I may have spoken too soon about GDPR. Despite the conflicting legal advice and the general level of vagueness around the new legislation, a head of steam has been building up behind the notion of privacy. In significant part, it has been helped by the scandal around Facebook, Cambridge Analytica and so on — despite various authorities railing for years about social media playing fast and loose with our data (hence GDPR, of course), it has taken our august media to raise the level of public awareness alongside a frisson of panic among data controllers.
To be fair, this was difficult to predict but it has had quite an effect: the need for headline-grabbing material really is a two-edged sword. The consequence is that many organisations are treating the looming threat of GDPR non-compliance like a hot stone, to be dropped at the earliest opportunity. I’m sure I won’t be the only person to have received a raft of emails from various commercial and non-commercial sources, saying that if I don’t opt into marketing, I will never again know about the wonderful offers they might put on the table.
They may be over-doing it: as I understand it, organisations are within their rights to keep sending me stuff if I have bought from them before, unless I decline it. But organisations face a Hobson’s choice — they can spam me with requests for consent now (thus forcing them to fall on their own swords later, if I don’t respond), or face the uncertainty around what the law actually says. Tricky. So, for example, I’ve had currency card companies asking me whether it was OK to keep sending me currency-related information, and train operators asking me whether I wanted to know about special travel offers.
I have also had Facebook asking me whether it was OK to send targeted marketing, or to recognise my face. Which is all a far cry from the attitude of just a few months ago, certainly from the big boys who saw privacy as a bunch of doors to be pushed, or lines to be crossed (which reminds me, strangely, of training a spaniel). “Ask forgiveness not permission” has been a highly successful business strategy, enabling Facebook et al to grow phenomenally, and deliver a fair amount of innovation. This isn’t the place to knock Facebook — I know few people actually choosing to boycott it, which says something.
There’s a deeper point to all this knee-jerk reacting and giving the law the benefit of the doubt: that organisations are moving, nay running away from the idea that they can do whatever they like, with whatever data they like. This breaks with the assumed convention in thinking, that (personal) data is to be harvested, collated, aggregated and mined regardless of where it comes from, or whether it is known to have value. These notions surrounding monetisation of data are no longer valid: data: it may still be the new oil, but it isn’t necessarily your new oil, to do what you like with.
What does this mean in practice? First, it forces organisations to say, and therefore to think, in advance about what they require personal data for. This is no bad thing: it’s called strategy or design, depending on what level it is being considered. Indeed, it turns the binoculars around: rather than asking, “Why do we need this data point,” and looking for vague answers, a better starting point is to say, “What are we trying to achieve?” and then working out what data is needed to achieve it.
A second consequence, then, is a changing dialogue with the source of the data — that is, the identifiable person. It’s a requirement of GDPR to say what you will be using the information for. Of course, many organisations will look for loopholes in the regulation, though on the aspect of non-ambiguity it is pretty tight. While this is still to be tested, simply saying “to improve our services to you” may no longer be enough. Even Google — whose model is based on a “we don’t really know you” stance — is coming under the cosh.
Third, though this is wishful thinking on my part, is that we may arrive at a point where individuals appreciate the true value of their data. The net worth of many companies is currently calculated on the basis of how many active users, or customers, they have. So, what if (let’s say) a social media giant paid me for the privilege of accessing my thoughts and needs? If, at the end of every month, I received a cheque for having just been myself? I know, it’s been tried, but perhaps the right model is yet to be found.
Let’s get one thing straight. Marketing in general, and advertising in particular, isn’t going anywhere. The play on personal apathy and ignorance will continue, and as I have said previously, I don’t think our lives will be any more private as a result of GDPR. However, and even though it only currently applies to EU citizens, the new law is catalysing a sea change in how personal data is treated. One can only hope this ushers in a new era, in which data also serves as a backbone for transparency and value exchange between data creators and those who can make money from it. Put simply, if data is going to be monetised, we should all gain.