GDPR: Still Misunderstood
“And, I pray thee now, tell me, for which of my bad parts did thou first fall in love with me?”
– William Shakespeare, Much Ado About Nothing, Act VI, Scene II
“If I said I was madly in love with you you'd know I was lying.”
― Margaret Mitchell, Gone with the Wind
It has never been said that marketers love industry regulations, but this love-hate relationship with GDPR just keeps on giving. In spades.
The Global Data Protection Regulation is a law ratified by the European Commission in April 2016 that is designed to protect European citizens from the evils of online profiling by allowing the public to control what data organizations can collect and use. Yet the regulations were written to extend beyond the European Union borders. No matter where European citizens should find themselves, either physically or virtually, GDPR protects them.
We love the fact that GDPR carries hefty fines for transgressors, because we all want to see the bad guys get what’s coming to them, yet we hate the fact that neither the European Commission nor the EU Parliament was GDPR-compliant after the two-year grace period. The European Commission even went so far as to say that they are above the law.
Here are a few more reasons why we love (and hate) the Global Data Protection Regulation.
Love It: GDPR Gives Power to the People
We have seen rampant abuse of, and damage to, average citizens when large dossiers are kept, especially by credit bureaus (see Facebook and Equifax in the U.S.) and governments. And nobody seems to be holding them accountable.
It is undeniable progress to give individuals more control over their data across the internet, and to allow those individuals to correct it or to request it be removed entirely. GDPR provides the “right to be forgotten” and the “right to rectification,” among other new rights.
GDPR is truly a step in the right direction, shifting the power back into the hands of individuals (called “data subjects”) so that people aren’t merely seen and treated as commodities just to get to their data.
Hate It: GDPR Ignores the Rest of Us and Real Technological Solutions
What gains the GDPR provides in protecting some victims from needless or illegal data collection are quickly overshadowed by the simple, but onerous, requirements that it imposes upon the rest of us who use the internet day by day, going about our merry lives.
I’m referring to the privacy notifications, sometimes called “cookie bars,” that show up at the top, bottom or side of the browser or even as a pop-up the first time you visit a website. The notifications are just begging to be dismissed, right?
This is a classic user experience problem. Much like the cacophony of medical device alarms in a hospital room, the notification bars and pop-ups demand to be dismissed, or worse, ignored. GDPR is perpetuating the internet “noise” that the EU Privacy Directive set into motion years prior. And it doesn’t take a Juris Doctor to tell you that more noise results in less attention (we actually teach this to our children).
There is a growing list of technological solutions out there, though: browsers’ adblock and privacy extensions are a couple of examples (see uBlock Origin and Privacy Badger). And Apple Safari, with the release of Intelligent Tracking Prevention, is just one of several consumer internet browsers to shine a spotlight on users’ privacy. But no complex legislation was needed to build these tools.
Love It: GDPR Leads the World in Privacy Rights
It has been suggested that GDPR, like the previous European Data Protection Directive, is the latest vanguard for global privacy rights, laying the foundation on which other governments will write their own (similar) legislation, protecting their own citizens.
And someone had to take the first step. And it’s a beast of a problem … because globalism and e-commerce and all. It’s not altogether clear which laws and regulations apply in which jurisdictions when computer systems span multiple oceans and societies. But GDPR helps to solve this by creating a framework, and what some would describe as a global law.
We’ve known for years that we need to change our expectations for privacy and how companies and industries think about and treat people’s personal data. We’ve been waiting for a superhero to come along and save us from ourselves, and GDPR is the superhero who walked out of the phone booth.
Hate It: GDPR Doesn’t Build Consensus
You’ve heard it said, “when in Rome, do as the Romans.” We all know that when we cross a border, we will have to change our attitudes and actions based on a new set of expectations (and even laws). And these differences are what make the experience of traveling to other places so exhilarating and exciting.
But what happens when one government demands to enforce its laws and norms through other governments? Should an American assume that American laws and cultural norms will govern himself or herself in Spain, India or Thailand? These have formerly been rhetorical questions and classroom thought exercises, but are now very real considerations.
The way that the world has historically solved global problems has been with consensus-building so that a plurality of governments (and judicial systems, by extension) are on the same page, but GDPR only offers a unilateral approach. If such a global problem truly demanded a proper global response, then surely global consensus would have been an appropriate approach.
Fortunately, as written, the legislation does provide some loose guidelines for non-European organizations to determine if they could be in the enforcement cross-hairs: the language used on their website, the top-level domain name (like .fr or .it instead of .com), the currency they display and mentions of specific European clients and customers in their website content.
As a marketing agency, Nebo cannot offer legal advice or give clients legal advice as to how they could, or should, comply with the GDPR legislation. But at Nebo we do have some amazing design expertise, and we believe in building user experiences that astonish our clients and their customers, no matter what regulations they face … whether privacy or accessibility. Our human-centered approach aims to put the website visitor first, taking into account their needs, desires and aspirations, which includes privacy rights. And, gosh darn, we’ll just keep doing that!
Disclaimer: this article is an opinion on a complex legal issue and cannot be construed to be legal advice. Consult a qualified legal counselor for questions about the Global Data Protection Regulation or other regulations.