Commentary

WFA Sounds The Alarm Bell On GDPR Preparations

The World Federation of Advertisers has issued a warning to adland today, claiming its research shows that 70% of brand owners fear the marketers in their organisation are not fully aware of the implications of the General Data Protection Regulation, which comes into force in the EU next May. 

Although there may be some solace in the finding that two in three (65%) believe they would be compliant in time for May's deadline, only four in ten (41%) currently have plans in place. Only one in four is in the initial planning stages. 

The WFA report paints a picture that the brands it represents are concerned that their own people -- and most likely executives in their agencies -- are simply not ready for GDPR and have a mountain to climb before they are. The big issue for these brands, the organisation reveals, is raising sufficient awareness of privacy issues internally to get a company up to speed with the new rules. 

The main challenge brands feel they are facing is "connecting the dots" between data held across the organisation with getting the right level of permission following up closely in second place. This means the top priority moving forward is to review permission and privacy policies. It's good news if you are a Data Protection Officer. Apparently, one in three organisations have already hired a DPO, and an additional one in three are in the process of doing so.

Just for good measure, the WFA has advised members that they need to work on permission being clear, informed, freely given and unambiguous, with a suggestion that legal teams are worked with to ensure that this happens going forward -- and that a decision can be made on the compliance of previously collected data. Children's data should have a particular focus because the age at which it is permissible to collect data will vary from between 13 to 16, depending on the country. Aim below the age limit for a country and you will need parental permission. Fail to get this and you're breaking the new law. 

The elephant in the room here, of course, is that the WFA is primarily an American organisation and as such, underscores the very basic point that GDPR affects not just the EU but any brand that intends to market itself to anyone in the EU. It's hard to think of any global brand that suddenly won't want to sell to Europeans, and so businesses across the world have to identify their EU databases and ensure that information stored on them has the necessary permissions to be used.

This is particularly relevant for the UK. The perennial question -- which the Information Commissioner's Office (ICO) constantly needs to answer -- is what happens after Brexit, whether GDPR will still apply and if not, whether we need to bother with being compliant.

The simple answer is that the UK will still be in the EU next May, and so by definition the new law applies. The more subtle question to ask straight back is: do you want to market to EU citizens post-Brexit? If the answer is yes, then you will have to be -- and then remain -- GDPR compliant. The final point, of course, is that the UK is unlikely to reverse GDPR.

Although there is likely to be a process in which EU laws are assimilated in to UK law with British names, such as the Data Protection Act 2019, it is highly unlikely that standards around permissioning will be significantly changed.

Next story loading loading..