Disclaimer: this post expresses my personal opinion, which might not necessarily match the ones of past and current employers, clients, or business partners. It is also subjective and might contain assumptions which are factually not correct. Please, always refer to the official documentation, and let me know if I need to add corrections.
I bet you don’t really know what GDPR (in German, Datenschutz-Grundverordnung (DSGVO)) is, but if you live in the EU, you sure have heard people talking about it. The closer the end of May approaches, the more people will start mentioning it. Chances are, if your business has anything to do with serving users or customers online, it has probably gone through setting up a GDPR-compliance plan. But what is really this GDPR thing, and why are businesses so concerned about it? Let me try to explain.
The European Union has always been overprotective with regards to protecting the rights of European citizens online. And, perhaps, for a good reason. Our privacy has become a currency. We have given part of it up, in exchange for products and services that look seemingly free on the surface. Their creators monetize the development of those products and services, as well as the ongoing operations, by providing a portion of the data their users provide, to third-party businesses. Granted, no one is really interested in singled out data points, so this data are usually aggregated per gender and demographics group. Second, due to data-protection laws that pretty much every country in the world has implemented, these data are almost always anonymized.
Anonymity is however a term that different entities interpret in different ways. Some consider hiding the real name and address enough, while others go as far as protecting all forms of reaching out, both physically and online.
Another very serious concern is that user data rarely gets fully erased, even upon the explicit concern of the user. Often, it gets anonymized instead, but kept inside businesses’ databases for historical and statistics reasons. Having mentioned the various degrees the term anonymity encompasses, it makes one wonder how much information tracing back to the user is actually left after deleting. With the ever increasing security breaches, it is something that should be taken seriously than thought of as a minor nuisance.
All of this has led the European Commission to reconsider the way entities collect and keep the data about their customers. It is in the process of implementing the General Data Protection Regulation (GDPR). When it finally gets into effect, GDPR will further restrict the access to personal information. It is a unification and extension of existing privacy protection laws across the EU countries. It also applies to entities operating outside the European Union,so long as they collect and keep data of EU residents.
I won’t go into detail about everything that GDPR provisions. Here are a couple of the most important points that are worth mentioning:
- A user’s right to get their profile and all the associated data deleted. When I say deleted, I don’t mean anonymized, but really, disposed of in a permanent manner.
- Put simply, if you run an online business in the EU and I’m your customer, I have the right to get my data deleted from your servers, unless this infringes an ongoing contractual obligation. Businesses need to provide a clear and concise way of doing this.
- Extends and standardizes the notion of “sensitive user information” across jurisdictions that deal with EU citizens. When put in place, this should ideally remove some of the inconsistencies regarding what should be considered sensitive and what not.
- Adds increased transparency over who has access to sensitive data and who hasn’t. This should be a concern to companies, where access to the shared database is shared among employees. Those companies should make sure to provide restricted employee access to the sensitive user data, logging at best the times when these data were accessed.
- Requires businesses to obtain an explicit permission from their users, with regards to how online communication proceeds.
- In simple terms, the old opt-out would have be replaced by an explicit opt-in on the side of the customer, especially when it comes to non-direct contractual communication (promotional newsletters and notifications) Where companies used to open a direct line of marketing communication as soon as a user signed up, they would have to explicitly request from the user to agree, before sending him promotional materials and unrelated information.
- Of course, there will probably be exemptions of this rule, when it comes to direct contractual communication (e.g. information regarding the buying or selling of a particular product or service)
If I haven’t managed to bore you to death by now, let me just briefly share my two cents on the whole story. I can clearly feel the pain of businesses, having to add all this rules into their processes. The company I work for, communicates with thousands of customers on a daily basis. Having to implement all the measures might look like a setback, and perhaps, even a technological progress blocker. Ultimately, though, as an EU citizen having hundreds (if not thousands) representations online, I believe that this step is ultimately for the better.