EU legislators were hailed as faithful consumer advocates when they drafted the legislation that would eventually become the General Data Protection Regulation (GDPR). That was a few years ago. Now more than two years into the May 2018 implementation, there are some genuine questions regarding just how effective the legislation is.
Consumers are especially curious as to whether or not the GDPR benefits them in any practical, meaningful way. It is one thing to peruse a summary of what the regulations are supposed to achieve, but it’s an entirely different matter to experience any perceived benefits first-hand.
There are also nagging questions about the lingering effects of the regulation here in the UK once Brexit is officially complete. We are now just a few months away from a full separation, with or without a deal. Thus, having access to a GDPR consultant in the UK after Brexit might be even more valuable than it is now.
What the GDPR Does for Consumers
Legislators decided nearly 10 years ago that modern technology had surpassed data security regulations implemented as far back as the 1990s. In order to bring regulations in line with technological capabilities, they wrote and passed the GDPR in 2016. It came into full force some two years later. Here’s what it does for consumers:
It Forces Consent – The GDPR forces companies to obtain consent from users before collecting, storing, and distributing their personal data. Consent must also be obtained in a clear and concise manner. In other words, organizations are not allowed to bury consent in long paragraphs of legalese users cannot possibly understand.
It Requires Documentation – Under the GDPR, companies must keep detailed documentation proving how they collect, store, and distribute data. Documentation must be furnished to regulators upon request.
It Gives Consumers Access – Consumers can request documentation detailing how their personal information is collected, stored, and distributed. Organizations must acquiesce to such requests in a timely manner.
It Establishes the Right to Erasure – Under the GDPR, consumers have the right to request complete removal and erasure of their data from all of an organization’s systems. Organizations must comply with such requests.
It Provides Opportunities for Correction – Consumers also enjoy the right to request inaccurate information to be corrected. Organizations are not allowed to knowingly continue using incorrect information once a correction request has been made.
It Provides the Right to Object – Finally, the GDPR gives consumers the right to object to how their data is used. How this particular provision is implemented at the organizational level is unclear. However, the right to object exists, nonetheless.
At this point, it must be made clear that the written language of the provisions may differ significantly from the actual experience consumers have. Consider obtaining consent, for example. The GDPR does not clearly define parameters for determining how consent can be obtained. What might seem clear to one consumer could confuse another.
It must also be noted that the practical benefits of the GDPR hinge on where consumer life, the websites he or she visits, and the companies the consumer normally does business with. A consumer who interacts very little with European entities may not notice any practical impacts at all.
Consumers Still Have a Responsibility
If there is any downside to the GDPR, it might be the fact that people have a tendency to assume all government regulations designed to protect them do so without any effort on their part. In other words, it could be possible that people believe the GDPR does all the work for them. It does not.
Consumers still have a responsibility to know and understand how organizations use their data. When visiting a European website for the first time, for example, it is up to the consumer to read the fine print before giving consent. That can take some time and effort. Checking a box or clicking a button without first understanding the details is to defeat the purpose of the GDPR entirely.
Individual responsibility will become an even bigger burden on UK consumers in the months following Brexit. Why? Because there may eventually be some notable differences in how the UK and the EU handle data privacy. Some differences might turn out to be significant enough to create genuine confusion in the minds of consumers.
Accountability Is the Key
When all is said and done, the GDPR’s practical benefits to consumers are rooted in accountability. This is one of the reasons legislators included the provision that forces companies to maintain solid documentation regarding their data handling practices. Companies must prove they are in compliance with the documentation they keep.
Consumers can file complaints if they believe a company or organization is not in compliance with the GDPR. Complaints are followed up by regulators who launch investigations and, where necessary, levy fines. The end result of it all should be a safer, more secure, and more private internet. However, the jury is still out.