On May 30th 2018, I received one final GDPR email, five days after GDPR was implemented. It was the last of only twenty-eight, compared to PWC’s estimated national average of around 100.
GDPR reassesses how user data is used and protected
The General Data Protection Regulation comes as the first large-scale overhaul of data protection rights since the 1990s. The changes it implements reflect the unprecedented directions taken by users and business with regards to the ease of access to information. GDPR reassesses how user data is used and protected by data ‘controllers’ (people who determine the use of personal data) and ‘processors’ (the people who process that data). In other words, these regulations target companies who hold your personal data. Processors are now to be held liable for any data breaches and must report them as soon as possible, while controllers must now guarantee contracts with processors follow GDPR law.
But to those of us who are neither data controllers nor processors, GDPR has become a buzzword. Complaining about the number of GDPR emails you received was generally the extent to which members of the public interacted with this legal upheaval. Given the response on Twitter, I wasn’t the only one sighing when I’d see one in my inbox – as if these emails were somehow more offensive than any other digital newsletter.
Of the twenty-eight emails received, I can’t remember opening a single one of them before marking it as ‘read’. The fact that many responded to such significant data protection changes in a manner similar to receiving a spam email indicates two things: 1) no one likes email, and 2) we’re still in the dark about what these changes really did mean for us.
GDPR grants new rights to ensure we have full access to any information we may have given away
Personal data is defined as any information which may result in the user being identified. This can range anywhere from date of birth to fingerprint scans. GDPR grants us new rights (and strengthens existing ones) to ensure we have full access to any information we may have given away. For example, you have the right to know how your data will be used. As a result, you may request to delete any useless or unused data about your person. Any request you make to an organisation must be returned within a month or responded to with valid reason.
Sensitive data has its own rules. This data – revealing ethnic origin, beliefs, health information and genetic data – may be used under strict circumstances, but generally not without your explicit consent.
These GDPR emails were tiring because they all relayed this same information. Seemingly a refreshing reminder of your new data protection rights, followed by a quick reminder to re-subscribe to their mailing list. Given the culture shock caused by Channel 4’s Cambridge Analytica exposé, our irritated (bored, even) response is a key reminder that, although we hand it out with much consideration, we may not be as savvy with our personal data as we would have thought.
Were we wrong to ignore those emails? It depends on who you ask (or where you read), but generally, no.
for organisations, GDPR represents a shift in liability
For organisations, GDPR represents a shift in liability for protection of user data. For us, it is little more than an opportunity to refresh your digital footprint (or the best shot at doing so, at least). In most cases, your data will be removed from email subscription lists and your inbox will feel lighter for it (although it may have been worth consenting to the GDPR emails from the services you enjoy hearing from).
It is fitting, though, that years upon years of automated newsletters, prize draws and special offers should come to end in one ginormous wave of almost-but-not-quite spam emails.