• by Ray Schultz , Columnist, November 27, 2018

Marketers are warily assessing the fact that GDPR is now six months old and not much has really happened.

Sure, there have been some rumblings against the obvious targets. For instance, groups in five countries have asked EU regulators to take action against Google for its alleged location tracking of consumers, according to a Tuesday report by Reuters. The search giant is already facing legal action in the U.S. over phone tracking, it adds.

“These practices are not compliant with the General Data Protection Regulation (GDPR), as Google lacks a valid legal ground for processing the data in question. In particular, the report shows that users’ consent provided under these circumstances is not freely given,” says the European Consumer Organization, according to Reuters.

And as we have reported, a group called Privacy International has filed complaints against Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian, asking data authorities to determine whether they are in compliance with GDPR.

But what about the micro scale — is anything happening?

Yes.  For one thing, an unnamed company was assessed with a fine of €20,000 for a hack that exposed email addresses and other data on roughly 330,000 individuals, JD Supra reports. The company reacted quickly, and cooperated with the authorities, for which it was rewarded with the relatively low fine.  

Then there was the €400,000 fine imposed by the Portuguese Supervisory Authority against a hospital that failed to protect patient data, JD Supra says. In addition, France has ordered Vectuary, an online ad network, to change its consent program.

This last action is troubling because the company has data on 67.6 million people. As TechDirt writes, “It’s hard to see how it could possibly confirm consent for the 67.6 million people whose data it holds.”

Meanwhile, there have been a plethora of new surveys that shed light on various aspects of GDPR. For example, a study released on Monday by Mazars and McCann FitzGerald, shows that 84% of Irish businesses feel they are compliant with GDPR. And 88% say they have correctly assessed their GDPR requirements.

Moreover, while 68% of businesses have found compliance challenging, 82% agree that GDPR is beneficial for individuals.

“Nobody said the road to GDPR compliance would be easy but most organizations have found it to be a worthwhile, albeit, at times painful, exercise in terms of information governance, something they may not have done otherwise,” states Paul Lavery, partner and head of technology & innovation, at the firm. 

It’s not clear whether UK marketers feel the same level of confidence, or are even bothering to comply A survey by Nesta found that 42% of UK consumers say they have received unwanted marketing emails and phone calls since GDPR was implemented, according to the Telegraph.

Indeed, 22% say they are getting more spam emails than they did before. Only 7% are receiving none.

And 62% feel they have no more control over the number of emails they receive than they did last May. This is especially pronounced among 16- to-24-year-olds.

This is happening despite very aggressive actions by Britain’s Information Commissioner’s Office (ICO).

The ICO announced on Tuesday that it has fined Uber £385,000 for failing to protect customer data during a 2016 cyberattack. 

According to the ICO, a series of avoidable security flaws exposed email addresses and other details on 2.7 million customers. The data was downloaded by attackers from a cloud-based storage system run by Uber’s parent company in the U.S., it says.

The ICO has even launched a probe of the Metropolitan Police Service for a database called the Gangs Matrix for use in fighting gang violence.

“The Matrix can be shared with local councils, housing associations, and education authorities,” the ICO writes. “And when shared, simply being on this database could lead to denial of services and other adverse consequences.” 

If the police aren’t even immune from such investigations, what chance do marketers have?