November 21, 2018
How GDPR Changed the Internet (and didn't)
May 25, 2018, was the first day that Europe’s General Data Protection Regulation (GDPR) took effect and began to be enforced. The world experienced this with a slew of new contracts, terms, and agreements sent out between tech companies and customers, regarding the way they gather data from each other.
What is the GDPR?
The GDPR is a ruling by the European Union back in 2016 that sets the standard for how businesses manage and share personal data. Theoretically, these new rules only apply to European citizens. The global nature of business, however, means that most of the world has to comply with these standards or lose their European customers.
The GDPR built its rules upon the Privacy Shield and Data Protection Directive privacy measures that the EU adopted. The GDPR sets a higher standard than ever seen before when it comes to obtaining personal data from customers. The default situation requires explicit and informed consent any time a company collects personal data. Also, users are required to have the ability to revoke that consent or request all the data a company has collected on them at any time.
Where This Hits Home
Many aspects of global businesses will be relatively unaffected by the GDPR. Manufacturing and R&D, which work with very little customer data will be unchanged. Even departments like shipping are unlikely to require significant changes to their processes and policies. The departments most affected by this ruling are Marketing Research and Advertising.
Internet marketing is fueled and directed by customer contact information, purchasing history, and preferences. Every advertising campaign is driven by this information, from its offer, deployment strategy, timing, and even the very tone of the words used in writing it. There are entire industries which exist only to acquire and sell this information to business marketers. These are the people and places that will be hit the hardest by the GDPR.
How will they be affected? The basic concept of personal data protection has been in existence already. The requirements for obtaining that have been raised, but the penalty for breaking these rules have been lifted significantly. The new maximum fine is the larger of 4% of a business’s global turnover or $20 million. The largest social networks could perhaps take that kind of hit, but it would knock out most corporations. May 25th, 2018 was also set as a hard deadline, and any company that did not comply by that date is subject to those hefty penalties.
The most noticeable changes that GDPR has made is that the existing pop-up boxes that ask your permission to gather information will be written much clearer than in the past. You may notice them a bit more often as well.
Additionally, there will be new ways to download your data that exists on other servers. Some may want to do this just to find out what all a company has on them. Google and Slack are utilizing this for other purposes though. They are providing opportunities to transfer data from one service to another. So, if you want to find a way to move all of your twitter tweets to a Google doc, there is probably a way to do that simply.
The biggest changes are happening outside the customer’s view. Those marketing companies, who used to sell the same data to several dozen businesses to make targeted ads now have to find ways to share their processes transparently with the individuals whose data they collect. They can no longer sell to secret partners without the customers express notification. What this boils down to is the end of a no-cost, data-sharing industry. Now, there are costs to selling personal data online.
While this requires much more thought put into those consent forms, the most significant complications come up with the possibility of breaches. If you give Google your info and they sell it to Krispy Kreme Donuts (with your permission), but then Krispy Kreme has a data breach, and your info is stolen, who is liable in this situation? The GDPR suggests that Google may end up with some liability because they sold your info to a system with security weaknesses.
The standards have been raised, and the penalties have been made much harsher. However, there continue to be data breaches across the globe, sometimes stealing billions of records to be sold and exploited worldwide. The GDPR does not stop cybercrime any more than adding more weapon restrictions for law-abiding citizens affects criminal behavior. It may force a few groups off the fence. We still have to be cautious with the data we put on the free exchange of information that is the internet.
It will not likely cut back on the ads we are bombarded with in our social media and email either. Entire industries are based upon this, and they will find ways to fight and adapt to these new regulations. It is not just marketers either. Political firms such as Cambridge Analytica and even the National Security Agency use this same data to watch groups and even particular individuals. While this may be worrisome for some, it may be seen as a form of protection for others. These groups will also find ways to adapt to the GDPR and continue the work they do.
A final emerging group that will be affected by this ruling is cloud-based services. SaaS entities, which are often applications and processes designed to do the work of individuals will require different kinds of consent forms and existing services may have to be redesigned to ensure compliance. Since there is not a human entity making individual decisions, the actual process designs will need to be altered to make sure no possibility of violation could occur… and that could be difficult since the actual enforcement of the GDPR is under a year old, and many of the consequences of this ruling have not yet played out. It is likely that these cloud-based industries will be in a state of flux regarding data acquisition for several years to come.