Commentary

GDPR Puts EU Ahead On Privacy -- Just Ask Facebook, CA And The WFA

The more you read, the more you listen, the more you realise that the GDPR was ahead of the game and will arrive just in the nick of time. Two major announcements this week underscore the point -- one from Facebook, and the other coming today from the World Federation of Advertisers (WFA).

The WFA's announcement for a marketing and advertising industry built around data transparency comes highly recommended through support from the likes of Unilever, Mars and Disney. It's a pretty simple, self-explanatory plan, but then the best proposals usually are.

The guiding philosophy is to only take the data that is needed, do so in a transparent manner that puts customers in charge and ensure that data transparency extends throughout the entire digital marketing supply chain. The end goal is to build an ecosystem that consumers can trust. 

Not sure about you, but this sounds very much like the aim of the GDPR, as well as the language being used around it. Giving consumers great control over who has and uses their personal data, with the right to stop or curtail it, is front and centre among the EU's intentions.

Which brings us neatly to Facebook -- which, regular readers will know, sells a lot of advertising in the UK and the rest of the EU, which is accounted for through its "base" in the lower tax economy of Ireland. 

Well, it has decided that the 1.5bn users in Africa, Latin America, Australia and Asia who currently fall under the remit of Facebook in Ireland will now be served by Facebook Inc., like Americans and Canadians. The very clear intent here is to not have to apply GDPR to these non-EU markets. There's nothing legally wrong in this, of course. It's pretty clear, however, that it's a way to avoid stricter privacy rules for people who are not covered by the law.

Which makes one realise that the GDPR, through Facebook choosing to avoid it where it possibly can, is a strong set of protections for EU citizens.

A point that, in my opinion, has not been made strongly enough about GDPR is that it protects sensitive data from being used unless clear consent is given. While consent for general personal information is an option alongside "legitimate interests," it is not for sensitive data. Only a raised bar on consent applies. That rules out a Cambridge Analytica-type app scraping political views of users and their friends. 

As for the WFA's welcome push for greater transparency, GDPR mostly answers these needs too. Only the data required should be taken -- it should only be stored as long as required and companies must be very clear about why they are taking data and what they are using it for.

The WFA extends the point by explicitly mentioning the digital marketing supply chain, but GDPR kind of has this covered too. This is why many digital advertising networks, data-gatherers and ad exchanges are expected to start anonymising data so a person can be retargeted without knowing who they are but with the knowledge that an anonymised web user is likely to be "in market" for a particular product or service.

The fact that the WFA is calling for this greater level of transparency is to be applauded. Digital marketing has no long-term future without greater trust that consumers will be protected as they swap their data for content and services. 

The point remains that despite the furore over GDPR, which has now died down to a subdued form of acceptance, we have to ask ourselves a simple question.

Was the EU ahead of the curve here? It's fortuitous that GDPR's introduction comes so soon after the CA and Facebook scandal, but its raising the bar on consent to be freely given and unambiguous with sensitive data seems to have eerily foreseen what can happen if a third party goes rogue with data on someone's political views, and those of their contacts. 

The fact that Facebook is restructuring its service to avoid offering this extra protection to 1.5bn users outside the EU speaks volumes.

So too does the drive the WFA is rightly calling for being pretty much encapsulated in what GDPR provides.

The new law took years of wrangling -- sorry, that should probably be debate -- and had a two-year window of warning. Even so, it looks like it's arriving just at the right time with the trumpet sound of the advancing cavalry assuring greater protection is on its way. 
