Building Better Regulations by Example: A Critical Assessment of the GDPR - Part 1

WM Circle Logo

By: Wise Marketer Staff |

Posted on April 3, 2019

Editor’s Note:  The themes surrounding personal data privacy are as complex as they are important – especially as they relate to the practice of loyalty marketing. If you have been following The Wise Marketer recently, you already know that we believe that the unchecked harvesting of consumer data (ala Cambridge Analytica) needs to be scrutinized and contained. What follows is Part one of an assessment of some of the problems GDPR regulations present. Part two will follow tomorrow.  Our hope is that this assessment will provide context for deeper discussion within our industry.

The turbulent landscape encompassing the state of data security and privacy is dotted with consumer confusion, compromising incidents, and growing levels of concern amongst the multitude of different stakeholder subsets. Part of the problem’s complexity is the novelty of the technologies and usage situations which support the advancement of data collection and utilization; relatively speaking, there is a dearth of precedent to establish functional standards that benefit all involved.

That is why governments are swiftly stepping up to enforce better regulations to protect the industry and its consumers. One of the first major reforms introduced by a government body is the GDPR regulations – the General Data Protection Regulation, a series of European Union laws describing data protection and privacy for populations within the EU.The mission of this standard is to “protect all EU citizens from privacy and data breaches in today’s data-driven world" – and while few would argue against the principles which drive this mission, its execution is not without its detractors.

As U.S. governments proceed in their efforts to tackle data privacy concerns and introduce workable regulations, there is an opportunity to learn from existing frameworks such as the GDPR regulations by assessing them through a critical lens. This perspective becomes particularly salient as the California Consumer Privacy Act (CCPA) looms on the horizon here in the U.S.

10 Pitfalls Of The GDPR

Earlier in March, Roslyn Layton, representing the American Enterprise Institute, posited a critical assessment of the GDPR and identified ten potential pitfalls which could plague the CCPA:

The GDPR strengthens the largest players.

The GDPR, by its nature, favors large organizations who possess the resources to navigate the intricacies of laws and the market presence to grow their influence amongst customers. These large companies have the financial means to upgrade their technologies and the professional resources necessary to comply with the GDPR; further, customers themselves become less inclined for market experimentation, preferring to stay with the market leaders whose presence is more familiar and perceivably reliable.

It has weakened small and medium-sized firms.

On the flip-side of bolstering large organizations, GDPR has also neutered the market influence of smaller competitors by creating an environment in which companies with less resources simply have no hope of thriving.

Various factors contribute to the conditions which throttle organizational size. In the context of the GDPR, one aspect is the fact that the regulations have mitigated opportunities for the European venture capital markets which fund start-ups. While some may perceive the GDPR acting as a de-facto trade barrier to keep small American firms at bay for the benefit of similarly sized European entities, even European counterparts have had difficulty leveraging their foothold in a market where expensive upgrades to maintain compliance move past the threshold of viability. The GDPR has proved cost-prohibitive for many firms.

The numbers speak for themselves: in order to finance the critical operations necessary for GDPR compliance, an average firm must outlay approximately $3 million. The economics simply do not add up for thousands of U.S. firms, and the resulting exodus of these organizations has led to an overall condensation of the market.

It has silenced free speech and expression.

Because of media and news reliance on data and associated infrastructure, GDPR has significantly impacted the operations of news sites and channels in the EU. Thousands of sites have shuttered their windows, and flagship publications such as the Los Angeles Time, the Chicago Tribune, amongst others, have precluded access to those who seek it. GDPR violations are costly, and the rationale behind many of these decisions revolves around self-censorship as a way to mitigate the chance of running afoul of the law. Whether or not these aspects of the GDPR would pass legislative tests in the U.S. remains to be seen; many aspects may simply be unenforceable or run contrary to existing protections provided by constitutional amendments and laws.

The GDPR threatens innovation and research.

Loyalty marketers know the importance of innovative technologies to capture all of the benefits that big data has to offer. Artificial intelligence, blockchain, machine learning, and new tools to process the enormous amounts of information businesses now have at their disposal all offer unimaginable forward steps to better connect consumers with brands. One side-effect of GDPR is the prevention of further development for these technologies due to the uncertainty of its tenets and the apparent conflicts of its enforcement. The environment which embodies these factors challenges forward thinking entrepreneurs and innovators and makes it difficult to maintain the progressive march of scientific advancement.

It increases cybersecurity risks.

It seems counterintuitive that very malfeasance which GDPR aims to eradicate can actually be further propagated under its reign. This is due to the fact that the international protections put in place to secure cyber-architecture can actually be undermined by the regulations, by preventing access of critical information by law enforcement agencies and security professionals. Even in cases where information should be technically available to concerned stakeholders, many of them are practicing voluntary censorship to avoid risking GDPR non-compliance and amassing exorbitant penalties.

This is part one of an assessment of some of the problems GDPR presents. Part two will follow tomorrow.  Our hope is that this assessment will provide context for deeper discussion within our industry.