GDPR and why you should care about Data

Aoibheann Schwartz
Published in Blenderbox, May 25, 2018

Black Magic, or Building the Future?

Today, the GDPR (General Data Protection Regulation) comes into effect, enacted by the European Union. Adopted first in 2016, the regulation replaces the previous DPD (Data Protection Directive) of 1995, as a result of the recent unprecedented growth of technology and accumulation of data. The stats tell a staggering story — 90% of the world’s data has been created in the past three years alone, and by 2020, over 30 billion connected devices will continue to collect even more.

So, necessarily, more stringent and comprehensive regulations are called for, regulations which are almost as complex and confusing as the endless pile of data itself — the full text of the GDPR is comprised of almost 100 articles. It’s hard to know where to start, especially for companies outside of the EU who are wondering how these regulations will affect them, which articles they need to pay attention to, what steps to take — and also for the public at large, as the ethics and agenda behind data collection practices are brought under scrutiny.

What is GDPR?
Technology, internet and data related policy laws are not new phenomena — Google actually already offers a Takeout Page, which allows you to create a downloadable archive of your personal data, and Apple recently launched a “privacy portal” for EU accounts so that users can download all information the company connects with their account.

You may have noticed recently that your inbox has been flooded with emails from companies (Hubspot, Squarespace, Mavenlink, Quora, to name a few) to whose mailing list you may be subscribed, announcing updates to their Privacy Policies, improvements in how they outline their practices, and options you now have with regards to your data. This is all in advance of the GDPR, which differs from previous policy enforcements in that it represents an extra leap in the effort towards increasing transparency in web practices. As mentioned before, the accelerated growth of the internet is quickly outpacing our abilities to control where our private information ends up, and how we leave data trails of our identity across the web.

Legal frameworks like the GDPR respond to this by providing greater protection and rights to individuals over their personal data (or, as referred to in the US, “PII”). Personal data includes information like home address, emails, phone numbers, health, financial and school records, demographics, age, and areas of personal interest. The three most important rights introduced by GDPR allow website users to:

1. Access and view what data a particular organization is holding.
2. Correct or modify the data which is currently being stored.
3. Request that all data be completely deleted and erased from your user profile or records.

Consent is therefore the running theme of the GDPR, and this needs to occur before any of the user’s data is processed. As a responsible party, companies (with an online EU audience — we’ll get to this later!) now need to be able to answer to these requirements and furthermore demonstrate to the Data Protection Authorities that they can protect user information, in the case of a data breach, for example.

Why is GDPR important?
The introduction of and increased media coverage around the GDPR (almost as an initiative in itself) now provides consumers and website users with a new awareness about their level of autonomy and responsibility when engaging with internet services. It also prompts the opportunity to educate ourselves about the basic workings of the web, a world which appears so far away and out of reach to many.

Remember, the information you post about yourself on the internet stays on the internet forever and can never be deleted, right? This has been the automatically accepted notion for decades, and let’s be honest, it hasn’t stopped us “selling our souls” (or personal data, rather) to platforms like Facebook all these years without considering whether things could be done differently (how many times have you hesitated at that moment when you log into a site “via Facebook,” and a pop-up immediately demands you grant access to “all of your information, contacts, locations, etc.”?).

Understanding technology is inaccessible to many, but regulations like the GDPR act almost as a wake-up call to the average consumer, letting them know that yes, control is in their hands now, and we have a choice as to just how enshrined our identities become in the cluttered attic of web data. The population now plays a role in how internet activity is recorded, and with that in fact comes great responsibility, as it points to a future where we cannot place blame for mishaps solely on organizations who hold our data, as we now play an active role in allowing this information to be accessed.

Why should I care about data? The good and the…black magic.
Another positive knock-on effect of the new GDPR framework is that it encourages website users (whether protected by the laws or not) to take a closer look at what is going on behind the scenes regarding human data, and educate themselves on what exactly is being recorded, and why. As human beings, we are naturally both curious and sceptical when it comes to external forces mingling with our personal lives without our knowledge, so it’s safe to say that the majority of the population will search immediately for the negative agenda which drives and motivates data collection. On the other hand, many users are content to let this slide — surely my data is useless, why should I care if these details are stored among billions of others?

So, why is personal data so important, and why is it stored in the first place?

The internet is smart, and so is business. What is most important to a customer? Convenience. Step 1: The user needs to arrive where they want to arrive when they begin any process on the internet — ticking a box along the way and giving away all their data is just another “Yeah, whatever” moment in the hurry to get there. Step 2: You spend a half hour every few days browsing your favorite clothing shop online, open a new tab with that gorgeous pair of shoes to view later, and eventually forget about it. Step 3: You’re flicking through your Facebook or Instagram feed the next day — and there they are. The shoes. The exact pair of shoes.

But how did they know?

The truth is that as the internet collects troves of your data, whether behavioural or demographic, it is then sold on (literally) to advertisers, who can then target you with their wares. And while this may seem no more harmful than being slightly annoying at times, there is always the possibility that our data be used for more sinister means. Claims were even made which attributed the election of Trump to data malpractice. Whether true or otherwise is not the point: what matters here is that the availability of our data makes it possible. As noted by François Chollet, regarding data-storing platforms like Facebook, “We’re looking at a powerful entity that builds fine-grained psychological profiles of over two billion humans, that runs large-scale behavior manipulation experiments, and that aims at developing the best AI technology the world has ever seen. Personally, it really scares me.”

So even though we may continue to give away our data without noticing, the GDPR now allows us to back-track if we so choose, and to become more conscious of our role as active citizens as we enjoy the “free” services of the internet.

However, it’s not all black magic and manipulation of the naive consumer. Access to public data can be a means to positive engagement and efficient, effective production, which has beneficial impact. The Guardian, last year’s ‘Data Storytelling Awards Grand Prix’ winner, for example, takes a data-driven approach in order to understand those who consume their content, and use this information to personalise their publications and meet consumer needs and interests. Its customer charter, “Why your data matters,” launched in 2014, demonstrates how data transparency translates to an improved publication. Personal data is also being used to improve infrastructure, share knowledge, and improve Artificial Intelligence capabilities. It is indeed true that data drives the future.

Therefore, the GDPR should be regarded as not just a regulation, but a chance for us all to be a part of “the most important change in data privacy regulation in 20 years.” In the language of the GDPR, consent must be “freely given, specific, informed, and unambiguous.” So now we know. Sites like Gmail, Google, Facebook (to name the big ones) all scan your data for information that can be used to market to you. The GDPR doesn’t exist to stop this, but to bring the power back to the people, and to provide us with fundamental rights with regards to our online identity.

Does GDPR affect US companies? What steps can you take towards compliance?
Although enforced by the European Union, the GDPR has an encompassing geographic scope, due to the nature of the internet. It doesn’t just apply to organization websites based within the EU, but to all companies which deal with or store an EU citizen’s data, or who offer services to EU residents. This means that if you suspect you have European data in your database, you should definitely be taking steps towards making sure your privacy policy is in line with the stipulations of the new framework. US-based hospitality, travel, ecommerce and software services are most likely to need to act on the heads-up, as the fines now in place reach up to 20 million euro.

At the end of the day, in practice, the law is designed to protect EU citizens, and there are of course some instances when this won’t apply (for example, if a European browser accidentally ends up on your site). Our CEO, Jason, here at Blenderbox has put together his top 5 tips on the first steps towards making your US-based website compliant, but everyone needs to do their homework and get professional legal advice according to their own company context.

Will the US introduce similar regulations?
The introduction of GDPR in Europe marks a big change and advancement in the technology world, and as American companies will inevitably need to scramble to become compliant anyway, it is worth reflecting whether similar data regulations will be enforced in the US in the near future. At the moment, Americans outside of Europe cannot make data access or erasure requests. With programs such as NSA surveillance coming under scrutiny, however, we can say with confidence that significant steps are being taken to ensure the power balance between technology, the web and its human counterparts does not become completely overwhelming and out of reach.
