By Niall Bennet, Corresponding Author at Betipy
Everyone has been receiving a lot more emails than usual lately, as companies seek to find out whether their mailing list members wish to remain in touch or not. The GDPR (General Data Protection Regulation) has an impact on everyone: companies and their customers. It came into force on 25 May 2018 and affects everyone and their data.
This new regulation, which in the UK is coupled with an updated version of the Data Protection Act, gives individuals more rights over their data than previously. Companies have been contacting their customers to find out whether they want the company to continue to hold data on them. In some cases, if the customer does not respond, they will be removed from the mailing list and their accounts will be closed. For those people who never read half the emails they receive anyway, this will probably come as a welcome relief.
For organisations which collect personal data for professional reasons, for instance healthcare providers, GDPR makes the process more transparent to the individual. Patients will have the right to request a hard copy of the data that the organisation holds about them and the right to request that data is erased.
The idea of GDPR is to enforce tighter regulation on companies and attempt to prevent misuse of data. It also standardises the handling of personal data across the EU and how companies worldwide handle data on EU citizens. The additional updates to the UK’s Data Protection Act will ensure that this legislation remains valid even after Brexit. The legal requirement is for companies which operate in the EU or sell goods or services into the EU to adhere to this new regulation. The infographic 55 Things you Need to Know about GDPR gives more information, and many places have been producing additional handouts for staff and customers.
Personal information and special category data
Personal information is defined under GDPR as any information which can identify anyone. Names, job titles and locations all come under the standard definition of personal information. Special category data includes information held in health records, addresses and telephone numbers and human resources records of employees.
The Information Commissioner’s Office (ICO) has been working with companies to help them be ready for the implementation of GDPR. Firms which do not comply can be fined, and some companies have already decided to shut areas of their business either permanently or temporarily while they evaluate the situation.
And it’s goodbye from…
The BBC reports that some US news sites are temporarily unavailable to EU readers due to concerns about GDPR. Many social media and email sites are insisting that users reconfirm their agreement to hold a profile and review the third-party consents they have granted. This makes sense, as no one remembers the one time they had a burning need to comment on a random article but needed to sign in through social media in order to do so, thus granting the random website the right to use their social media data for marketing purposes.
Meanwhile the Guardian offers a list of GDPR casualties including Instapaper (temporary closure), Unroll.me (permanent withdrawal of services to EU citizens), History.com (blocking all EU visitors) and Ragnarok Online (switching off EU servers).
Massive fines for non-compliance
One thing’s for sure. The risks of non-compliance are huge. The big names have already been affected. The BBC reports that complaints have been filed against Facebook, Google, Instagram and WhatsApp over their use of targeted advertising. This could lead to fines and changes in the way the sites operate. These fines could be 4% of turnover or a maximum of €20 million. At present the sites show sponsored content on each user’s feed. While most of us scroll through the ads and think no more about it, the fact that the branded content is offered based on the words in our profiles and the demographic of people we follow is an issue under the new GDPR regulations.
Active opt-in consent
Under GDPR, every company must be active in gaining consent to hold information on customers. In theory this should cut down the number of emails and stop at least some of the junk mail through the letterbox. The fact that someone didn’t see a box asking them to agree to receive ‘carefully curated third party content’ is no excuse any more. In fact, it could land the company concerned with a large fine.
Under GDPR the user is in control. Individuals have the right to request that organisations erase the information held on them (the ‘right to be forgotten’). Companies which do not comply will face the consequences.
At present it is unclear what effect that will have on the social media giants and enormous tech conglomerates, but certainly the way they handle data has been much in the news lately, with Mark Zuckerberg facing an uncomfortable grilling by Congress and others over Cambridge Analytica’s involvement with Facebook. Some will likely say that GDPR couldn’t come quick enough and should have been enacted years ago. Others will be grateful that it has now been made law, and will be enjoying watching the tech giants squirming as a result of the tighter regulation. For the individual, handing control of their data back to them can only be a good thing.