GDPR is one of those acronyms you’re probably hearing a lot about at the moment. You’re no doubt receiving a high number of emails asking if you’re still happy to receive communications from a company and to be on their database. So what are the reasons behind this?
In 2016, the European Union passed the General Data Protection Regulation, which comes into force on 25th May 2018. GDPR defines the legal rights of EU citizens in relation to their data, and imposes obligations on the data controllers and processors who hold that data.
Under GDPR, organisations will find themselves in one of two categories: data controllers and data processors. Controllers are those who ‘determine the purposes for which and the manner in which any personal data are, or are to be, processed’, and processors are those (other than an employee of the data controller) ‘who process the data on behalf of the data controller’.
The definition of ‘personal data’ applies to any information that can be used to identify a person, either directly or indirectly. That includes a subject’s name, location, IP address or mobile device identity, and any organisation that holds the personal data of any EU citizen must ‘implement appropriate technical and organisational measures’ to protect that data.
Any organisation holding EU citizens’ data will need to tell you how your data will be processed. There are six lawful bases for processing, which are set out for organisations as follows:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).
As the 25th May deadline approaches, we’re sure you’re coming into contact with a number of different organisations who are communicating their own GDPR journey with you. This can sometimes feel overwhelming but it’s important to note that although organisations will communicate with you in different ways, they will all be working to the same lawful bases.
If you’re interested in learning more, we recommend consulting the Information Commissioner’s Office Guide to the General Data Protection Regulation.
Post-GDPR: What you may have noticed
Wednesday, November 14th, 2018
Since its introduction in May, the GDPR regulation has massively reduced the number of trackers that companies place on the internet and changed how our data is stored. After the flurry of emails we received in May, seemingly from every company we’ve ever had contact with, all seems to have gone silent. The reality, however, has been different. Behind the scenes, plenty has been going on.
Trackers include cookies and pixels, pieces of code embedded in websites that follow internet users around online in order to serve them personalised advertising.
Small trackers have lost between 18 and 31% of their reach, and the overall number of trackers on pages has reduced by 4% for firms in the EU. You might have noticed a slight drop in the number of targeted ads you’ve seen, but the change is likely to have been negligible.
For people who work in companies that use customers’ data, GDPR is likely to be remembered for creating a massive workload by forcing those companies to rapidly assess how they collect and store data. GDPR compliance means that consumer data has to be kept securely. It must be safe from hackers and thieves, and non-compliant firms risk fines from the EU of up to 4% of global turnover if a breach is found to have taken place. This understandably caused a headache for IT departments across the country.
Despite smaller firms’ loss of reach, the tech giants have still managed to track plenty about what their users do. Since the legislation came into force, Facebook’s trackers have declined by just 7%, and Google actually managed to increase its reach by 1%.
The fact of the matter is that GDPR has done little to prevent tracking by the tech giants. The likes of Google and Facebook have the money to invest in the most experienced lawyers and ensure that they can still collect as much data as possible. This data is what they use to generate much of their revenue.
It has hit smaller digital advertising firms the hardest: unlike the tech giants, they don’t have the budget to keep their trackers embedded deep in users’ lives without risking a violation of GDPR.
Google, which has entire departments purely working on GDPR and started preparing 18 months before its implementation, has been challenged by data privacy campaigners and could potentially face a so-called “mega fine”.
Its obsessive collection of location data could violate GDPR because it prevents users from giving informed consent. Google buries its location consent settings deep in its browser and apps, hidden under the ‘location history’ button, should you want to stop Google using your location to target ads.
So far in the UK, only one notice has been served under GDPR. This was to AggregateIQ, a Canadian analytics firm that worked for Vote Leave and was accused of processing people’s data for “purposes which they would not have expected”. It was paid almost £2.7 by Vote Leave to target ads at potential voters.
Since GDPR, complaints about potential data breaches in the UK have more than doubled and businesses widely report struggling to manage this extra burden. It seems that, so far, GDPR has created a lot of extra work without doing much to prevent the intrusive practices of large firms.