go to ThinkTank

And through it all, she offers me (data) protection

The Cambridge Analytica scandal that rocked Facebook and forced Mark Zuckerberg to face US legislators and foreign parliaments highlighted one thing: data protection is under scrutiny, now more than ever.

As the new European laws on General Data Protection Regulation (GDPR) became effective, you have probably been emailed by just about every company that you have ever interacted with digitally.  For many of you, GDPR’s relevance will stop there – a brief inflation of the inbox, the occasional pang of nostalgia as you remember an independent coffee shop you went to four years ago but nothing more than that. 7 years in the making, May 25th signalled a new dawn for data protection. Read on for the ins and outs of the new regulation as well as a look forward as to what might happen next.

What is GDPR?

The rise of the tech giants has come hand in hand with a shift towards data collection and targeted marketing campaigns. Have you ever been surprised or even slightly scared at how well companies “understand your needs”? From a regulatory standpoint, the need for change was as clear as can be. In simplest terms, GDPR is a replacement for the 1995 Data Protection Directive. To describe this upgrade as long overdue would be a significant understatement.

Regulators across the EU worked together to demand companies reveal and/or delete the personal data that they have accrued over the years. They can issue fines up to the higher of €20m or 4% of the company in question’s global turnover – this can no longer be ignored.

What are the implications of GDPR?


One thing we can be sure of is that the largest impact will be on companies who have large scale data acquisition and exploitation at the heart of their business models. Consent from their customers to access and process their personal data now must be explicit and informed. Furthermore, this consent needs to be renewed if/when the use for the data changes in any way, shape or form.

For the GAFAs

Mark Zuckerberg, more than any other CEO, will now know the importance of getting this GDPR transition right. Facebook’s reputation took a severe knock in the wake of the Cambridge Analytica data scandal and cannot afford to be anything other than over-prepared and as transparent as possible. Notice the new ads?  It’s all about ‘when this place does what it was built for, we all get a little closer’. Its new unified privacy options and tools introduced to allow their 2.19 billion users to download the specific data held on them, check and delete it from the site, serve to remind people that this is a safe space to connect.

Apple has also introduced a privacy dashboard but has been very quick to highlight they had collected very little personal data over the years so their compliance with GDPR was no great hardship. Apple has also pre-empted the global shift by making the changes worldwide even though the regulation only applies to the EU.

Lastly, Google has taken a slightly different approach by attempting to fly under the radar and has updated its products and privacy policies with as little fuss as possible. However, this didn’t stop both them and Facebook being hit by monstrous lawsuits the day the regulation came into play.

For you and me?

Companies are no longer able to get consent to access the data of their customers through endless pages of terms and conditions that are jam packed with legalese and jargon. It now must be as easy to withdraw consent as it is to give it and the request must be clear and intelligible for the average customer.

Individuals must now be informed if a serious data breach occurs within 72 hours of the organisation first being made aware of the incident – this is a clear push for increased transparency as well as accountability, forcing companies who harvest customer data to invest heavily in cyber security.

The best improvement for individuals? Having the right to access the personal data a company holds about you for free and the ability to question its relevance and ultimately to have it deleted.

So, what now?

An interesting consequence has been a sharp increase in the demand for data protection officers (DPOs) and it is expected that 75,000 will be required worldwide.

Lawyers are also benefitting from its introduction.  The launch day was greeted by a wave of law suits against as individuals and companies locked horns over whether they have interpreted the requirements correctly. Most notably, Google and Facebook received a combined $8.8bn of lawsuits filed by Austrian privacy activist Max Schrems. Expect these battles to continue for the foreseeable future.

Lastly it is worth noting that there is considerable uncertainty surrounding the longevity of this regulation in Britain due to the impending yet somewhat unclear and increasingly chaotic Brexit. The government has however committed to maintaining it following Brexit. Theoretically, a future government could change the law again, but this is unlikely as any British company wishing to trade or do business with European companies would have to follow the legislation.

Through it all, it really does look like GDPR is here to stay – whether you’re right or wrong (to share your details online).

Next article is Does your brain mind?