The clock for when the General Data Protection Regulation (GDPR) comes into place on May 25 is ticking. But is everyone feeling confident in adtech? And how prepared are they? At The Drum and Sun Arms panel in London this week, John Mitchison, director of policy and compliance at DMA Group, Yves Schwarzbart, head of policy at IAB, Jessica Douglas, GDPR services leader at IBM and Somer Simpson, product lead at Quantcast gathered to give their views.
Here are the three main takeaways.
DMA’s Mitchison said the elusive nature of the legislation is not instilling much confidence in people right now, because of its ‘principles based’ proposition.
“Everybody can interpret guidance in their own way. It means that when you get two people in a room with slightly different advertising propositions then they may well do things quite differently,” he explained.
He added: “I don't think anybody can really say they are GDPR 'compliant'. They can say they are GDPR 'ready' which is as good as anyone can be. It will only be further down the line where we iron out some wrinkles."
IBM’s Douglas joked that the May 25 deadline will be massively underwhelming when it finally comes around.
“Honestly nothing will happen on the actual day. Even when the regulators start reacting, it will take weeks or months before anything is enforced. If you are sensibly planning for this, don’t get too hung up by the deadline.”
But this does not mean everyone should just bide their time to see who falls first, added Quantcast’s Simpson. “The people who are waiting around to see who is going to be the first to be fined and how it’s going to be worked out in court is probably not the best stance to take.”
Data minimization objective has been lost
IAB’s Schwarzbart reminded every one of the main reason GDPR was formulated in the first place – to minimise the creation of personal data. He said this piece of legislation is a “missed opportunity” and even schizophrenic in some places.
“If you look at GDPR’s journey, the irony is that more personal data will be created in order to comply with the legislation – and that was never it’s intention,” he argued. “And even the true advocates of GDPR don’t really talk about data minimization anymore.”
Quantcast’s Simpson is more optimistic, saying she does not find the legislation that complicated. She thinks its elusive nature will come to fruition over time.
“We are just going to keep evolving over time until we get to a place when the law balances the needs of everyone.”
ePrivacy directive could makes things difficult for adtech
But if GDPR is perceived as draconian, the ePrivacy directive is set to go even further. The regulation, which focuses on electronics such as storage, browsers and processing techniques, is set to require additional compliance. DMA’s John warned that this directive could make things much harder for everyone in adtech.
“It’s going to most likely be a year before the ePrivacy directive is ready. But some of the privacy advocates for GDPR who did not get their way are putting all their energies into this one and the current draft insists on consent for everything - which could make things very difficult for adtech.
IAB’s Schwarzbart added: “What is often lost is what compliance post May 25 looks like. There is a perception that we could wait to see what happens to e-privacy because it's a year away or maybe longer than that.”