GDPR Post the 25th of May
GDPR Post the 25th of May
I don’t know about the rest of you, but I was very tired of getting emails that asked me either to read the new privacy policies OR to click a button to “opt-in” so that I could continue to receive material from an organisation post the 25th of May. And there are websites that I now no longer can get into as I guess the organisation has deemed that sorting out GDPR rules was too challenging so they just blocked non-USA (in the case of the company that has blocked their website) customer access.
Now that we are past the date when all organisations that have GDPR obligations should be compliant the legal challenges have started. First, as you would suspect, Google, Facebook, WhatsApp and Instagram have been targeted. European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given. They argue that your only choice was to delete the account or hit the agree button – that’s not a free choice.
While GDPR may not be perfect and some individuals and organisations believe that should have the right to keep their Facebook account and have all the benefits of GDPR in whatever configuration they want the legislation is significantly better in respect to protecting personal data than in most other parts of the world. Noyb’s main argument is about money. The issue at stake is whether the processing of data for targeted advertising can be argued to be necessary for the fulfilment of a contract to provide services such as social networking or instant messaging. Noyb is arguing that organisations like Facebook should seek separate consent to use your data to target advertisements.
While I have sympathy with the argument, I am also a commercial person. Why should Facebook or anyone else maintain a social platform with a limited ability to make money? And the very smart algorithms and analytics in platforms like Facebook are not giving your private data away – they are using it to market and sell to you a product that they think you would be interested in based on your behaviour, profile and website usage.
Different organisations have taken different approaches to meet the GDPR requirements. These range from: -
- Forcing you to re-opt into a newsletter or other service
- Blocking people from the EU altogether from a site – I got this message “you are not in a location that can access this site.”
- The US media network NPR to users that they could either agree to the new terms, or decline and be taken to a plain-text version of the site, looking for all the world like it had last been updated in 1996.
It almost felt like we were in the year 2000 transition process on Friday – in fact, it feels to me like more things stopped working globally due to GDPR than the year 2000 technology challenge. (NOTE – for those too young to remember – the year 2000 issues was many older systems were not written with four-digit year formats and so when it went from 1999 to 2000 the year coding would cause many problems and had to be changed in many different applications creating work for lots of COBOL programmers).
Whichever techniques your company opted to use there is a need to have a “post 25th of May” process to make sure that all of the future changes you make to technologies and processes continue to conform to GDPR.
Article by Mary Sue Rogers
References used: -