Protection for the People
From May 25th, EU firms wishing to handle client data will have to comply with new legislation, snappily titled the General Data Protection Regulation. You’ve likely heard it being called GDPR.
This change to how private firms gather and look after customer data is the largest shift in over 20 years of EU policy. GDPR will replace the EU’s 1995 data protection directive and the UK’s 1998 Data Protection Act, both created way back when the Internet was getting started. Given the explosive growth in all things relating to the Internet, this upgrade is timely and necessary.
When it comes into play, a host of companies will be affected, especially those in financial services. Many have been slow in assessing the risks posed by mismanagement of client data. Not any more. The roll-out of GDPR looks set to return online power to the consumer.
GDPR will redefine how the Personally Identifiable Information (PII) of EU residents is treated. Experts say it’s the most complex piece of legislation that the EU has ever introduced. Made up of over 99 articles and 173 preliminary comments, GDPR will, the EU says, ‘harmonise’ data privacy laws across Europe, as well as offer greater protection and power to individuals.
The 99 articles focus on providing new rights for individuals and obligations for organisations. These include giving people better access to the data a company holds about them, an obligation for companies to gain consent from those they want to hold information about, and a new fines regime, under which rule-breakers can be fined the greater of €20m or 4% of global sales.
GDPR aims to clarify where PII is stored in any given organisation. For this to be effective, it requires all businesses to conduct an inventory of how information is collected and used. And the legislation isn’t static. A company must constantly update its approach, proactively using technology and in-house resources (data protection officers, for example) to stay up to date.
The legislation also reaches beyond Europe, applying to businesses around the world wanting to collect data from EU residents. Further, the UK is implementing its own Data Protection Bill, which includes GDPR provisions. So post-Brexit, we will still have to comply.
Business as usual
Whilst the legislation is far reaching, here at Origin we’re not directly in its firing line. GDPR was crafted to assess companies’ handling of PII, of which we hold very little, other than our inventory of business email addresses and phone numbers for our users. We’re not gathering, storing or analysing individual consumer data.
The only updates we’ve made are to our contracts, making sure that we’re treating our clients’ employees’ personal data correctly, and ensuring all of our subscribers ‘opt in’ to our regular news and views emails. Compared to our fintech friends in consumer-facing sectors, we march on relatively unchanged.
Why GDPR is interesting
Whatever business we’re in, GDPR is significant. It could signal a wider change in how companies interact with prospects and clients. For too long, the rights of consumers have been a secondary concern to profit and growth. Some aggressive companies, especially, it has to be said, in fintech, have tried to expand at the expense of correct procedure. This must change.
Recently, with data leaks at the likes of Yahoo! and scandals involving Facebook, consumers have become increasingly aware of both the boon and the burden of technology. Every day, we all trust providers – social media companies, dating apps, banks – with swathes of valuable, private information. We assume it is safely stored. In truth, we don’t actually know if it is.
GDPR should help here. The implications it will have for companies that consider data their core asset will shape the technology landscape for years to come. If we’re seeking to build a safer, more efficient and more sustainable tech-led world, this should be a good thing. The EU is leading the way, but it’s likely that other global jurisdictions won’t be far behind.
One knock-on effect could be the end of the Internet’s “Grand Bargain”, in which we give up data in exchange for free experiences and content. Are we willing to accept this change? Do we really want to start down this road? Given the scale of the scandals we’ve seen recently, some retreat is necessary, although how much remains to be seen. A middle ground – facilitated by progressive regulation, like GDPR – is likely a good solution for now.
Transparency is crucial for the next stage of growth of the Internet and the global economy that depends upon ‘too big to fail’ tech giants. The Internet’s explosion over the last two decades has been astronomical, and so it’s no surprise that regulation has taken time to catch up. If growth is to continue, progressive regulation is vital, putting consumer rights above the wants of corporations. But, if that is to happen, consumers must be willing to pay a price, too.