GDPR is just the start, says Diana Marin David of Good Corporation. More regulation and hard work by companies will be needed to give consumers genuine control over their data
It has been four months since the General Data Protection Regulation came into force on 25 May this year. In the run-up to GDPR Day, consumer awareness of data protection legislation seemed to be at an all-time high. Flooded with updates, notifications and requests from corporations, for many consumers it was the first time they were able to get a clear picture of how far their personal data had spread. Simultaneously, high-profile data scandals, like the ongoing Cambridge Analytica case, helped more people to realize the extent to which their personal data has become a valuable currency.
While it is good that individuals have become more aware of their rights to data privacy, there is a risk that they will soon become fatigued by the approach some organizations have taken to ensure that they are compliant with the GDPR.
One user followed links for further details to find a list of over 250 third parties that could receive this data
Indeed, some approaches may breach the spirit of the legislation, such as when users face requests to agree to the transfer of their data to third-party partners and other profiling activities. One user, for example, followed links for further details to find a list of over 250 third parties that could receive this data.
In this example, both the number of third-party partners and the extra steps required to access information on them meant that the user was not necessarily making the informed choice on usage of personal data envisaged by the legislation. How this sort of approach to “informed consent” is treated by enforcement authorities remains to be seen.
Initial pleas that the GDPR would prove too burdensome have quietened recently. While some organizations have chosen to pull out of the EU market entirely, including some high-profile media sites like the Chicago Tribune and the Los Angeles Times, for the most part organizations have tried to adapt. In the run-up to May some bodies went into overdrive in their campaign to request consent for processing users’ personal data. Now, having received that consent, organizations will have the additional important task of ensuring that they are monitoring that database of users, keeping details up to date, and only using the data for the purposes for which the user has granted permission.
Other ongoing tasks include the need to complete data privacy impact assessments, responding to subject access requests and ensuring that breach monitoring is taking place effectively. Ensuring that these requirements continue to be met, and that resource levels remain up to dealing with the tasks, will be an important factor in organizations remaining compliant with the GDPR after the initial excitement and concern from senior management passes.
Eyes are now turning to the ePrivacy Directive (implemented in the UK as the Privacy and Electronic Communications Regulations 2011), which is to be replaced by a new ePrivacy Regulation, expected to be in place in 2019. While much of the directive is not directly applicable to individuals, it contains important provisions on direct marketing.
The final text of the ePrivacy regulation will have important implications for the way companies talk to their customers. For example, many organizations, even post 25 May, currently operate using a “soft opt-in”, which means that they can assume they have consent for direct marketing to their customers. If the wording around this soft opt-in changes, many bodies will have to re-examine how and why they communicate with their customers.
There are many areas of data protection 'behind the scenes' that require careful thought and planning
While much focus has been given to the facets of data protection that affect consumers most directly, there are many areas of data protection “behind the scenes” that require careful thought and planning from data processors, and several topics where individuals and companies are still awaiting guidance and a direction from the regulators.
These include areas such as the one-stop shop for data protection authorities, the Irish Supreme Court’s judgment on referring a case on standard contractual clauses to the Court of Justice of the European Union, and the direction that data sharing takes in a post-Brexit world.
Six steps to better data protection
On the other hand, there are a number of organizations that are really trying to inform their user base about the decisions they make around the use and collection of their personal data. Some areas of best practice include:
1. Ensuring privacy statements are clear and simply spelled out, without hiding crucial information behind multiple clicks
2. Evaluating their policies on sharing data with third parties and the number of third parties they choose to share that data with
3. Keeping up with data-retention policies that may have been drafted recently to comply with recent legislation, but not had cause to be used yet
4. Regularly monitoring data flows to keep on top of potential changes, ensuring that they follow up on any initial data-mapping exercises
5. Sustaining management commitment to ensure that data protection principles are embedded in the organization
6. Periodically evaluating measures they have in place to ensure they remain effective and relevant
The key principles to respecting data privacy and protection are similar to those required for any element of good customer experience: keep things clear, give people options and be transparent with your customer. Giving individuals more control over their data is vital, and when a company can show that it respects this it resonates strongly with users in this increasingly privacy-conscious age. It will be important for organizations to sustain their commitment to good data protection principles through continuous review and adaptation as technology and user expectations evolve.
Diana Marín Dawid is an analyst with business ethics advisers GoodCorporation.
This article is part of the in-depth Ethics of Digitization briefing. See also: