Are users prepared for the GDPR?

How many emails asking you to review your privacy settings or update your newsletter subscriptions have you received in the last month? Of these, how many of the links included in the email did you actually click? We ran a quick poll and found two common answers. The first was “we delete them, they are cluttering my inbox”. “I quickly read them and don’t take any action” was the second. The General Data Protection Regulation (GDPR), enforced from today, aims to give people more control over how organisations – public or private – use their personal data. It encourages each and every one of us to give explicit consent before organisations use our private data for different purposes. Among those purposes, for example, is the crafting of personalised online interactions, including the ads we see on our social media feeds. We can hardly exercise our rights when we don’t know them properly, or when we don’t understand their scope or the impact they may have on our lives. The intention of this article is to look at the GDPR from the users’ perspective, explaining basic but key information needed to understand the regulation. It also shares some thoughts about the opportunity the GDPR presents.

The GDPR decoded

While previous EU privacy measures like the Privacy Shield and the Data Protection Directive gave citizens certain control over their personal data, the GDPR extends those measures. In summary, with the new regulation we have the right to be informed about how organisations collect, process and use our personal data, including any third parties those organisations work with. We can also access our data and ask for rectification, restrict its processing, and even request erasure (the “right to be forgotten”). The GDPR also gives us the right to easily take our information away and move it to a different service provider in a usable format (so-called data portability). Finally, we can object to and restrict automated decision-making (decisions made by algorithms) and a process called “profiling”, the classification of individuals using personal data.

The emails and smartphone app notifications you have likely received lately are, in fact, a step organisations are taking to comply with “the right to be informed”. The GDPR wants “opt-in” actions to be the norm, leaving behind the “opt-out” practice that a large majority of online services were keen on using and taking advantage of until now. As from today, organisations cannot collect or share our personal data unless we, the users, have explicitly authorised it. This also applies to social networks and on-demand streaming services, for example.

What happens when you opt-in?

While some requests to read an organisation’s new privacy policy or review your privacy settings are informative and do not necessarily require you to take any opt-in action, emailed newsletters need your explicit consent to continue sending you information. Similarly, websites you visit have started to ask you what type of cookies (a piece of code to track your actions when you visit websites) you allow them to use. The common message ‘by using this site, you accept cookies’ is, from now on, insufficient to comply with the GDPR. The regulation demands detailed information about the use of cookies, and websites must provide a mechanism to limit or prevent tracking.

Once you give any organisation consent to process your personal data, you become a data subject. In practice, being a data subject means you are identifiable and targetable: for instance, you could see online ads related to the services you opted in to before, or even receive emails from a third organisation in partnership with the one you gave consent to. It’s important to be particularly aware of the type of consent we are giving and how far it extends.

We all, at some point in time, become data subjects, even if we decided to opt out of all the email subscriptions we’ve received until now. Have you applied for a job, booked a flight or used your credit card online? Then you have already disclosed some personal data, and you’re a data subject.

Personal data isn’t only your name. It doesn’t have a nationality either

According to the GDPR, personal data is “any information related to an identified or identifiable natural person”. To identify individuals, organisations could use assorted information, from obvious data such as names, ID numbers and driving licences to IP addresses, online user IDs, global positioning system (GPS) data, cookies, unique mobile device identifiers (UDID), and even biometric information. Sometimes a single piece of data doesn’t make us “identifiable”, but a combination of them does. What counts as personal data also depends on how organisations collect and process it.

If you are a European Union citizen or resident, then the GDPR is there to give you more control over how your personal data is used. However, although this section of the regulation isn’t clear, it seems it also protects other countries’ citizens when they are physically present in the EU (e.g., on vacation, studying, or as expatriates).

All organisations established in the EU have to comply with the GDPR, and so do organisations from outside the EU that use the personal data of people in the EU to offer targeted products and services. A large majority of organisations from all over the world will adapt to the GDPR, which is meant to become the world reference for future data protection laws.

The GDPR has been enforced, so what?

Implementing the GDPR, and any similar law that asks for people’s active involvement in the process, requires ambitious outreach campaigns across Europe and long-term education initiatives.

Much of the current hype around the GDPR might be gone in 3 or 6 months, leaving behind a bunch of unread emails in people’s inboxes. Will they have understood what it is and what kind of rights they can exercise when it comes to managing personal data? Though the GDPR puts much of the burden on organisations’ shoulders, it’s also set to make people responsible for the choices they make when giving up personal information, especially online. Most of us like personalisation, and we enjoy receiving information that matches our interests, but we are also urged to be more accountable for our digital lives.

For the GDPR to be an effective regulation framing the terms and conditions of online interactions between organisations and EU inhabitants – citizens and residents alike – we would all need to become more digitally mature. When could a person possibly achieve this status? Any attempt to answer that question is welcome, but likely debatable as well. On time or ahead of its time, the GDPR may be the opportunity to learn together: it’s an excellent “experiment” for obtaining invaluable first-hand information about people’s digital maturity, about what measures to take for a more successful adoption of digital-focused laws, and about how ready local authorities are to rule and sanction when needed, among other things.

The GDPR is about permission and consent, but also about building an open and responsible internet, together. What if someone finds a way to use the regulation to limit what others say about her? What if the “right to be forgotten” turns out to be a mechanism to break other laws? Could restricting free speech be an unexpected outcome of this new and ambitious regulation?

The need for GDPR-like regulations in these digital times is undeniable. Robots are becoming omnipresent, smartphones are replacing our personal assistants, and devices connect to each other and share information. All of them have one common fuel: human-based data. At this point, we are both the commodity and the end user. If we could possibly be Amazon for one day, wouldn’t it be smart to track the disclosed pieces of our personal data, know where they are stored, and be sure they are safe and sound and used the way we need?

Fortunately, you don’t need to go so far. The GDPR is there to help you. For now, take a moment and read more thoroughly the emails and notifications you’ve received about data privacy. Be trackable because you decided to be. It’s up to you.

What we think
Frédéric Vonner, Advisory Partner

The management of data privacy changes as from today. With the GDPR enforced, all stakeholders – users, organisations and regulators – have a great responsibility but a learning opportunity as well. We all want to enjoy the advantages of digital, but we also want safety, responsibility and accountability to be part of the equation. The GDPR is to become the world reference for upcoming data protection laws. We’re looking forward to seeing what the digital world under the GDPR will be.
