Has GDPR really changed the relationship between businesses and their data subjects?

In the wake of the Cambridge Analytica scandal, the methods that companies use to protect personal data and maintain privacy have come under increased scrutiny.

Those businesses that have been collecting what is regarded as highly personal information about their customers have enjoyed relative freedom to manipulate and even exchange such data with other enterprises. Consumers have, in many cases, come to accept access to their data as a necessary trade-off for using digital services, at least until now.

The arrival of the General Data Protection Regulation (GDPR) in May 2018 redefined the relationship that consumers and their data have with those businesses that harvest and manipulate such information. Valid consent must be clearly given to an organisation for whatever they wish to use a consumer's data for.

Yet it's not an isolated regulation. It's flanked by the OECD guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been in force for several years.

On the surface, it may seem that regulations are beginning to rein in what was once a data Wild West, but have such moves really changed the way personal data is being used?

The data citizen

The exchange of personal information that's often freely given to businesses is a part of what it means to live in today's digitally-driven society; it's why so many now consider data to be the new oil.

The data subject understands this relationship, and even though GDPR provides the means to effectively disconnect yourself from a company seeking to use your data, only a small minority of customers are actually doing so.

Research carried out by Broadband Genie revealed that 85% of respondents would still consider using a service even after it had been hacked, depending on how the company concerned reacted to the data breach.

Similar research from GDMA, UK DMA and Acxiom found that 51% of respondents across four continents would share their personal data with business if there was a clear benefit to them. Moreover, 26% of global consumers are 'Data Unconcerned': people who show little or no concern about the use or collection of their personal data.

Less than 1 in 4 (23%) fall into the 'Data Fundamentalist' segment; people who are unwilling to share personal information under any circumstances. Consequently, it is now the vast majority of global consumers (77%) who show no fundamental objection to engaging in the data economy.

"It is incredibly important these days to understand how consumers view data privacy across the globe and encouraging to see how similar they feel about key issues," said Sheila Colclasure, global chief data ethics officer at Acxiom.

It's clear there's still a trend towards the acceptance of data collection provided the relationship provides genuine benefits. Today, strong customer service hinges more on honesty and the actions taken in the event of a breach.

Indeed, innovative businesses are using the propensity of consumers to share information as the basis of new services. A good example is OpenActive, a platform supported by Sport England and delivered by the ODI that helps the sport sector open up data about when and where activities are taking place. This enables start-ups to build applications and services that make it easier for people to find gyms, clubs and classes near them.

In addition, Gladstone, a leading leisure management software company, has made it possible for all customers who use the platform to start to publish their data openly too, which a number have already taken advantage of.

Services like this are based upon their ability to connect personal data with a value it can deliver to its owner. More 'open' data doesn't, of course, mean less secure. A balance has to be struck where data is exchanged for a service, with the risks for potential data breaches minimised by both consumer and the business or organisation they are partnering with.

Big data, big responsibility

Despite a willingness to share, consumers often feel that they are not in control of the data they are asked to provide to unlock the goods or services they want to access.

One such service attempting to remedy this is the DECODE initiative, a set of open-source tools and protocols which aim to give people granular control over how personal data is shared. This includes the ability to decide who they share data with, for how long, and for what purpose.

The role of DECODE is to provide user-friendly tools that allow people to decide whether they keep personal data private or share it for the public good. From a business perspective, DECODE hopes it can be used by enterprises that want to build greater trust with their customers, while moving away from extractive approaches that are usually invisible to the end-user.

DECODE is led by the Technology and Innovation Office at the city of Barcelona and delivered by a consortium of 14 European partners, including innovation foundation Nesta. IT Pro spoke with Theo Bass, researcher for government innovation at Nesta, to ask whether consumers really have control over the data that is collected, shared and sold between companies.

"GDPR strengthens our rights to access, erase and control personal data. However, the use of these rights implies that individuals have full knowledge over who is collecting, storing and processing this information," explains Bass.

"The problem is the sheer extent of personal data collection nowadays, from 'smart city' technologies installed in public spaces, to the complex secondary data markets that collect information about us behind the scenes when we're browsing the web."

Ultimately a balance has to be struck to ensure the digital services that are now part of modern life can continue to be used safely within the framework of tougher regulations. This is possible, but it requires businesses to be willing to change the ways in which they collect data.

"We need much greater experimentation and willingness from governments and companies to build trust with citizens and users," adds Bass. "Governments at all levels should also educate the public to become savvier about data, as they now are about issues like plastic pollution, air quality or Fairtrade foods, rather than passively accepting any terms and conditions they are confronted with."

As Mark Settle, CIO at Okta, explains, as investment in technology increases, so too does the amount of personal data moving through the economy, which in turn raises questions about data ownership.

"While some of the responsibility will always be with users to determine what they share ultimately, most incidents of data leakage are due to organisation negligence," he says.

Given the nature of our data-driven world, tougher safeguards have never been more important, yet they don't necessarily signal a drastic change in the customer-business relationship. Companies are still able to extract just as much commercial value from the data they collect; they just now need to be honest about it.

In part 2 of this three-part series, we will be asking the question: is data the new currency?

David Howell

David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.

Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.

His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.