You have GDPR to thank for the recent assault on your inbox.
Indeed, if you’ve ever given your email address to a company, there’s a pretty good chance that, like us, you’ve been getting emails about updated privacy policies these days. And if you’re like me, you may even be getting five a day from random apps that you downloaded in 2007 and forgot all about.
And unless you send emails for a living (or are a data security consultant), in which case you have probably been panicking for the past nine months thinking about May 25th, you may be a bit confused by the sudden onset of companies professing how important your privacy is to them. And honestly, many of these emails are more confusing than helpful, referencing their goodwill as well as “changing legislation,” but not much more.
So why are companies sending these out? Short answer: GDPR. Long answer: the General Data Protection Regulation coming into effect on May 25th.
To paraphrase the Wikipedia article, GDPR is the new European regulation of personal data, adopted on April 14, 2016 and taking effect May 25, 2018. The goal of this regulation is to give people in the European Union (residents as well as citizens) more control over their data, and to simplify the complicated regulatory environment in Europe by replacing a patchwork of national implementations with a single regulation.
GDPR actually covers quite a broad range of topics, from data storage and anonymization to consent and the right to be forgotten (making it a super fun read).
It is largely built on the principles of the 1995 EU Data Protection Directive (Directive 95/46/EC) and goes further with regards to data privacy - so let’s use these principles to go over your rights under GDPR. Legal geeks can read the full text over here.
The Gist Of GDPR
Purpose: GDPR states that businesses need a lawful basis to process your data. There are six of them: your consent, performance of a contract with you, a legal obligation, protection of someone’s vital interests, a task in the public interest, or the company’s legitimate interests (which must be balanced against your rights). Your data can only be used for the purposes it was originally collected for, or purposes compatible with them.
Notice: You should be given notice that your data is being collected, including who is collecting it, why, on what lawful basis, and for how long it will be kept.
Consent: Going further than notice, where a company relies on consent as its basis, GDPR requires that you give it freely, for a specific purpose, with the necessary information, and through a clear affirmative action - whether your data is collected, stored, used, disclosed, shared with 3rd parties, or used to send you communications. Pre-ticked boxes, silence, or burying it in the terms of service don’t count, so you’ll be ticking lots of boxes at the end of forms starting this week. Also, withdrawing consent must be as easy as giving it, so you should be able to withdraw it at any time through unsubscribe links in all communications you receive (I recommend responding to spammy emails without unsubscribe links as a fun way to let out some steam).
Security: Your data needs to be kept secure. GDPR states that companies should design their processes and systems with data protection in mind (“data protection by design and by default”: privacy built into the design, and the most privacy-friendly settings applied by default). GDPR also adds strict rules in case of a data breach (a breach that puts people at risk must be reported to the supervisory authority within 72 hours, and affected individuals must be told when the risk is high), as well as the necessity for many companies to appoint an employee in charge of data protection (the Data Protection Officer, hippest job of 2018, mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of people or large-scale processing of sensitive data).
Access: You have the right to access any of your personal data and to know how it is being processed. If you request access to your personal data, companies have to comply within one month (extendable by a further two months for complex requests), normally free of charge; they may only charge, or refuse, if your requests are manifestly unfounded or excessive. You also have a right to data portability: receiving the data you provided in a structured, commonly used, machine-readable format so you can take it from one provider to another. Moreover, you have the right to erasure (the “right to be forgotten”) - you can request that personal data related to you be permanently deleted, though this is not absolute, e.g. a company may keep data it is legally required to retain.
Accountability: You can hold companies accountable for what they do with your data by lodging a complaint with a national Data Protection Authority (the supervisory authority), and you also have the right to seek a judicial remedy against the company or the authority.
Bonus! Explainability: This GDPR provision (Article 22) states that you have a right not to be subject to a decision based solely on automated processing, profiling included, that produces legal or similarly significant effects on you (e.g., if you’re refused credit because of an algorithmic decision). Where such decisions are allowed, you have the right to obtain human intervention, to express your point of view, and to contest the decision, and the company must tell you that the automated decision-making exists and give meaningful information about the logic involved. Whether this adds up to a full “right to an explanation” of individual decisions is still debated among lawyers.
So Why The Emails?
You may have noticed that many companies have actually sent you emails asking you to make your consent explicit (or re-subscribe), but not all of them. Many B2C companies appear to have taken re-subscribing more seriously, even though GDPR does not require it when the consent originally collected already meets the new standard, probably because they handle more personal data and may use it to personalize emails and product recommendations.
You may also be getting these emails even though you are not an EU citizen. GDPR’s scope does not actually depend on citizenship: it protects anyone who is in the EU when their data is processed, and it applies to every company established in the EU regardless of where its users live. Since most companies cannot reliably tell where each subscriber is at any given time, many simply apply the same rules to their entire mailing list. A lot of businesses are also worried about GDPR because it’s a new regulation, so no one knows how the courts and regulators will choose to sanction businesses, and the fines are pretty scary (they can go up to €20 million or 4 percent of global annual turnover, whichever is higher). Many companies are also taking this opportunity to restate their commitment to protecting their users’ data.