Everything You Need to Know About the GDPR. An Interview With Aurelie Pols. (Part 2)

Published: March 29, 2017 | Updated: August 24, 2018 | Category: Data Privacy & Security, GDPR

This is the second part of the Q&A with Aurélie Pols. To read the first one, click here.

What industries will the changes impact most and how will they affect them?

Unfortunately, I don’t have a crystal ball. Many industries have invested in data over the past years, therefore companies and their respective industry organizations are evaluating the consequences of this legal text on their data practices. Once the data companies collate can be traced back to individuals, the provisions of the GDPR apply.

My current estimation is that unregulated industries will probably be the most impacted as they might need to start from scratch. And while some industries are very data intensive, touching upon sensitive data types such as health, for example, they are often already regulated through US-based sectoral best practices such as HIPAA, the Health Insurance Portability and Accountability Act. For them, it will probably be more about a change in mindset and reinforcing certain current practices, tightening the scrutiny and the accountability related to their data practices, if you will.

It is interesting to see, for example, how venture capitalists (VCs) are starting to include into their risk assessments, when deciding whether to invest or not in new ventures, requirements related to the GDPR. This was unheard of less than 2 years ago. An app developer out of Bangalore, if addressing the EU market, will have to take this piece of legislation into consideration.

According to the EC’s press release of Jan 10, the changes in ePrivacy legislation will support innovation. How could they boost innovation?

ePrivacy legislation is mainly about 2 topics: 1. Confidentiality in communication for what is called Over the Top (OTT) service providers – think Skype, Google Hangouts, WhatsApp etc. 2. the question of cookies, unique identifiers, and what the consents might look like.


To me the first bit is first of all about “reasonable expectations” of privacy by consumers and the fact that while Telcos have privacy obligations in the sense that they can’t eavesdrop on your conversations, OTTs have not been bothered by these obligations.

In the mind of consumers, WhatsApp is probably not so much different than sending an SMS and yet there is a huge difference: Their parent-company, Facebook, can scan (and target) based on communication that flows through your WhatsApp, Skype, Gmail, etc., but regular Telcos cannot. That is not normal.

Having the same rule for all, independent of any legal distinction that was made through time, creates equal competition, which is usually considered positive for economic growth.

Another point I would really like to make is that while the rush for data and the underlying tools we have been blessed with ever since Hadoop came about has certainly brought about scale, this increasingly comes at the expense of data quality. We are therefore at the brink of replaying the moment in history when during the time of the grand data warehousing schemes, complaints started to emerge about “garbage in – garbage out”. Possibly the reasons for “garbage in” were not related to the same issues we know today, yet as citizens are starting to better grasp this entire data industry, they are also becoming more reluctant to share data about themselves. The trust in online, for example, be it search engines or ecommerce websites, is not exactly at an all-time high.

If anything, both the GDPR and ePrivacy are about reintroducing citizens into the data equation to foster trust, which in my opinion can only be beneficial to companies.

Businesses may worry that the changes regarding cookies and other tracking methods will skew their web analytics data. Are such misgivings valid?

It is interesting to see how web analytics has evolved through time and what it encompasses today: from pure site-centric audience measurement to improve forms conversion rates to the “data revenue generating business”, or the data brokers, as some actors call them. Such merging was introduced by the need to improve advertising spend through the introduction of programmatic. This development has also changed incentives. Today the value lies in the data, not the tools and the analytics services used!

Let’s imagine a publisher, whose audience measurement influences advertising revenue. There are safeguards in the law to make sure such revenue is not negatively influenced by legal obligations (see, for example, article 6 on lawfulness of processing). It is when it touches upon individuals, and revenue is generated through exchanging information or preferences about them, that certain GDPR rights, like being able to object to profiling, kick in (article 22 on automated individual decision-making, including profiling).

During the first discussions about ePrivacy back in 2009, before the current Directive was put in place, there were talks about generating a “cookie cliff” – a huge loss in traffic if explicit consent was required before tracking. This was brought about by the ICO, the UK-based Data Protection Authority, which is why the UK went for implicit consent: if you continue surfing, tracking is tolerated. The Dutch usually went the other way: explicit, affirmative action before any tag is triggered. It is too soon to tell how this will unfold, together with DNT requirements.

This will be part of the debates starting today around the proposed text for the ePrivacy Regulation, as ways to assure lawfulness of processing are a lot more limited than in the GDPR text. There are 6 ways in the GDPR where processing of personal data is lawful (article 6, paragraph 1 (a) to (f)). Only the first one exists in the current ePrivacy draft: asking for consent.

Seeing the list of people working on the ePrivacy, I imagine our industry will be asked to be more transparent and accountable while the fines foreseen by the GDPR are a lot higher. It is therefore essential to start building a sound privacy basis with the current GDPR and align with the ePrivacy text once it is agreed upon.

Again, as the online world has been plagued with issues of viewability and leakage, my hope lies in better quality of data, which is beneficial to advertisers. Honestly, who wants to be retargeted with the ads of shoes or holidays they have already bought or booked?

What might the repercussions of enforcing the DNT be? Who will win? Who will lose? What interests are at stake?

DNT is part of ePrivacy, not GDPR and it is about to be debated, if not as heavily lobbied, just like the GDPR saga has been for the last 5 years.

I just came back from Brussels where IAB Europe is at the forefront of finding solutions, resurrecting old W3C programs dating back quite a while. They are not there yet, but together with their GDPR readiness task force, it looks like they are paving the way for constructive debate and possible solutions.

If anyone wins in this debate, it will be, imho, the digital economy at large, as this can reinforce trust. It should also pave the way for more secure data transactions and exchanges, preparing for the upcoming Internet of Things deluge that is on our doorstep.

How should businesses prepare for the changes?

I typically break GDPR down into about 10 pillars for my clients. We then define who is responsible for these pillars within companies and get to work, using existing processes or building from scratch – depending on what is out there, what applies and what is required within the law. It reinforces security, we look at data flows and the liabilities within contracts and documents.

My hope also lies in better collaboration with Data Protection Authorities (DPAs). Being able to share the work with them as well as gather their thoughts about how the text is being interpreted and if this entire toolbox we are building falls within the spirit of the law would be ideal. As someone reminded me yesterday, in the end it will be for the courts to decide whether those fines can be enforced or not.

In the meantime, doing our homework and reaching out in a collaborative spirit should allow for the European Digital Single Market to take shape in the best way possible, taking into account the first article of the EU Charter of Fundamental Rights: “Human dignity is inviolable. It must be respected and protected”. After all, it is not only about the trust in data, but also about the trust in the companies we have chosen to buy from as we know they’ll handle our data with care.

This has been the last part of the interview with Aurelie Pols. Hopefully, we have managed to familiarize you a little bit more with the GDPR and shed some positive light on the imminent change. If you have any questions concerning the legislation and your organizational policies, we (Piwik PRO) wholeheartedly recommend Aurelie’s consultancy services. There is also some more input from her to come on our blog, so stay tuned or subscribe to our newsletter so as not to miss a thing!


Author:

Aurélie Pols, Contributor

A former Data Governance and Privacy Engineer with Salesforce (previously Krux Digital Inc.), a member of the European Data Protection Supervisor’s Ethics Advisory Group, a professor at IE Business School in Madrid, and an advisor to the International Association of Privacy Professionals (IAPP). A founder of a Privacy and Data Protection Consultancy, Mind Your Privacy.
