There are no problems, only opportunities. So goes the saying that is either a mantra of optimism or a trite business cliche, depending on your point of view. But it’s a phrase that could have been coined for the EU General Data Protection Regulation (GDPR), a shiny new piece of legislation that galvanises the ‘problem’ and ‘opportunity’ camps.
As you might expect of data protection measures, the individual is at the heart of the GDPR. It’s an opportunity for us as consumers, users, people, to take back control over our data and to be able to go about our business with greater protections over our privacy. As such it embodies the key values at the heart of the Internet Of Me.
These are significant changes to the status quo – we’ll come back to the major ones a bit later – with huge ramifications for businesses, so it’s perhaps easy to understand why many feel this is an ‘opportunity’ they could live without. Yes, the GDPR will bring a lot of extra administration that will cost money.
But then, the status quo is what is holding back the burgeoning personal data economy from reaching its full potential – a broken model of low quality data sucked up, traded, profiled and spat back at us in the form of tracking and targeting that does long-term damage to trust and engagement.
What the GDPR offers is an opportunity to do things better. It’s not a question of the advantage either lying with the consumer or businesses when it comes to data. There is a balance to be struck where both sides benefit. The power the GDPR gives to the consumer is the opportunity for businesses.
Weighing up costs vs benefits
But first, the ‘problems’. It’s easy to see that a mass of bureaucracy from Brussels might not top many executive wish lists. And at 200-plus pages, the sheer size of the documentation might be a problem in itself for some. What those pages contain can seem onerous, certainly from a financial perspective.
Organisations must demonstrate far greater responsibility over how they handle data including carrying out audits and reviews and very possibly being obliged to appoint a data protection officer. Taking steps to reduce the risk of breaching the GDPR are vital, as failure to comply carries heavy penalties including fines of up to 4% of global turnover. Data must be processed not only lawfully and fairly, but also with transparency.
Being seen to comply is as important as complying.
Yes, these are overheads that might not have existed before, but processing personal data is always going to cost businesses money. Working within the framework of the GDPR will actually reduce many such costs. This is mainly because anyone doing business within the EU will now have a single bureaucracy to deal with rather than the myriad bureaucracies of the 28 member states.
And then there are the rights and powers the GDPR gives to you and me – the individuals whose data it protects. We must give clear consent before our data can be used – and have the right to withdraw that consent. The ‘right to be forgotten’ means that organisations must delete information if we do withdraw consent, if the data is no longer needed for the purpose it was collected, or if it otherwise breaches the rules of the GDPR.
Organisations must tell us if our information is hacked. Our data should be portable so we can take it to a new service provider without losing any of it. Information should be clear and straightforward, not obscured in the turgid small print of lengthy privacy policies. The measures do not stop there – there is more detail on individual rights under the GDPR on the digi.me blog and pleasingly clear legal explanations of it all here, courtesy of law firm Bird & Bird.
So these new rules might appear to some like yet more hurdles and red tape for businesses to clear – but then, just think about the alternatives to these key principles of the GDPR. What is the case for a business to use a person’s data without their consent? Or to refuse to be transparent about how it will be used? Or to gather more data than is necessary for the specific reason it is being requested? Or to object to removing data that is wrong, irrelevant or no longer necessary? How can failing to tell someone their data has been breached be seen as anything other than a cover-up?
Ultimately, what is the argument for not taking the handling of personal data seriously? What is the case for refusing to act in the interests of consumers?
There’s gotta be a better way
It comes down to whether businesses believe the current way of doing things is sustainable. Whether grabbing people’s personal information by any means necessary, hoarding it, trading it and using it to stalk consumers around the internet is something that is going to deliver long-term success.
The mountain of evidence to suggest that it won’t grows by the day. The popularity of ad blockers continues to soar, with the number deployed globally surging towards 300million, costing publishers £22billion a year. The number in the UK alone is expected to hit almost 15million by next year. And it’s going mainstream, with mobile operators such as Three making the option for blocking a feature on smartphones and Apple adding it as an option in iOS. Blocking ads, stopping tracking, and going incognito while browsing the web are all clear indicators that more and more people do not want their data to be mined while they are online, nor do they want to be stalked by targeted ads.
The ad tech industry currently represents a model that is broken and leaking toxic waste into the rest of the data economy with damaging consequences for what otherwise promises be an exciting future.
The EU GDPR goes some way to offer opportunities to fix it. Being honest and transparent with people about how their own data is used is clearly such a better way of doing business that it seems like stating the obvious. Who would rush to do business with a company that thinks otherwise?
But the biggest difference the GDPR will make is the amount of control that it gives to people. Central to that is consent. Again, to say that it is better to use a consumer’s data with their consent seems obvious – and makes the alternative sound deeply suspect. But it’s about more than niceties. When someone grants permission they are acting consciously, becoming an active participant rather than a passive source of data to be pillaged. Permission equals engagement. And engagement is the ultimate goal here, isn’t it? Businesses want to better understand and reach their audiences and potential customers. When those potential customers block ads and prevent tracking the only active thing they are doing is disengaging.
Honesty, transparency and permission are solid foundations on which to build relationships with consumers where trust and loyalty replace suspicion and frustration. And a level playing field where these principles are expected of all players? That looks like a real opportunity.
Now imagine if those consumers owned and held their own data rather than just exercising the control over it offered by the GDPR. That data becomes far deeper and richer for being brought together – a complete picture of the individual that epitomises a true Internet Of Me. When businesses can ask permission to us that data the opportunity becomes golden.