It’s now been a year since the new GDPR came into force, and email servers everywhere ground to a halt under the strain of the deluge of emails asking us to confirm our marketing preferences.
Since then, what’s really changed? Is our data more protected? Are we less at the mercy of cyber criminals and email spammers?
I think not, to be honest. But knowledge is power, and that’s what we’ve gained so far from the GDPR. We know when we’re signing up to a mailing list or newsletter and we have the power to say no without it impacting our use of a website. We know that we can ask those who hold our data to tell us exactly what they have on us, and we can ask them to remove it if we feel it’s necessary. We know that our employers and those we deal with in business have an obligation to keep our data secure, and we know we can make a fuss about it if they don’t.
The landscape of data protection has certainly evolved, but who has gained and who has lost? As a consumer, a user of a bank account, a business owner and an avid internet user, my opinion is that the landscape has simply changed. Not better, not worse, just different.
This one is a win for the consumer, although like most people I’ve noticed no reduction in the junk that lands in my inbox. Since the initial surge of desperate emails begging me to remain on mailing lists, I’ve noticed that I’m far more aware of it when I agree to marketing communications, though. Companies are no longer allowed to force your hand by pre-ticking boxes or restricting access to material unless you sign up. Instead, if they want your data, they have to sell the idea to you with discounts, competitions and other such perks. They also have to make it easy and straightforward for you to take your name off the list again, giving you far more control than you had pre-GDPR.
Almost every website I visit now asks me to accept cookies. This is the website owner’s attempt at giving me ‘meaningful control’ over whether or not I share the data that a cookie requires. In reality this is a little pointless – many websites won’t function without the use of cookies so I have no meaningful control. In addition, many websites don’t actually need this consent to comply with GDPR. Your IP address alone doesn’t constitute personal data in the eyes of the Information Commissioner’s Office (ICO) and so those irksome boxes are basically redundant.
Who’s the winner here? The web designers who are charging overly anxious site owners to add cookie consent popups to their site.
The use of ‘legitimate interest’ as an excuse for cold calling can be both a good thing and a bad thing. If a company contacts you without your prior express consent to do so, it is because they feel they have a ‘legitimate interest’. This could be your boiler manufacturer calling you to alert you to a known fault, for example. The joy for salesmen is that once they’ve played out their legitimate reason for communicating with you, they can then try to sell you their services. In this hypothetical instance I absolutely want to know that there’s a fault with my boiler. I’m less keen on the sales patter that will follow.
I’ve noticed that recruitment agencies (amongst others, I’m sure) are exploiting this term in the GDPR to openly cold call. I advertised a job 3 months ago and I’m still getting cold calls from recruitment agencies asking me if I’ve filled the vacancy. Even once I confirm that I have, they still launch into their terms and their rates, and try to invite themselves for a meeting. This is where the term “legitimate interest” could do with some clarification.
I’m not sure there’s a winner or a loser here – companies with a duty of care for their end users must retain the ability to call without express permission, but this provides a loophole for the less scrupulous in the business world.
We all seem to have a blind spot when it comes to our use of social media. Apps including Facebook, Instagram and Pinterest collect an inordinate amount of data about us; Facebook is the biggest collector using a whopping 63 pieces of personal data to personalise your experience.
This shouldn’t be a surprise to you as a reader. All social media platforms have had to disclose publicly which items of data they collect and what they use it for, and they’ve done so with great gusto. You can decline elements of this data collection of course, but you can’t even create an account without clicking away some of your control.
If your employer had asked for your shopping habits, your YouTube preferences, your Candy Crush level, your political biases, you’d be into HR in a heartbeat. For some reason though, we’re all OK with the social media giants having this level of information and more.
It seems that FOMO has outweighed our desire for privacy and control where social media is concerned, for now at least.
There are so many other things to discuss where GDPR is concerned. GDPR has created a whole new brand of geeks – cybersecurity professionals and information officers who have transformed themselves into GDPR specialists and Data Protection Officers. Fair play to them, they have capitalised on our need to be supported through the quagmire of new requirements, and who can blame them?
How about the LA Times? Just one of many international news sites you can no longer view from the EU. They decided that the risk of breaching the GDPR was just too great, so rather than deal with it they’ve simply blocked EU access.
Realistically the positive changes that the GDPR sought to bring are yet to be seen. Action is most definitely being taken, with €55.96M in fines being handed out. Bear in mind though that €50M of that came from the ICO’s first action under the GDPR – they went after Google. 200,000+ cases of data breaches have been reported but 65,000 of these came from well-behaved Data Protection Officers, reporting their own breaches.
What the GDPR has done so far is to make EU citizens very aware of who collects their data, how it’s collected, what it’s used for, and how to say no. In theory it’s also given us a very visible course of action if we feel that our privacy entitlement is being violated, and the right to be forgotten, but there are multiple hiccups and loopholes in those processes.
The GDPR is still a baby really, and when it grows up it has the potential to be something truly great. For now though it’s mainly just causing sleepless nights and costing us a fortune, and giving us something to chat about on the bus.