To great fanfare, trending hashtags, and far too many attempted jokes, the general data protection regulation (GDPR) came into force on 25 May, and with it came the greatest torrent of spam emails in history. That was just the build-up. On the day itself, many major foreign news websites became unavailable in Europe as companies struggled to ensure they were complying with the new legislative era.
More teething problems will undoubtedly emerge, and that is inevitable given GDPR is the single biggest overhaul to data protection in 20 years, during which time the world has witnessed a data revolution.
The digital revolution has transformed data into the lifeblood of our economy, vital for everyday work and at the same time lowering the cost of market entry for start-ups, enabling entrepreneurs and allowing consumers to get a wide range of goods and services for free or at historically low cost. The possibilities of data are enormously exciting, and combined with artificial intelligence it has the potential to change beyond recognition everything from medicine to banking.
Yet, in this big new data era, many people feel they have lost control of their own data, which is why GDPR was created. It will allow people to regain control of their data so that they will know who is collecting information on them and how that data is being used. There will be significant fines for data handlers if data is misused and users will have an unambiguous right to say no.
GDPR is a big step forward, but it is untested. Even big companies and online platforms which have the means to adapt to these changes are struggling to do so, as witnessed on 25 May. How are smaller companies going to cope? How is the part-time working mum or dad whose online business provides vitally needed earning power that fits around a family life going to manage adapting to such a vast new data protection architecture?
All the evidence we have is that they are struggling to cope. The confusion is evident in the many emails that we are all receiving, some asking us to opt in to continue receiving emails, others just giving us a privacy statement. Let’s also not forget the impact on amateur clubs.
I have had cricket clubs that rely solely on volunteers contact me in desperation, believing that this could be an existential challenge that threatens their very survival.
We need a soft-touch approach in these early days, a reasonable adaptation and grace period to give people a chance before litigation or fines.
When policymakers legislate such an overhaul of the rules, we have to comprehend that in the real world this takes time and there will be false starts in the beginning.
Undoubtedly the implementation of GDPR will highlight its flaws, particularly given the speed of digital development. We will be failing citizens if we do not adopt a ‘wait and see’ approach before legislating any further. Consumers want strong data protection rules, but this cannot be incompatible with innovation or ensuring online services remain free.
To those voices calling for us to seize this great moment and make further advances, I say get outside the bubble for a few hours, or preferably, days. See how this brave new legislative world is impacting ordinary people who do not have law degrees or the time to spend days contemplating the philosophy of the right to privacy.
Let’s see the contradictions and problems that GDPR raises and then address them accordingly. We have a legislative framework with which to do that, with ePrivacy rules. Yet rather than waiting, and using an updated ePrivacy legislation to address the issues that arise with GDPR once they become clear, the European Parliament has so far insisted that we should change the rules again, even before GDPR comes into force. This would be an act of gross negligence that would greatly damage small businesses, start-ups and the creative sector and would risk suffocating innovation in Europe.