On Friday, citizens of all European Union member states woke up to a new regulation to protect their data. It had been building for weeks; no doubt most of you had received requests in your inboxes for permission to continue to hold your data from organisations you’d long given up trying to unsubscribe from. There is some debate about whether these emails are even necessary, especially if, during the original signup process, the company requesting that data had already followed the procedure now required by GDPR (even if unwittingly).
There is little to be concerned about for consumers, at least from the perspective of how the new regulation is going to apply to all of us. It has, however, annoyed a lot of people who now cannot access certain websites, particularly those based in the USA. Despite being a regulation to protect EU data, any entity (that includes government, corporation, small business and media outlet), no matter where it is in the world, is required to abide by GDPR if it wants to handle, store and use protected data of any EU citizen. Simply – if you want to trade in and with our data, you have to abide by our rules. I’m not sure how the EU will enforce GDPR on organisations not based in the EU, but that’s for them to figure out if they haven’t already.
I’m Taking My Website and I’m Going Home!
We should not be directing our anger at the European Union over this, especially those of us who live in an EU member state. The world has had two years to be ready for this and in a globalised world, there is a need for organisations based elsewhere in the world to comply with localised regulations and laws. That has always been the case. However, when you see that some large American companies have now simply blocked access to their websites (some say this is temporary), several red flags should now be raised in our collective minds:
- Cutting off anyone located in the world’s largest trading bloc seems rather childish (throwing toys out of the pram, as we say in the UK – or simply having a big sulk) and damaging to their business at the same time in this global world where anyone who wants to can access almost any news site anywhere in the world.
- It makes you wonder precisely what they have been doing with user data; it suggests that, whatever it is, they have no intention of changing their practices. If it is the case that they’ve been trading data in a way that might be illegal under GDPR then I’m glad I no longer have access to these sites.
- Cutting off sites does represent a fundamental misunderstanding of geography. Even if an EU citizen travels outside the EU, their data should be protected. So, if you are a Brit going on holiday to Florida later this year and you access the internet there, any website you access must be GDPR compliant.
Others have taken a more pragmatic approach, offering people in EU member states the ability to access a plain text version of their content if they refuse to allow international websites to harvest their data. This is perhaps a happy medium but still makes me wonder whether this was a lot of effort compared to the simple act of changing their policies on data acquisition and putting into place the simple steps for adhering to GDPR, even as a non-EU organisation.
In the wake of the Cambridge Analytica scandal, we all need to be much more aware of protecting our data. In that, GDPR has perhaps come in at about the right time. The next few months are going to be interesting.