Data Protection Act vs GDPR
The Data Protection Act was signed into law in 1998 and was ahead of its time in providing a secure means of protecting the personal data of Britain’s citizens. Back in 1998, fewer than 10% of UK households were connected to the internet. Most people saw the internet merely as a business-based connection device; not even Google existed, and email was a novelty.
It’s been almost 20 years since the DPA was passed into law and surprisingly it has not been replaced or updated significantly since. Only recently have the general public as well as government become fully aware of the level of data that is collected and stored without reasonable consent.
Many companies that collect this data simply state that the data is collected to provide better services, target ads or otherwise deliver positive experiences for users. However, due to countless security scandals, the balance of trust has shifted far away from faceless multinational corporations, which are predominantly US-based.
In an era where more people are connected than ever, people’s digital rights and views are being shaped by their desire to regain control of their privacy. The internet is not just a tool anymore; it’s the world’s living room. People desire the right to the same level of privacy that they receive in their day-to-day lives.
The original DPA was a step in this direction: it was an attempt to secure the rights of people based on the digital and online world at the time. The DPA was simply unprepared for the rapid technological advancement that has come about in the past twenty years, and as such it is laughably dated, both in practical terms and in its limited scope. One very obvious fault: it was not mandatory to alert the authorities of a data breach under the DPA, and this only changed in 2011, more than ten years after the original act was passed.
The DPA was created in an era without Google, LinkedIn, social networking or tracking, and in a time when advertising and marketing companies used more traditional methods of customer research and respected the social norms attached to such data collection. Slowly the internet has become an extension of our day-to-day life; even ten years ago, it was rare to find anyone over the age of 20 on a social media site. Unethical business models have commoditised personal information that the individuals concerned never gave their consent to. The transition from user-focused to company-focused is most evident, on a face-to-face level, in the changes YouTube has gone through in the last decade. The website was founded under the tagline “broadcast yourself” and largely served as a site which consisted of exactly that: countless home videos, short films and other content created by the general public.
Then Google bought YouTube and slowly the user became the product, with personal information and details being shared with any company willing to pay for that insight, with little to no control over who purchased that data and what it was used for. It was a cheap and effective way of building up a huge market research portfolio and was at the time considered the dream of many marketers, businesses and even governments. Nowadays that’s not so true: people have become aware of what goes on behind the scenes at these massive companies and they are not happy. The public are not happy, governments are not happy and many digital companies are not happy either.
It boils down to this: the fundamental difference between the DPA and GDPR is an ethical resolution. The argument is not about companies’ rights to track and deliver services; it is about the people whose data is being captured. It is about the right to ownership of privacy and the express consent that is needed from an individual to collect or even view their data from some of the largest companies on Earth, who have until recently been unquestionable.
A simple ethical analogy: one day a man asks you if he can help you find products and you agree. He begins to follow you with a clipboard; when you go into a shop he ticks a box, and when you buy something he ticks another box. You go home and begin to read the newspaper, and the man ticks another box. He didn’t ask to follow you home, and he won’t go away because there is no legal basis for denying him access to your home and privacy. You complain to your wife about this weird man with a clipboard who keeps following you around, tracking everything you do, and guess what… the man ticks another box. The man is building a complete profile of who you are, so he can sell that information. This man has turned you into his product, and has done so without your express consent for this level of surveillance, the original intention of the consent having been warped into something entirely different.
If this is unacceptable in the real world, then why is it acceptable in the digital world? The answer is that it’s not acceptable, and this is what GDPR is trying to address. Further problems occur when the details collected can be cross-referenced with other information online and a complete, personal profile of the individual can be created. This is worrying because, regardless of intention, the individual has barely consented; in many cases not at all.
Companies that collect this data to develop their advertising or marketing need to understand that the privacy of an individual must be respected and that the person owns the data, not them. Pseudonymising the information collected is a fundamental step towards effective GDPR compliance. Companies do not need to know every ounce of detail, and to want such insight is quite frankly bizarre under any circumstances, online or offline. If digital, advertising and marketing companies wish to regain the trust of the general public, they must learn to respect the boundaries of their investigative procedures, stop using third-party Ad-Tech clients who are often more shady than they are honest, and collect only the information that would be relevant to that particular instance, through the express and direct consent of the individual concerned. The days of collecting vast swathes of personal data are over.
All in all, GDPR is evidently a positive development and not a hindrance. It is a chance for the digital realm to reclaim respect from an audience that has been soured by countless negative news stories and large-scale data breaches. It is a chance for Google, Facebook and any other digital company to say “Hands up, we were wrong to do this and quite frankly – we are sorry, let’s move forward.”
It’s clear that digital companies need to reassess their data collection policies, to stop collecting information in bulk and to really focus on the specific areas they need to complete their tasks. The main goal of marketing is to put the consumer first, and respecting them is part of that. This makes for a more ethical way of doing business, and soon it will be the only way.
GDPR is a step forward in improving the data protection of every person in Europe and anyone else dealing within Europe. All in all, it’s a good thing and a welcome replacement for the DPA.