Who doesn’t love an acronym? Well, here’s a new one for you: the GDPR. If it’s not already a familiar combination of letters, it will be very shortly.
So, first things first then. What is it?
Yes. Good point. What we’re talking about here is the General Data Protection Regulation: new regulation about the use and storage of personal data for EU members. It was rolled out in 2016, but the final deadline for adoption is May 25, 2018 – a date that should be in everyone’s diary, if it isn’t already.
That sounds kind of important…
Absolutely. Given the amount of personal data that is collected online, there’s quite rightly a concern about how that data is being managed and shared, and this regulation addresses two main issues:
The first: up until now there has been a lack of consistency in how data is collected, used and stored across the EU. The resultant regulation will make data protection procedures more or less identical across this area.
The second is that it puts EU citizens back in control of how their personal data is being used. The issue of transparency is an important one and at the heart of the regulation.
Why now? What’s it replacing?
The Data Protection Directive of 1995. Clearly a lot’s happened in the intervening 20 years: the amount of data now available for collection is one thing, the multitude of ways to collect it another. A key difference is that the old directive could be interpreted and implemented differently by each country. The GDPR is enforceable law that will be implemented in the same way across all EU countries.
What constitutes personal data, then?
Well, while things like bank details and addresses are the obvious responses, really it’s anything – or any combination of data – that is unique enough to identify you. A phone number and IP address might be enough to do that, but so might a combination of other, less obvious data. To take CI’s Chief Data Officer, Ilija Susa’s, point: “The name ‘James Smith’ cannot be considered to be personal data as there must be hundreds of people with that name. However, if we know that he is 42 years old, from Belfast, has three kids, works in a bank and likes bowling, that’s pretty unique and specific and would be enough to identify him.”
It’s a point well made: the more data available, the more likely it is to be able to identify individuals.
This is starting to sound pretty serious…
Absolutely. The regulation reinforces the belief that data is the property of its owner, and as such should be treated accordingly, with their permission. The regulations aren’t there to prevent data collection, but rather to ensure that the individual (what we’re referring to as the data subject) has given their consent to its use, and that it is being used within those agreed terms.
Let me get this straight then: if I’m an EU citizen and I contact a company, they can’t sign me up to receive marketing emails without my say-so?
Yes. That’s certainly part of it, and it sits within a broader need to improve the UX so that users are aware of how their data might be used in future.
Simply put, is this about putting the onus on people to ‘opt in’ rather than relying on them to ‘opt out’?
Yes, it’s about making the entire process more transparent. UX has a lot to do with that by making it as simple as possible for people to understand how their information may or may not be used.
It’s a regulation, not a directive, which in non-legalese means that it’s enforceable without national government legislation – so take note! You are responsible under this mandate.
Well, that’s cleared up the basics. Presumably there’s more to know?
Isn’t there always? We’ll be running a monthly blog series on this until deadline day: next month we’ll be looking at the rights of the data subject.