You have GDPR to thank for the recent assault on your inbox.
Indeed, if you’ve ever given your email address to a company, there’s a pretty good chance that, like us, you’ve been getting emails about updated privacy policies these days. And if you’re like me, you may even be getting five a day from random apps that you downloaded in 2007 and forgot all about.
And unless you send emails for a living (or are a data security consultant), in which case you have probably been panicking for the past nine months thinking about May 25, you may be a bit confused by the sudden onset of companies professing how important your privacy is to them. And honestly, many of these emails are more confusing than helpful, referencing their goodwill as well as “changing legislation,” but not much more.
So why are companies sending these out? Short answer: GDPR. Long answer: the General Data Protection Regulation coming into effect on May 25.
What’s GDPR?
To paraphrase the Wikipedia article, GDPR is the new European regulation on personal data, adopted on April 14, 2016 and taking effect May 25, 2018. The goal of this regulation is to give European Union citizens more control over their data, as well as to simplify the complicated regulatory environment in Europe.
GDPR actually covers quite a broad range of topics, from data storage and anonymization to consent and the right to be forgotten (making it a super fun read).
It is largely built on the principles of the 1995 EU Data Protection Directive and goes further with regard to data privacy — so let’s use these principles to go over your rights under GDPR. Legal geeks can read the full text over here.
The Gist Of GDPR
- Purpose: GDPR states that businesses need to have a lawful basis to process data, through explicit consent or contracts, legal and contractual obligations, or legitimate interest. Your data can only be used for the purpose that it was originally collected for.
- Notice: You should be given notice that your data is being collected.
- Consent: Going further than notice, GDPR requires that you give explicit consent for your data to be collected, stored, used, disclosed, shared with third parties, as well as to receive communications. This consent can’t be implied, so you’ll be ticking lots of boxes at the end of forms starting this week. Also, you should be able to remove consent at any time through unsubscribe links in all communications you receive (I recommend responding to spammy emails without unsubscribe links as a fun way to let out some steam).
- Security: Your data needs to be kept secured. GDPR states that companies should design their processes and systems with data protection in mind (data protection should be included by design, not just by default). GDPR also adds strict rules in case of a data breach, as well as the necessity for many companies to have an employee in charge of data protection (the Data Protection Officer, hippest job of 2018).
- Disclosure: You have the right to know what, why, by whom, and how your data is stored and processed. With GDPR, that notice is extended to companies having a clear privacy policy available publicly that explains why and how your data is collected (including cookies); what data is collected and how it is being used; how it’s stored and whether it’s accessed outside of the EU; and whether it is shared with third parties.
- Access: You have the right to access any of your personal data and know how it is being processed. If you request access to your personal data, companies have to comply within 30 days (they can charge you for this) and send you your data in a readable format. You also have a right to data portability, that is, taking your data from one provider to another. Moreover, you have the right to be erased — you can request that any personal data related to you be permanently deleted.
- Accountability: You can hold companies accountable for what they do with your data by appealing to a national Data Protection Authority.
Bonus! Explainability: This GDPR provision states that you may have a right to an explanation about any decisions made by an algorithm, as well as a right to question that decision if you consider you have been wronged by it (e.g., if you’re refused credit because of an algorithmic decision).
Okay, but why are you actually getting these privacy policy update emails?
So, Why the Emails?
All companies who store data from European citizens are concerned with GDPR and had to be compliant before today. In order to be compliant, they had to change their privacy policy to include many more sections, as well as make them more readable. When you gave a company your email in the past, it was considered that you implicitly gave consent to that company’s privacy policy, and those privacy policies state that you will be notified when they are modified. And they were modified.
You may have noticed that many companies have actually sent you emails requesting you to make your consent explicit (or re-subscribe), but not all of them. Many B2C companies appear to have taken re-subscribing more seriously even though GDPR may not require this, probably because they handle more personal data and may use it to personalize emails and product recommendations.
You may also be getting these emails even though you are not an EU citizen. The most obvious reason for this is that companies have no way of knowing whether you’re an EU citizen or not — regardless of your IP address or your current country location, you may have a European nationality. A lot of businesses are worried about GDPR because it’s a new regulation, so no one knows how the courts will choose to sanction businesses, and the fines are pretty scary (they can go up to €20 million or 4% of global turnover). Many companies are also taking this opportunity to restate their commitment to protecting their users’ data.