Unless you’ve been living under a rock, or refusing to check your emails for the past six months, you’ve probably heard about GDPR.
While the influx of GDPR-related emails can be irritating (trust me, marketers hate sending them as much as you hate receiving them), the GDPR itself is actually a bloody great thing for consumers. No, really. I promise.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new piece of EU legislation that comes into effect today (25 May 2018). It’s basically an updated version of the Data Protection Act that applies to all EU member states (and anyone who has customers in the EU).
It was devised for two reasons. Firstly, most data protection laws across Europe are woefully out of date. Think about it; the Data Protection Act became law in 1998, when the internet was still practically a baby and Mark Zuckerberg was only 14. The majority of our data protection laws were written before social media, Big Data and election-rigging Russian bots.
Secondly, before GDPR, each European country was free to write their own data legislation. That meant that privacy laws varied widely between countries, which made conducting business internationally a bit of a ballache. So the GDPR was introduced to bring consistency to Europe’s data protection laws.
Great. Why should I care?
The GDPR is a mammoth piece of legislation, and breaking it could incur fines of up to 20 million euros, or 4% of annual turnover, whichever is greater. It encompasses a lot of things, from how you store data to how you report a data breach, and a million other boring (but important) things in between.
But the thing that’s really interesting (okay, I use the term ‘interesting’ loosely) about GDPR – the thing that makes it important for you and me and Auntie Jane Cobley – is that the GDPR introduces a whole set of robust rules around consent.
Under the GDPR, anyone who wants to collect, store, use, and process data must have your explicit consent to do so. That means if Facebook wants to sell your data to Russia, they have to ask you. If the hairdressers you went to once wants to send you a promotional email, they have to ask you. If your local takeaway wants to sell your data to a PPI company, they have to ask you.
Isn’t that already the case?
Technically, companies already have to have your consent to process your data. But the way they gather your consent can be pretty sketchy. Think hideously long Terms & Conditions that everyone knows you’re not going to read, and pre-ticked consent boxes on online forms that you always forget about.
Under GDPR, none of that is allowed. According to the ICO (the people in charge of upholding the GDPR in the UK), consent must be ‘unambiguous’ (that means you know exactly what you’re consenting to), ‘positive’ (that means you have to actively consent to something, rather than having your consent assumed as default) and ‘freely given’ (that means they can’t force you to sign up to their mailing list in order to get the product or service you want).
It also has to be easy to understand (no legal jargon) and unbundled from the Terms & Conditions – so you can’t accidentally give Facebook permission to use your data to influence political elections just because you didn’t read the Terms & Conditions.
So what does all this mean for me?
Well, it should mean a lot less spam, for one thing. The reason you’ve been getting a thousand and one GDPR emails in the last few months is because companies are only allowed to contact you going forward if they have GDPR-level consent from you. That means anyone who used pre-ticked boxes or confusing Terms & Conditions to get you on their mailing list will no longer be allowed to email you unless you agree they can.
More importantly, it means you have control over your data. You control who has it, and what they’re allowed to do with it – and, importantly, you can change your mind at any time. Under the GDPR, every citizen has the Right to be Forgotten. Which means you can contact any organisation who holds data on you and ask them to completely erase you from their systems. Not just mark you as inactive, or remove your public Facebook profile but keep all your data on the systems – actually, fully, 100% forget you.
The GDPR means consumers – ordinary people like me and you – are once again at the heart of the internet, rather than just being a resource for companies to mine data from.
But wait – what about Brexit?
The GDPR applies to any EU member state – but it also applies to any business that has customers in the EU. Which means that even once we leave the EU (*sob*), British businesses that want to operate in the rest of Europe must be GDPR compliant.
The GDPR laws were also four years in the making, and the UK was involved in making them from the very beginning. Most experts agree that even when we leave the EU, we’ll adopt our own updated data protection laws that mirror the GDPR. Because why stay in the EU when we can leave it and just do what the EU says anyway?
Ultimately, GDPR might seem confusing and boring and completely irrelevant, but if you’re a person who uses the internet and cares about how their personal data is used, the GDPR is unequivocally a good thing. Even if it’s a pain in the arse for people like me who work in data-led marketing.