Over the last few weeks our email inboxes have overflowed with messages in which companies ask for consent to use our data and to continue our subscriptions. This flood of messages is a direct consequence of the General Data Protection Regulation (GDPR) that came into force on Friday 25th May.
Despite the long transition period, there seem to be many who don't have a clear understanding of what the four-letter abbreviation GDPR really means. The emails flooding our inboxes are just one sign of the uncertainty in companies.
What puts most pressure on companies are the sanctions, which can amount to as much as 20 million euros or 4 % of the company's global turnover.
Many companies have either not known how, or not wanted, to act as required by the regulation. Last Friday, when the GDPR came into force, many US media houses decided to play it safe. For example, the Los Angeles Times, the New York Daily News and the Chicago Tribune blocked European users from their sites to avoid any unnecessary penalties.
GDPR sends shivers down companies' spines
The US method is by no means the only example of ambiguity regarding the regulation.
"For example, in communication between companies, GDPR has caused unnecessary fear. If the company has any legal grounds for processing the information contained in the personal data register, for example a legitimate advantage, it is not necessary to request consent. The only thing that's needed is the possibility for the individual to unsubscribe from the company's marketing communication", said Henrik Lagercrantz, GDPR Expert at ID BBN.
Lagercrantz points out that data processing does not necessarily require consent if the ultimate purpose is to communicate about issues related to the registrant’s work. But even in that case, marketing messages may not be sent if the recipient has refused to receive them.
One of the reforms brought by GDPR is the right for individuals to have personal data erased, but in reality erasing your information is not always possible.
There are situations in which an organization is entitled and obligated to process personal data and, in these cases, that obligation overrides the individual's request. Example situations include regulatory identification, product liability and business-related customer identification.
New and more transparent practices are welcomed
"It will be interesting to see how these situations will be interpreted in the future, as companies had very different views already during the transition period", Lagercrantz recalls.
According to him, the situation will stabilize once practices become commonplace.
"The reform as a whole was very much needed. The collection of personal data is increasing along with the technical development and globalization. Now operations will become more transparent. GDPR provides companies with a good opportunity to go through their ever-growing personal data registers and remove unnecessary contacts and data. Clear rules also alleviate the growing concern about how companies use personal information", Lagercrantz points out.