One Year Later, A Conversation on GDPR

May 27, 2019

May 25, 2018 represented a sea change in the protection of personal data globally when the EU began enforcing the General Data Protection Regulation (GDPR). GDPR, which aims to enhance and harmonize data protection laws across the EU, continues to reverberate globally. To celebrate its first birthday, Adrian Whelan sat down with Emerald De Leeuw, CEO of EuroComply Data Protection Technology, to reflect on GDPR and to take stock on what’s changed, what remains the same, and the broader implications for asset managers. Here's their conversation.

Adrian Whelan: So Emerald, times flies, it's been a whole year since GDPR went live. How has the data privacy landscape changed since GDPR's implementation in May of last year?

Emerald De Leeuw: The awareness of the questionable way certain organisations handle personal data has changed dramatically. This is not only due to the GDPR but also some very high-profile data breaches we have seen. Media reporting of data privacy is at an all-time high and the unthinkable happened last May when Google searches for GDPR overtook searches for both Beyoncé and Kim Kardashian (shocker I know!!).

An area we've focused on a lot in our firm is the effect that GDPR has had on marketing and product distribution efforts in financial services. Can you talk to us a little bit about that?

Financial services has been impacted by GDPR in an identical way to how it has affected marketing across the board, millions of annoying consent refresh emails were sent out just before May 25, 2018. There has been a misconception that GDPR solely governs rules on advertising. It is in fact the ePrivacy Directive 2002 that sets the general marketing standards and this Directive has not changed. The only thing that changed is that the standard of consent needs to be GDPR grade consent, and not to get too technical but this means that the consent must be freely given, specific, informed, and unambiguous.

However, if you are marketing to existing customers or clients you may be able to rely on "legitimate interest" for your marketing activities. Be mindful you must meet all the requirements of the so-called “soft opt-in” to be able to do so. Organisations have become a lot more careful, lists have been purged, and there is a greater sense of awareness that if you annoy clients too much they will stop engaging with your business, or worse, could file a GDPR complaint. No one wants to be on the radar of the regulators.

GDPR was framed very specifically by EU policymakers to protect EU citizens data privacy rights in an increasingly digital and data driven world. Has it delivered its desired outcomes for EU citizens?

To a degree, yes. We have had data protection laws for a long time, but they were largely ignored and outdated. The new regulatory framework with its principles and the fact that the GDPR is technology neutral allows for longevity. Furthermore, there is a self-enforcing element within the GDPR, data controllers are now responsible from their entire data supply chain. This means that a demand for such compliance gets baked into contracts globally. This quite obviously benefits European residents, but we are also seeing countries outside of Europe implementing similar laws. Most notably in the US with the Californian Consumer Privacy Act. 

So, you suggest partial success. Which desired areas of GDPR still remain to be accomplished?

An effective way of getting real meaningful consent remains elusive. Consent under GDPR doesn’t really work online, particularly in advertising technology as the chain of data recipients is very difficult to discern. This is as much an issue for asset managers as it is online retailers. We need to figure out how to properly inform individuals without annoying them with popups that drive them to immediately click “I accept” without reading what they are consenting to. 

I couldn't agree more about the impacts of vendors who have been overly intrusive with their consent requests. Personally, that's driven me mad at times. On another note, when you and I spoke last year before GDPR took effect, we speculated that GDPR would become the global standard for data privacy. Has that prediction proved correct? 

Yes, it certainly has extra territorial scope, which means if you target European residents with your product or services or monitor their behaviour you must comply. Also, for countries that wish to make it easier for their residents to do business with Europe, it is desirable to have free flow of data between and be considered a country that offers “adequate” protection. For example, Japan now has “GDPR adequacy” which means data can flow freely between EU member states and Japan.

GDPR has influenced non-EU policy making on data privacy. You've already referenced Japan and California changes. Have there been others? What was the single biggest lesson learned from GDPR implementation in your opinion?

Don’t underestimate the time it takes to sort out your data processing legal agreements. And, sending constant consent refresh emails is a bad idea.

Your 2018 GDPR prediction proved spot on regarding global standards. What data privacy prediction or hot topic should we look out for in the coming 12 months?

Again, I think you should brace yourself for the California Consumer Privacy Act as it works similarly to the GDPR. It has global reach which means countries in the EU will have to comply with Californian State law if they fall within its scope. It’s not too dissimilar to GDPR in terms of what it requires but it is yet another law to comply with. Since California is home to many of the world’s largest social media and technology firms, again this one will likely have global effect. This will have an impact on all companies with a Californian presence but also anyone who does business there, including non-US firms with US clients since these requirements, as we know from GDPR, tend to impact the entire data chain of an organisation. 

Getting back to the global view, are firms globally on the same page in terms of the GDPR implementation? How are EU vs non-EU firms engaging differently?

The same page? No, not at all actually. A lot of companies incorrectly believe that they won’t get fined if they aren’t established within the EU. Companies with a European HQ naturally are doing a better job. 

I know you've been busy in your business but how have other businesses been impacted by GDPR?

The impact has been profound. We are seeing more jobs created, more new people joining the data privacy industry, and more companies looking at data governance as a competitive advantage as opposed to a mere compliance cost. There is value in being a data privacy friendly organization and there are career opportunities in the area of data governance globally that simply didn't exist a few years ago. 

As always, you've been a fountain of data privacy knowledge. Before I let you go, is there anything else you want our readers to know?

Yes, privacy and data protection are more than just the GDPR. We can all say that privacy is dead because we make more money that way, however is a world without any respect for our boundaries really what we want? We don’t have to choose between innovation and privacy, we should be able to have both.

The views expressed in this material are those of the author as of May 24 and may or may not be consistent with the views of Brown Brothers Harriman & Co. and its subsidiaries and affiliates (“BBH”), and are intended for informational purposes only. Neither, Brown Brothers Harriman, its affiliates, nor its financial professionals, render tax or legal advice. Please consult with attorney, accountant, and/or tax advisor for advice concerning your particular circumstances. BBH is not affiliated with Emerald De Leeuw.

Brown Brothers Harriman & Co. (“BBH”) may be used as a generic term to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries.This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. All trademarks and service marks included are the property of BBH or their respective owners.© Brown Brothers Harriman & Co. 2021. All rights reserved.

This browser is not fully supported by our public website and may not display or function as expected for this reason. Please note, the Infuse Portal and BBH client applications fully support the IE 11 browser.

Important Information for Non-U.S. Residents

You are required to read the following important information, which, in conjunction with the Terms and Conditions, governs your use of this website. Your use of this website and its contents constitute your acceptance of this information and those Terms and Conditions. If you do not agree with this information and the Terms and Conditions, you should immediately cease use of this website. The contents of this website have not been prepared for the benefit of investors outside of the United States. This website is not intended as a solicitation of the purchase or sale of any security or other financial instrument or any investment management services for any investor who resides in a jurisdiction other than the United States1. As a general matter, Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) is not licensed or registered to solicit prospective investors and offer investment advisory services in jurisdictions outside of the United States. The information on this website is not intended to be distributed to, directed at or used by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. Persons in respect of whom such prohibitions apply must not access the website.  Under certain circumstances, BBH may provide services to investors located outside of the United States in accordance with applicable law. The conditions under which such services may be provided will be analyzed on a case-by-case basis by BBH. BBH will only accept investors from such jurisdictions or countries where it has made a determination that such an arrangement or relationship is permissible under the laws of that jurisdiction or country. The existence of this website is not intended to be a substitute for the type of analysis described above and is not intended as a solicitation of or recommendation to any prospective investor, including those located outside of the United States. Certain BBH products or services may not be available in certain jurisdictions. By choosing to access this website from any location other than the United States, you accept full responsibility for compliance with all local laws. The website contains content that has been obtained from sources that BBH believes to be reliable as of the date presented; however, BBH cannot guarantee the accuracy of such content, assure its completeness, or warrant that such information will not be changed. The content contained herein is current as of the date of issuance and is subject to change without notice. The website’s content does not constitute investment advice and should not be used as the basis for any investment decision. There is no guarantee that any investment objectives, expectations, targets described in this website or the  performance or profitability of any investment will be achieved. You understand that investing in securities and other financial instruments involves risks that may affect the value of the securities and may result in losses, including the potential loss of the principal invested, and you assume and are able to bear all such risks.  In no event shall BBH or any other affiliated party be liable for any direct, incidental, special, consequential, indirect, lost profits, loss of business or data, or punitive damages arising out of your use of this website. By clicking accept, you confirm that you accept  to the above Important Information along with Terms and Conditions.

1BBH sponsors UCITS Funds registered in Luxembourg, in certain jurisdictions. For information on those funds, please see

captcha image

Type in the word seen on the picture

I am a current investor in another jurisdiction