In less than three months' time, the European Union’s General Data Protection Regulation (GDPR) takes effect. The penalty for non-compliance is astronomical: 4% of annual revenue. Faced with the need to follow GDPR, how prepared are public and commercial service providers and broadcasters?
We have found that most media delivery companies in the Nordics are not following the requirements of GDPR. There is no precise method to opt out of or into personal data collection. Consumers cannot quickly remove data, and most companies do not explain how they use consumers’ confidential data.
Figure 1: So how does the Nordic region fare regarding GDPR compliance?
Who did we survey?
We have reviewed materials currently available to end users across twenty-one service providers in the Nordic region along with two global providers: YouTube and Netflix.
Figure 2: The 21 Nordic service providers surveyed. Several of the providers serve multiple Nordic countries. The label “Commercial” and “Public” service providers represent the broadcasters.
Right #1: The right to access information
Public broadcasters are less compliant with this requirement; those that offer login capabilities or track social media usage are the only ones that give access. Service providers that focused solely on Video on Demand services had full compliance. Most of the remaining service providers offered access, though fewer than expected, as explained below.
GDPR stipulates that if customers request information on the data collected about them, providers must deliver the information in electronic form. Many service providers still require customers to request their data by letter, which is old-fashioned to say the least and not a convenient way to request information that will be delivered electronically.
Figure 3: The right to access information chart
Right #2: The right to opt in for collecting private data
Because most consumers do not read the terms and conditions of most services, under GDPR, it will no longer be acceptable for service providers to neglect to ask consumers’ permission to collect personal data.
In practice, this means there needs to be an added checkbox asking permission to use the customer’s data to (for example) send them promotional material. If the consumer must actively un-check the permission box, then it is considered an “opt-out” choice. If that box is not preselected, then it is an “opt-in” choice.
Only 19% of the companies we looked at give an opt-in choice, and 33% offer opt-out. The remaining 48% did not offer consumers the opportunity to opt in or out of confidential data collection. The service provider must explain the benefits of opting in using simple, plain language and examples. If the reason for using personal data is beneficial to consumers and explained to them, most (at least most younger than 30) will agree.
Figure 4: The right to opt in for collecting private data chart
Service providers should explain to consumers what they are asking them to opt into. YouTube does a decent job of informing consumers of their choices, although they currently appear to be focused on letting consumers opt out rather than asking them to opt in. They explain the data they are collecting and how the consumer can disable the collection of each type of data. The figure below shows how they do this for search and viewing history. End users can also review their viewing history and remove individual items.
Figure 5: YouTube example of opt in
Right #3: The right to be forgotten
GDPR requires that personal data can be forgotten, including information on the content a consumer views (for example, whether they have used video on demand or watched live or recorded content). Netflix does this well. Consumers can even remove individual titles from their history. If a consumer asks to have an activity removed, Netflix takes it away within 24 hours. GDPR does not require deletion on a per-title basis. It does require providers to give consumers the choice to opt into collecting information on their viewing history, as YouTube does.
Figure 6: Netflix example of forgetting viewed titles
The local Nordic providers do not offer the same level of “forgetting” as Netflix or YouTube provide. Only 14% of service providers’ privacy policies state that they give consumers the choice to have their personal data forgotten.
Figure 7: The right to be forgotten chart
Service providers in the Nordics who give customers a choice to be forgotten typically offer an all-or-nothing choice. They do not give consumers the choice to omit individual content items. Moreover, Nordic service providers do not make it easy for consumers to exercise their right to be forgotten. None of the providers we reviewed offered an online interface.
Right #4: The right to know how the collected data is used
Companies like Netflix and Google run on the algorithms they use and insights they gain from data they gather on consumers who use their services. Service providers that do not use analytics to better understand their customers are likely to fail. Having access to personal data can help predict churn, understand audience segments, or monetize the collected data. Successful companies like Facebook and Google have language in their privacy policies explaining how they use consumer data. They give clear steps for consumers who do not want to share data, and they do not have all-or-nothing systems.
If service providers clarify how they will use data, consumers are most likely to grant access. If not, they will withhold consent. Service providers that use data without consumer permission will face not only legal but also public relations consequences when GDPR enforcement takes hold.
Figure 8: The right to know how private data is used chart
Half of the Operator service providers did not explain how they use data. YouTube, on the other hand, does explain how they use watched videos, and most importantly, how giving such data will contribute to the user’s experience. When a consumer makes the choice to opt out, another message appears that reminds them of the benefits they will miss if they make this choice.
Figure 9: YouTube example of explanation of usage of collected data
“Wait and see” is not the right approach to GDPR. Instead, service providers should take proactive steps to understand the regulations and reach full compliance. By setting a clear policy for data collection that the company and its partners will follow, service providers can better understand what data is available for them to use to conduct their business, to innovate, and possibly to monetize the information they collect. The investment in reaching full GDPR compliance should, in the end, not just mitigate risk, but also give companies a positive return.
The input to this article can be found in the Nordic GDPR Compliance Barometer (see link below). The website is a convenient way to filter the results based on type of industry and country. Note that the information may be updated as new information is collected. See https://www.dativa.com/nordic-gdpr-compliance-barometer/
Using Analytics to Improve Customer Engagement, by Sam Ransbotham and David Kiron, published January 30, 2018