A couple of days ago, Aviram Galim shared his thoughts on GDPR from the perspective of a very digitally savvy person who also highly values his privacy. You can read his article here.
When we shared the article, an interesting discussion was sparked. One of my LinkedIn connections, Adriele Gonçalo, asked me what my own thoughts about GDPR (General Data Protection Regulation) are and I answered, realizing that my own thoughts tie into concepts I have been carrying around, believing in and promoting since an early age.
This post will be my personal take and it will talk about concepts that are somewhat philosophical and go with me way back to my Political Science degree (see? I wasn’t always an Internet nerd!), so be warned… it’s not going to be (all) about digital and marketing, for a change.
First, here is what I answered on LinkedIn:
“A great, much needed and welcome step in the right direction. More than making organizations take responsibility, it raises the awareness of the public to issues they never thought of. The primary principle being “choice”. Tell me transparently what you are doing with my data, let me choose whether I agree or not. But to do that, I need to be able to understand. So legal and tech mumbo jumbo don’t cover their behinds any more. Regulations are not a bad thing, they don’t take away freedom. They merely force people to take responsibility. Thus, they actually return to you freedom you don’t really have now…. I also believe more industries must be regulated in the same way. Especially healthcare (“informed consent”…. Really? Show me one patient who actually understands, really understands all the procedures and consequences… And show me one doctor who, when facing a patient who researches and asks a lot of questions, doesn’t revert to the “I’m an expert, you need to trust me” approach) ; and food (with more than 50 names for MSG and more than 56 names for sugar, do you *really* know what is in the food you eat? You don’t.). I could go on but it will become a very looong reply :)”
The link between Freedom and Choice
Freedom is a concept people live and die for. They fight for it and about it, they define it in many different ways, but throughout my almost 44 years on this earth (there, now you know) I have come to realize that most people think they “deserve freedom”, that freedom should be “given” to them, that it is their “right”. You know what? It is. It is a basic right and I will not argue with that. But you have to be very naïve to think that you can attain any degree of “freedom” in any aspect of your life without taking some responsibility. In other words, Freedom is not about “doing whatever I want”. It’s about “Doing what is right for me when it’s right for me”. Now, to do what is “right for you”, you have to be able to know what that thing is, which means: know the alternatives, understand them, weigh them and decide. Make a choice. An informed, aware choice.
Responsibility – it’s up to you to know
The last paragraph is, in fact, a concept I was developing for my thesis way back when… but never got around to finishing it. I will not post the whole paper here, no worries. But I do want to talk about the link between the Choice you have to make and “responsibility”. Most people think that when they choose something, whether it’s to buy this shirt or another, to buy this brand of food or another, to vaccinate their child or not vaccinate, to vote for Candidate A or Candidate B, they are making an informed choice. They truly believe that they have been presented with options and have the freedom, and the knowledge, to make a choice. The sad reality is, it’s nowhere near the truth.
Most of the data we are presented with is partial, manipulated or deliberately structured and worded in ways only experts understand. Take it from a marketer – no one wants you to know what is really in the food you’re buying, what the side effects of the drug you are prescribed are or what candidate A will really do if and when elected. The more complex and scientific we make things sound, the more you are likely to take them at face value and buy them. The more legal and tech lingo is thrown at you, the more you are likely to just click “ok” not even realizing what you just agreed to, just to keep reading the article you started to read.
The bottom line is: you must be aware that you have to take responsibility for your own choices and make sure you learn as much as you can, research everything in depth, make sure that you understand it all and only then, make a choice. Otherwise, you are not really free. Your choices are not really your own if they’re based on misguided information and half-truths.
Cue in GDPR
The connection between the philosophical talk above and GDPR is, at least to me, clear. While companies (especially non-EU ones that work globally and with the EU) will find GDPR restricting and annoying with all the changes they must implement to comply, for the average user this is a blessing and the dawn of a new era (I hope). It means that companies, whether they are a small local blog or a giant like Facebook or Google, can no longer hide or mask what they do with our data. They now have to make it very clear, in layman’s terms (!), what they save, why, what they do with it, how they use it and where it goes, and give us the right to agree or disagree. They must also now give us the right to “be forgotten” – to delete our digital footprint from their specific databases.
No, I am not naïve enough to think that this will solve the problem. Yes, I am well aware that even by using a mobile phone (old school one, not a smart phone) companies can still track me, my locations and movements, and that unless I go live in a cave I am never going to be “off the grid” so to speak. But I finally have the ability to really understand who holds which information of mine and how it is used; and I have the ability to choose what is done with the information and who I give it to. At least more than I had before.
I have no more excuses for not taking the responsibility to read through the notifications, make sure I understand them, search for alternatives and then choose. Gone are those days and I have the EU and GDPR to thank for making me, once again, take responsibility and reclaim my freedom.
One more key parameter of GDPR is the “Breach Notification”, which simply means companies now must notify users if their information/privacy/confidentiality were breached, no later than 72 hours after the breach. This means that if someone hacked a website, even if they did not steal anything, you have to be notified (and offered help in protecting your information).
Sounds like common sense, right? Well apparently, until a regulation came along, forcing companies to do it, it wasn’t. It seemed ok to companies to not let you know that your information has been compromised. It seemed ok to them that people learned of such things only when someone used their information, or when it leaked to the press.
Here’s a very fresh example of things that happen with GDPR or GDPR-like regulations:
Just the other day, as I was exchanging opinions on LinkedIn with my colleagues, I received an email. In fact, both Aviram and I received the same email, from someone we do not know and have never been in touch with in the past, telling us to “update the company profile” on some platform we never signed up for. Now, the strange thing is … he was referring to a new venture we’re involved in, which is in stealth mode. The only place the name of this venture was given along with our emails was when we RSVP’ed for an investors event with another organization. Somehow, our names, emails and the name of the venture were given to that 3rd party, who then went as far as creating a “profile” for our venture on a public platform (remember? Stealth mode! We don’t want the name to be out in public yet!) and, because he did not have “company emails”, he even went as far as to invent (or guess) email addresses for us with that venture and put them online for investors to see (no such emails exist, which means that if someone tries to use them, they bounce back!). All of this without our permission or knowledge. In other words: This person chose for us whether or not to be included on that platform.
What do you think would have happened had we known that our information was going to be shared? Let me tell you what – we’d probably not have gone to this event. Yes, we’d have given it up and not filled in this form.
How could the organizers have done it better and still collaborated with whoever they wished? They could have notified us that our information may be shared with X, Y and Z and given us an option to choose which one, or opt out.
But there is no GDPR in Israel. So they don’t have to. And our secret venture name and some details are now out there.
So you see, GDPR is a regulation that will annoy the heck out of organizations but more than that, it’s a wake-up call to people. It’s a fight for our awareness in an era of numb technology addiction. It will force people to stop for a moment and think “wait, what?” and then “Why?” and finally “Am I ok with this?”.