After more than two years living and working with GDPR, I have seen a lot of frustration from companies, been in meetings with lawyers, and received an avalanche of emails asking me to confirm my consent. All of this shows but one thing: GDPR is working as intended!
Most people started noticing the effects of GDPR when their inbox filled up with emails that all stated something like this:
We value you and your privacy. Due to new EU regulations (known as GDPR) we need you to confirm that we can continue sending you emails, newsletters, marketing and the like.
Please click the link
People were understandably annoyed with getting 200 of these every week. But they demonstrated something important: all of these companies had reached the conclusion that they did not have their customers' "explicit and informed consent" to continue sending them emails. GDPR forced them to make this clear, and to give all their customers a real choice in whether they would like to get marketing from them in the future.
The same goes for the more "complicated" process you now go through when you sign up for a service or buy a product. You almost always have to decide whether you want a newsletter, if the company can send you text messages, or if you have any issues with their salespeople camping out in your garden for a couple of weeks. Previously these things just happened, and if you complained, someone would happily point out that on page 142 of the terms and conditions you had given the company the right to do this. Thanks to GDPR, you now have a real choice!
For those of us working with software development, there has been a boom of discussions regarding personally identifiable information (PII). "Is this piece of information PII?", "Are we allowed to use this information for that purpose?". In the days before GDPR, these questions might never have been asked, but now they are front and centre in any new feature, and in re-working old code. Developers and product owners can no longer choose to ignore the privacy implications of their decisions.
This focus has been brought in by the uncertainty for businesses, fearing that the EU would knock on their door and demand 4% of their yearly income. This has proven to be the stroke of genius that made GDPR work so well. The only thing that can truly motivate a corporation to take action that is not directly aligned with increasing revenue is the threat of fines that actually matter. If the fines had been capped at some arbitrary level, the biggest companies could just view the fines as the cost of doing business. But with relative fines, this is just as scary to the board of Google as to the board of some small-scale business.
The opponents of GDPR will tell you that it places an undue burden on businesses, stifles innovation, and makes the EU less competitive than the rest of the world. That can only be true if the businesses you are thinking of have a business model that is in direct opposition to privacy. Sure, if the only way you can make money is by selling my location and interests, you may have problems making a buck, but that is the whole point. The EU does not want you to be able to profit off of my personal data, at least not without me knowing about it and consenting.
And if you are not convinced that the GDPR is actually protecting your data, take a look at what Facebook did after Brexit. Facebook earns its money collecting and selling as much of your personal information as possible. They will be moving Facebook users in the UK to American jurisdiction, free from pesky privacy laws and user protections.
If all this GDPR-talk made you a little bored, I'll recommend my favourite GDPR-themed playlist: