2018 is officially the year of privacy: The EU’s General Data Protection Regulation (GDPR) will officially come into force on 25 May, followed by its local cousin, POPIA, in the second or third quarter of the year.
Both GDPR and POPIA are set to dramatically change the way South African organisations do business – especially how personal data is handled and stored.
Why should the GDPR matter to South African digital marketers?
The GDPR extends well beyond the borders of the EU. The legislation has so-called ‘extra-territorial applicability’, but it also stops European organisations from sending data to other countries unless they are sure that GDPR-equivalent data protection laws are in place.
This has a far-reaching impact on global communication, and the way countries outside of this regulation do business. If you do not have stringent data management processes in place, and cannot illustrate that you obtained your data with the consent of your audience, you could face severe penalties or lose international business.
In countries like South Africa, where there are not comprehensive privacy laws (yet), local businesses are being forced to conclude contracts in which they undertake to follow the GDPR. They are also often forced to demonstrate that they are compliant. If they cannot do this, the contract will be awarded to someone else. This type of commercial force has been the true sting in the GDPR’s tail for SA companies.
Digital marketers in particular will feel the GDPR’s reach due to the clampdown on data farming and data sharing, which has already started. Tech giants have already made moves to withdraw support for third-party ad serving in Europe and to limit the number of vendors that can measure ad performance on their platforms.
When will the GDPR apply directly to an SA company?
This is an important question to answer, because the penalties for non-compliance are severe. There are fines of up to 20 000 000 EUR or 4% of total global turnover.
Four questions determine whether the GDPR applies:
1. If an organisation is incorporated in Europe, that entity has to comply with all European laws, including the GDPR.
2. If an organisation is active in Europe through a ‘stable arrangement’ in the EU, the GDPR will apply. This includes instances where a South African business is active in Europe through an agent, a sales office or a branch in Europe. The European Commission will look at factors such as whether the SA company has a website in a European language (other than English), whether it has equipment in Europe or a European postal address.
3. If the SA business is not established in Europe under questions 1 and 2, the GDPR may still apply if it offers goods or services to individuals while they are in the EU. When the European Commission determines whether this is the case, it takes into account factors such as whether these services are offered in an EU language (other than English), whether payment can be made in an EU currency and whether your marketing material specifically mentions customers located in the EU. This does not mean that the GDPR will apply to European citizens while they are in South Africa. So, just because you have European customers doesn’t mean that you have to comply. It will depend on whether you are delivering goods or services to individuals while they are in the EU.
4. Lastly, and perhaps most importantly for digital marketers, the GDPR will apply to a South African business if it is monitoring the behaviour of individuals while they are in the EU. If the business does analytics on individuals while they are in the EU to create a profile of them, or to analyse their preferences, behaviour or attitudes, the GDPR applies.
This means that if a digital marketer is profiling and targeting individuals while they are in Europe, the GDPR will apply.
So, it applies, now what?
The biggest concern for digital marketers is whether they need the consent of consumers to serve personalised advertising. While marketing via email and SMS requires consent, more specifically an opt-in consent, the digital marketing world falls within a grey area. This unfortunately means that there are no hard and fast rules – whether consent is required will depend on what the digital marketer wants to do.
Given how impractical it is to get consent for personalised ad serving, it is important to remember that consent is not the only way to justify personalised advertising. In the EU, many digital marketers make use of the ‘legitimate interest’ argument where the impact on consumers’ privacy is measured up against the interests of the business.
Factors such as the level of the targeting (whether individuals are being targeted as opposed to clusters) and whether the consumer was notified that their data would be used in targeting are taken into account.
As with POPIA, the name of the game to become GDPR compliant is data management. Without it, an organisation will not be able to demonstrate that its use of data is, or was, compliant. This means that it has to be able to record when, why and how the information was collected and that it was only used for the original purpose. This requires sophisticated systems and processes and will challenge companies to set up dedicated infrastructure for data management.
The IAB South Africa will notify all members of GDPR developments as they pertain to South African publishers, marketers and agencies. We will also be holding a workshop in the coming months to unpack the impact of the regulation in detail.
By Elizabeth de Stadler, editor of the Consumer Law Review