Griffith College’s Steven Roberts looks at what companies need to think about as we approach the five-year anniversary of the GDPR.
The General Data Protection Regulation (GDPR) will mark its fifth anniversary on the 25th of May this year. While many aspects of the regulation are still to be fully realised, it has had a profound impact on consumer and business awareness both within Ireland and across the EU.
Its influence has also been felt further afield, in the many new national, regional and local laws introduced around the globe as legislators respond to demands from their own populations.
More than €1.6bn in GDPR fines were issued during 2022. Technology firms have been at the forefront of the regulation’s enforcement, with eye-watering penalties issued by Ireland’s Data Protection Commission (DPC) and other European supervisory authorities.
In a number of cases, companies have also had to significantly adapt their processing activities. It is timely, therefore, for Irish tech companies to consider some of the key data protection trends they must be mindful of in 2023.
Fines capture most media headlines. However, some of the most fundamental effects of supervisory authority decisions can relate to amending processing activities. The DPC has made this point repeatedly in recent times.
For digital firms, this can have a substantial impact on their business models. Executive teams and their boards should ensure that this is reflected in their risk management and profiling. It also emphasises the importance of data protection by design and default.
By using a data protection impact assessment (DPIA) at the outset of any potential data processing project, companies can assess potential privacy risks and implement appropriate mitigating actions.
It is difficult not to think that at least some of the high-profile breaches and penalties reported in recent years might have been avoided had such an approach been taken. Data privacy training for new and existing staff should place strong emphasis on the importance and use of tools such as DPIAs.
Third-party cookies are at the core of the global digital advertising ecosystem. Advertisers value the targeted audience data and performance metrics this technology provides.
However, significant opposition has emerged in recent years, driven primarily by privacy concerns. Firefox and Safari have already blocked their use. Google Chrome, the browser with the largest global share, has stated its intention to phase out third-party cookies sometime during 2024.
While Google has pushed back this deadline on a number of occasions, business leaders must prioritise the development of alternative strategies. One area of focus is the increased use of first-party data.
Technology firms embarking on such a strategy must be mindful of data protection implications; the use of a DPIA will form an important part in that process. Companies should also monitor developments in the potential introduction of a new ePrivacy regulation.
Increased use of AI technologies
According to Chiefmartec.com, there were nearly 10,000 marketing technology platforms available to communication professionals as of 2022. Many of these systems use some form of artificial intelligence.
In addition, ChatGPT has recently garnered considerable media attention and appears to present many opportunities for marketers and their businesses. The Government’s National Digital Strategy sets ambitious targets for the digitisation of Irish businesses, including that 75pc of enterprises will have a take-up in cloud, AI and big data by 2030.
As companies implement AI technologies within their operations, and introduce new AI-driven services for customers, it is paramount that the data protection implications are fully considered at the outset.
Certain aspects of the technology can be opaque, even to experts. Providing clear, transparent information to customers as to how their data will be used, and auditing this data on a regular basis, will be fundamental to maintaining reputation and trust.
A complex global ecosystem
In response to the GDPR, many countries have introduced new or updated privacy legislation. China, South Africa, Singapore and Brazil are just some of the nations that have overhauled their data protection regimes.
In the US, the California Consumer Privacy Act mirrors aspects of GDPR; however, many other states and local jurisdictions have also introduced their own laws. Companies operating internationally need to effectively navigate this complexity. Compliance is required both with the GDPR and with the local laws of each country in which the company operates.
Firms transferring data overseas must also keep track of what is a rapidly changing area. For example, the potential for a new EU-US Data Privacy Framework, replacing the invalidated Privacy Shield, would be welcomed by many Irish firms with operations in the US.
Businesses trading in the UK need to remain mindful of any potential changes to that country’s data laws (known as UK GDPR), which might impact on the current adequacy agreement that’s in place with the EU.
Technology firms should also take on board the impact of adjacent laws such as the Digital Markets Act, Digital Services Act and the proposed AI Act as the EU increasingly takes a leading governance role globally in the areas of data and new technologies.
The GDPR’s 99 articles cover a broad range of requirements. At their core lie the seven privacy principles and six legal bases for processing personal data.
Alongside this, companies seeking to be compliant should consider what might be called the ‘3T’ framework – placing a premium on transparency, maintaining and building the trust of consumers and stakeholders, and providing regular and ongoing training for their staff.
The global privacy ecosystem is likely to become more complex in the coming years, driven both by consumer concerns and the increased adoption of digital technologies by businesses. It is only by building a data protection culture at all levels within the organisation that businesses can truly aim to effectively implement the regulation and other relevant privacy laws.
Steven Roberts is group head of marketing at Griffith College. He is a certified data protection officer, vice-chair of the Compliance Institute’s Data Protection and Information Security Working Group and the author of Data Protection for Marketers: A Practical Guide.