The multifarious effects of GDPR
The General Data Protection Regulation (GDPR) is a milestone in the regulation of data and privacy of individuals residing in the European Union (EU). It is an instrument that establishes the minimum level of personal data protection throughout all 28 EU Member States. In that sense, individuals’ names, photos, posts on social media, and personal IP addresses fall within its scope. In addition to the processing rules, GDPR “gives” individuals in the EU the right to be forgotten online. This implies that all personal data will be erased as soon as this right is invoked. The Regulation also addresses the policies on “exporting” personal data outside the EU.
In April 2016, companies and organizations were given a two-year grace period to prepare for the implementation of GDPR. Thus, by May 25th, 2018, they were expected to create transparent procedures for their data privacy settings and to engage in data mapping solutions in order to establish secure options for storing private data and erasing data upon request. From May 25th 2018, civil fines for GDPR non-compliance could be enforced. The fines range from $20 million to 4% of a company’s annual income. These civil sanctions can affect any company or organization and smear its public image.
Social media platforms operating in the EU are also mandated to create opt-in programs for giving consent on sharing individual’s information. This includes ensuring that there are no pre-selected boxes on social media platforms allowing individuals’ data to be mined or shared from their profiles. GDPR has also impacted the social media marketing strategies, since marketers’ abilities in obtaining personal information from EU individuals have been substantially hindered. Social media marketers relied heavily on customer analytics to predict consumer behavior through the use of ads and direct mails. With the Regulation coming into force, digital marketers need to have persuasive and creative strategies in place for attracting EU individuals. More importantly, they have to provide clear privacy settings explaining the steps of the data collection procedures. Finally, they have to persistently educate users about their new rights and requirements.
According to the new rules, when personal data is processed with a person’s consent, this consent needs to be based on an informed decision and expressed through an affirmative action. Every user must carefully read the terms and conditions and optimize their privacy settings so that platforms do not process and disclose to third parties data that has not been subject to user consent. In 2019, 27000 Europeans were asked about their social media habits: although majority of them did try to change their privacy settings (56%), there is still a large share that did not (43%). The main reasons for failing to do this are that people trust social media platforms to provide appropriate privacy settings, or they do not possess the knowledge and skills to change the settings themselves.
Experts also predict that GDPR will have a massive impact on future technology development. Compliance with GDPR can be considered a strategic opportunity for gaining a competitive edge in the contemporary data-driven world. Since GDPR has strict norms for data controllers and processors in the ways in which they must handle personal data (including data protection by design and default and recording all processing activities), organizations will have to conduct a thorough internal assessment for their technology platforms and data architecture and set various information systems (websites, databases, data warehouse and data processing platforms) to better understand which personal data have been collected and where it resides within the overall architecture. To meet these requirements, companies need to invest a lot of manpower and resources in upgrading their technology platforms, updating the privacy policies, changing the advertising practices and adjusting the data storage and processing procedures.
GDPR also affects the development of Artificial Intelligence (AI) applications by increasing the costs of their design and limiting their application scope. For instance, Article 13 and 22 of GDPR require that certain algorithm decisions need to be reviewed and explained by humans. Such restrictions greatly increase the labor costs and break the inherent balance between accuracy and transparency.
American and Chinese companies experienced significant impact from the GDPR implementation. Being the two leading global economic powers, both US and China have developed complex business relationships with many EU companies. According to the PricewaterhouseCoopers survey, 68% of American companies are expected to spend between $1 million and $10 million to meet the GDPR requirements, and 9% are expected to spend more than $10 million (PwC, 2017). Such high costs will eventually be passed on to consumers and may even weaken the competitive advantage of Chinese and American enterprises. Some of these companies have already taken the necessary actions to comply with GDPR. For instance, Huawei, the Chinese telecommunications giant, has appointed data protection officers, whereas YouTube has stopped supporting third-party advertising services on reserved buys in Europe after May 21, 2018. Unfortunately, GDPR has also produced negative consequences for the businesses. Yeelight, a large smart-lighting device company in China, announced that it will no longer provide services to European users. Facebook and its subsidiaries WhatsApp and Instagram, as well as Google, were immediately sued for their “forced consent” just hours after GDPR came into effect.
The GDPR strict requirements for securing personal data bring the opportunity for companies and organizations to establish new types of relationships with their customers. In the recent years, scandals about personal data security and vulnerability, and cases of improper use of personal data have aroused general concern. Although GDPR may create barriers and challenges in some aspect, those who are successful at following its rules and prescriptions are more likely to gain the trust and respect of their users, which is a valuable asset for their future activities.
Compiled by Media 21 Foundation (2019) from:
- The Impact of GDPR on Global Technology Development
- Take control of your virtual identity