It’s only been a week since the GDPR became law, and we need to start this week’s discussion with a simple question. How many of you thought the GDPR was only about the privacy policy change emails and subscription notifications we have received over the last few weeks? Well, that was just the beginning.
As soon as the sun came up last Friday, May 25th, privacy activist Max Schrems – and his None of Your Business (NOYB) non-profit organization – filed complaints against Alphabet Inc (Google) and Facebook. A few days later, lawsuits followed totaling $8.8B. Schrems is also planning to begin the same process with Apple, Amazon, and LinkedIn.
Max Schrems, an Austrian lawyer, has successfully battled Facebook over its handling of personal data over the last few years. Because NOYB has non-profit status, it is able to file complaints on behalf of EU citizens (Chapter 9, Article 80).
What is the basis of the complaints?
The GDPR states that companies cannot use ‘forced consent’ when using consumers’ personal data. Customers’ personal data can only be used for the service for which consent has been granted.
Simply stated, if a potential EU buyer submits a lead inquiry from the website of a Broker that is targeting EU citizens, and the Broker automatically enrolls them in a monthly newsletter subscription or a targeted marketing campaign, this would be considered “forced consent”. The EU buyer did not consent to the processing of their email address or other personal data for additional marketing activities (Recital 32).
In contrast, the GDPR does provide for enrolling the EU buyer into a ‘Just listed’ notification because of a legitimate interest in building and maintaining a client relationship related to delivering services and goods prior to a contract (Recital 47).
Havoc in the EU
Some media and blogging websites from the US and other countries have shut down access to their content from within EU countries. Others are preventing people within EU countries from registering online for subscriptions or access to certain content.
Publishers like the Washington Post have posted a “premium EU subscription” model specifically for customers within the EU, which allows consumers to experience no on-site ads or third-party ad tracking. Of course, this model is available for a 50% premium fee over regular subscription rates.
Ad exchanges and networks in the EU have plummeted since last Friday because European advertisers have moved a majority of their ad spend to a different platform. The winner here was Google, as competitors were having a difficult time showing that they were in compliance with the new regulation. Google spent the last 18 months updating DoubleClick Bid Manager for GDPR compliance and pushed the responsibility of consent onto publishers.
Economic concerns were echoed as well. Michael Gregoire, CEO of CA Technologies, spoke on CNBC regarding potential challenges with the GDPR, saying, “22% GDP on a global basis is primarily digital…if we don’t have rules of law and understanding of how digital moves from country to country and we are driving to the lowest common denominator, it’s going to stifle overall economic growth.”
Data-driven businesses are feeling the first hits from the regulators and their customers. Companies that track consumer behavior will need stricter business policies and practices to ensure they comply with the GDPR.
What are the next steps to begin planning on how to become GDPR compliant?
Determine if the company is targeting EU customers through its digital media. Look for signs on the website such as language indicating an “International” service, a list price conversion tool on the listing pages that converts US dollars to EU currency, or the International dial code in a phone number.
If you are targeting EU customers, then:
Audit and document where personal data exists in the corporate systems. This is not a one-time event; processes and procedures must be in place to always keep the information current.
Develop a roadmap to remediate non-compliant processes and protocols. The EU provides a Data Protection Impact Assessment tool to assist in a plan to become compliant.
Assign someone within the organization to be the Data Protection Officer (DPO). The DPO advises and informs your organization of GDPR requirements. Furthermore, they must monitor and enforce GDPR compliance from within the organization.
Establish technology and policies to ensure security and data protection are part of the organization’s culture. Train continuously, as this ensures compliance is maintained throughout the organization.
Update the corporate privacy policy for GDPR compliance to:
- define how you use personal data.
- define how you provide personal data to others.
- define how you use and process cookies on your public-facing website.
- define how you use personal data in analytics.
- define what rights the customer has in regard to their personal data.
- define GDPR-compliant consent forms.
Only time will tell!
As with any new regulation, it takes time in practice to understand its impact on business. The GDPR is a shot heard around the world in privacy activists’ fight for protections on how companies use personal data. The wind has already given them full sails with all the data breaches over the years. We will have to see how this all shakes out.
In the meantime, do your due diligence and begin to review how GDPR affects your organization and plan accordingly.
The WAV Group published the “How Europe’s New Personal Data Rule Impacts Real Estate” white paper to assist real estate companies on how to get started.
WAV Group is happy to get on a conference call to walk your team through the GDPR. Contact Victor Lund, Marilyn Wilson, or David Gumpper to schedule some time. Firms may schedule a private overview for their executive team or board by contacting Camilla Harvey at Camilla@WAVGroup.com.
“When the horse dies, get off.”
I love that saying, learned it from a very wise social worker-turned-speaker I hired many years ago. And so the discussion of data protection is the brokerage industry’s new “dead horse.” Have you ever wondered why in a free enterprise system the government is about to rule on hoarding data? That’s because that is what they do. Could this have been avoided? Absolutely, but we should have stopped talking about controlling data years ago.
Listings are not data, they are the product of the broker who takes them. They are owned by those who secure and create the product, they are what we sell to make money and operate our businesses. They are our competitive advantage. Period. No one in the government would ever be holding workshops to interfere with the sale of someone’s product in business. It is the fault of the industry – and mostly the failed MLS industry – to have assumed the sharing of its data with others to create cooperative sales and compensation that has brought about this inquiry. If we had treated each listing as a unique product, absent blanket assumptions of such cooperation, this type of intervention would have never happened.
Do you see the airlines or the auto manufacturers under this regulatory microscope now? No way. That is because the product they create and market has NOT been placed in a “coop”. The data is widely available, but the product is marketed and sold in their own controlled competitive environments. They control the sale of their products – seats and cars – within their own sales environments. Lexus has not agreed to work with Mercedes to sell their cars and American does not cooperate with Delta to fill seats. If you want to know who has put the brokerage industry in this pickle, look only to organized real estate and their constant efforts to level an otherwise competitive playing field. And if you want to investigate the biggest contributor to destroying the otherwise competitive nature of the residential real estate brokerage business, look to the practices, rules, and policies of the same organized real estate entities.