As I’m sure you know (unless you’ve been living on Mars or have otherwise been out of touch), on May 25, 2018 the General Data Protection Regulation (the “GDPR”) becomes applicable across the EU. (Strictly speaking it entered into force in May 2016; May 25, 2018 is the end of the two-year transition period, after which it is enforceable.)

The innocuously named GDPR is in fact not so innocuous at all and is, in my modest opinion, a Globally Disruptive Privacy Revolution.

Why Global? The GDPR is a European regulation.

Indeed, the GDPR is “just” an EU regulation, but it most definitely has a global impact. Under Article 3 it applies to organizations anywhere in the world that process the personal data of individuals who are in the EU (note: people in the EU, not EU citizens as such) where they offer goods or services to those individuals or monitor their behaviour. So practically speaking, if you sell to or track people in Europe, even if you are located in Timbuktu or on the moon – the GDPR applies to you.

Why Disruptive?

A technology or innovation is usually called disruptive if it disrupts an existing market and value network. Autonomous vehicles are disruptive, as were the internet and credit cards. The GDPR, by contrast, is “just” an EU regulation and not a new technology.

I am not contending that the GDPR is as disruptive as any of the previous examples, or even as disruptive as Airbnb or Uber, but the digital marketing industry is being asked to return to 1997[1], and the GDPR makes consumer tracking in the EU that has no lawful basis (which, for most tracking, means no consent[2]) unlawful.

Furthermore, companies that trade in personal data, and whose valuation is a function of the data they collect[3] and sell, are going to have to rethink their business model where Europe is concerned (and, as noted above, not only Europe).

Also, and this is where it will affect technology, the GDPR introduces “data protection by design and by default” (Article 25). In practice this means that only the minimum amount of personal data needed for a specific purpose may be collected and processed; the extent of processing is limited to what is necessary for each purpose; data is stored no longer than necessary; and access is restricted to those who need it for that purpose. This is going to change the way digital products are structured.

So there are going to be lots of changes, and the intrusive, annoying Internet marketing we know today will hopefully be a thing of the past.

Why Privacy?

I find it interesting that the regulation is called the General “Data Protection” Regulation and not the General Data Privacy Regulation. The word privacy is conspicuous by its absence.
Protection raises the question: protection from what? From whom? The stated aim of the GDPR is to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world, and in particular from parties that seek to monetize their personal data without consent. The GDPR is all about a person’s right to privacy and their right to control their personal information and public image. Any information relating to an identified or identifiable natural person is defined by the GDPR (Article 4(1)) as personal data[4] and is protected.

So, if you hold, collect or process any personal information of people in the EU, I suggest you consider the Practical Implications below carefully.

Why Revolution?

Last but not least, the GDPR is a game changer. Individuals are getting back control over their personal data. Data controllers and processors will have to be transparent about their collection of data and ensure that they have a lawful basis[5] for such collection and processing.

In addition, all those millions of companies and freelancers that make money on the basis of direct marketing, profiling and similar such activities are going to have a serious problem.[6]

Practical Implications for those who collect or process personal data:

  1. Organizations have to absorb the fact that they need to change the way they collect, process, store and share personal data.
  2. The first step is to understand what information you have, how you collect it and what you actually need and use.
  3. The next step is to do a gap analysis: You need to assess your business’ current level of compliance with the requirements of GDPR.
  4. Don’t panic – make a plan. Becoming GDPR compliant is an ongoing process that is only just beginning. Rome wasn’t built in a day, and nor will your GDPR compliance be watertight from day one. A good plan whose implementation has seriously begun should be a reasonable defence in the event that you are targeted by a regulatory body or an individual[7] for not meeting the GDPR.
  5. If you have any shares in companies that broker personal data – I would think about selling them[8].

[2] According to the current market research only 5% of consumers will opt-in and allow a similar level of tracking that exists today.

[3] When WhatsApp was acquired by Facebook it was not profitable, and yet Facebook paid roughly US$ 30 for each of its 600 million users. A similar calculation was applied when Facebook purchased Instagram and when Minecraft was acquired by Microsoft.

[4] A low bar is set for “identifiable”: if anyone can identify a natural person using “all the means reasonably likely to be used” (Recital 26), the information is personal data, so data may be personal data even if the organization holding it cannot itself identify the person. A name is not necessary either; any identifier will do, such as an identification number, location data, an online identifier (for example a cookie ID or IP address) or other factors that may identify that natural person.

[5] The lawful bases for processing personal data are set forth in Article 6 of the GDPR. They include consent (which must be freely given, specific, informed and unambiguous), processing necessary to perform a contract with the data subject or to meet a legal obligation, processing necessary to protect vital interests or to perform a task in the public interest, and processing necessary for your legitimate interests or those of a third party, unless those interests are overridden by the interests or rights of the data subject.

[6] According to recent surveys, a large majority (80%) of online users will most probably fall into a group of users that can only be reached anonymously, or via targeted placements. It will be forbidden to show these users personalized ads based on their preferences, interests, previous visits to particular websites or clicks on previous ads without their express consent. The smaller group of visitors, to whom ads can be personalized based on preferences and interests, is expected to develop into a hotly contested premium market for advertisers.

[7] GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:

  • any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.
  • data subjects have the right to mandate a not-for-profit consumer protection body to exercise rights and bring claims on their behalf (Article 80). Although this falls some way short of a US-style class action right, it certainly increases the risk of group privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.


Beverley Zabow