantz, NBCUniversal has an advertising-based revenue model, so GDPR had some impact on the organization’s approach to engaging with European customers. “GDPR allowed us to revisit strategy so we could continue to find ways to engage with consumers – and find ways to provide them with the services they had come to expect from us, but in a more indirect way. Our compliance and marketing teams worked closely together to answer some tough questions, including: How do you expand email marketing and social media campaigns without using personal information?”
GDPR sets out seven fundamental principles (six data-protection principles plus accountability) that protect individuals' rights and guard personal data against misuse. Organizations must revisit each of these principles regularly to ensure compliance:
- Accountability: Are you doing everything you can to comply with GDPR principles?
- Accuracy: Is the data you’ve collected on individuals both accurate and up to date?
- Data Minimization: Have you only collected data that is necessary to perform the task the information is intended for?
- Integrity and Confidentiality: How do you always assure the security and privacy of personal information?
- Lawfulness, Fairness, and Transparency: Does all the personal information in your possession have a valid legal basis for processing, is it processed fairly, and are individuals told clearly what you do with it?
- Purpose Limitation: Was every piece of personal information collected for a specified, explicit, and legitimate purpose, and is it used only in ways compatible with that purpose?
- Storage Limitation: How long do you hold on to personal information?
When I asked him about some of the roadblocks around compliance with these principles, Glantz mentioned the following: “There was so much hype leading up to the GDPR deadline. Organizations all over the world went all-in as they prepared their data for compliance. However, when the deadline for compliance came around, nothing really happened.”
The sheer volume of data for regulators to monitor is overwhelming, so it would be reasonable to expect them to concentrate their efforts on only a small number of organizations that have raised a red flag in some way. Most organizations are not really evaluated or scrutinized, and they are simply continuing to build their own paths toward compliance.
According to Glantz, “This is causing a lot of fatigue in organizations that are pushing for compliance.”
Why do we need GDPR?
GDPR obliges organizations around the world to take data protection more seriously than ever before, primarily because their reputation now relies on it – and because the penalties can be severe: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
One of the ideas behind GDPR was to assure consumers that their data will not fall into the wrong hands. Consumer data and privacy is now considered a top priority by leading companies.
Said Glantz, “Data privacy legislation provides organizations with a fantastic opportunity to reevaluate their data strategy and governance. Short-term pains are paving the way for organizations to do better – to explore how they approach data sanitization, data strategy, and more. They will eventually be able to offer a more holistic experience to their customers.”
GDPR has brought some cost savings and improved efficiencies. It has forced companies to address archives of data and ask whether the information they have collected is necessary or fit for purpose. Data maintenance has therefore become a more active process that is managed regularly.
The GDPR has also encouraged organizations to assess the security of their networks and systems. Many have had to migrate to improved infrastructure, replacing old hardware with more capable (and more secure) devices and aligning with current and emerging generations of technology. While initially expensive, this has been offset by an improved user experience for employees that promotes greater engagement and productivity.
At an even higher level, GDPR has empowered the public. It has improved our trust in the emerging digital economy. By harmonizing data protection rules across the EU member states – and setting a benchmark that many other jurisdictions have since followed – it has allowed goods and services to flow more freely. Confidence between organizations and the public has increased.
What are GDPR compliance requirements in the U.S.?
Even if an organization is not physically located within the EU, it must still comply with GDPR if it processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior. GDPR reaches companies based in the U.S. because it is designed to protect the individual whose data is processed, wherever the processor happens to be.
I asked Glantz if GDPR changed the way NBCUniversal looks at data privacy in the United States. He said, “At NBCUniversal, we aim to do the right thing. So, while we need to make some changes here and there related to new data privacy regulations, we haven’t had any major roadblocks.”
NBCUniversal tends to separate its U.S. and European businesses effectively, so it was able to take a more targeted approach to GDPR compliance. And as U.S. data privacy law evolves, Glantz mentioned that the company has been able to take learnings from its European practice and replicate some of the best practices in the U.S.
Outside of GDPR, Glantz mentions the California Consumer Privacy Act (CCPA) of 2018 as one of the most impactful data privacy laws in the U.S. NBCUniversal used CCPA as a stepping stone to extend consumer rights to access, delete, and opt-out of the sale of their personal information across the U.S. because it was the right thing to do.
How can Skillsoft help with your GDPR efforts?
Skillsoft’s compliance solutions allow organizations to easily train employees to comply with regulations such as the GDPR. Our GDPR compliance training courses help employees understand their responsibilities in mitigating the risks surrounding GDPR – helping your organization to acknowledge and adhere to best practices.
Look at what your team can learn from Skillsoft on the topic of GDPR:
Compliance Short: GDPR: In today's data-driven society, organizations rely on the collection and processing of user data in ever-evolving ways. Employees working in these organizations share a duty to protect the rights of individuals' personal data, which includes complying with GDPR.
GDPR Compliance for Marketing: When conducting marketing activities, organizations must follow GDPR’s standards for collecting and using the personal information of customers and prospects. This course addresses compliance with GDPR in the areas of generating leads and collecting contact information; profiling and data enrichment; sending direct marketing messages; selling or sharing data; and ensuring the protection of individual rights.
GDPR Short: Generating Leads and Collecting Contact Details: Customers are the key to your company’s success. When conducting marketing activities, you must follow laws and regulations pertaining to the information you collect and use about customers – both existing and potential. This course covers the key best practices for ensuring compliance with GDPR when generating leads and collecting and using contact information.
GDPR Short: Individual Rights: GDPR specifies what companies can and cannot do with the personal information they collect and use while ensuring that individuals retain control over their personal information. This course covers the specific individual rights under GDPR to help ensure personal data is protected.
GDPR Short: Online Advertising: The quantity of personal data available online provides limitless marketing potential, but companies must ensure that their use of that data is legal. This course covers key best practices for ensuring your online marketing activities are GDPR-compliant.
GDPR Short: Profiling and Data Enrichment: Collecting and using customer information to inform your marketing activities is a significant factor in remaining competitive, but you must do so in ways that respect your customers’ rights under the GDPR. This course covers key considerations to keep in mind when using profiling and enrichment services to ensure GDPR compliance.
GDPR Short: Selling or Sharing Data: Contact information, shopping habits, and product and service interests are hot commodities to marketers. But selling or sharing that information must be done appropriately and legally. This course covers key considerations for selling or sharing marketing data in compliance with GDPR.
GDPR Short: Sending Direct Marketing Messages: Organizations rely heavily on direct marketing practices to keep customers coming back and to gain new ones. This course covers key considerations for sending GDPR-compliant marketing messages.
No matter what type of courses you’re looking to offer your employees, Skillsoft provides organizations with the necessary technology and training to manage their compliance obligations within an ever-evolving regulatory landscape.