Insufficient attention has been paid to how GDPR will change the way organisations perceive, and therefore engage with, their users.
The emergence of colossal global data systems has outpaced analogue security and governance apparatus. In a belated act of redress, the GDPR (General Data Protection Regulation) will come into effect on 25 May 2018. To ensure the free flow of data across European borders, the UK – despite Brexit – will be forced to comply.
GDPR will initiate major changes to the way data-controllers are allowed to harvest data, the very currency of their business model, from their data subjects. The rules affect everything from how companies report hacks and data losses to customer consent and the right to be forgotten.
A thriving industry has grown to help organisations ensure technical compliance with these new rules, but less attention has been paid to how this will change the way organisations perceive, and therefore engage with, their users.
A string of negative media stories affecting Facebook, Uber, Google and other data-controllers in recent years has compounded public perception that digital spaces are unruly and unregulated. In response to GDPR, but also this wider context of mistrust, Facebook COO Sheryl Sandberg announced a Facebook privacy centre. In an online statement, Facebook says the privacy centre will be ‘a new education campaign to help you understand how data is used on Facebook and how you can manage your own data’. The company has recognised that simple compliance with GDPR will not repair public mistrust. They and others will have to comply with not just the letter of GDPR, but also its spirit.
It won’t be easy. Notions of trust, transparency and privacy are constantly negotiated in a digital economy where the exchange value of data is opaque compared to a more familiar cash-for-goods system.
GDPR offers the perfect springboard for brands to start a conversation about how the provenance of data can be respected.
Cyborg rights activist Aral Balkan argues that companies have taken full advantage of this opacity and stolen data to use like speculative capital in the online marketplace. He points to the tangible market value our aggregated personal data has for data-controllers. Technologist Jaron Lanier takes this theory to its conclusion. In his book Who Owns the Future? he proposes that Silicon Valley giants deliver micropayments to its users in recompense for their keystrokes, search history and personal data. This would not just change the way data-controllers perceive users, but radically alter their business model.
Wired magazine co-founder Kevin Kelly offers an alternative framework to understand the issue. In our complex information age, he denies the practical possibility that data can be ‘owned’ but does admit that our relationship with big companies can be 'asymmetrical' and lack mutual benefit. In a podcast from The Guardian earlier this year, Kelly stated that we should strive for a more equitable and ‘symmetrical’ relationship between data-controllers and subjects with mutual, civil benefits. For instance, a symmetrical relationship exists when we trade our personal data with Netflix for helpful, personalised recommendations for what to watch.
The effectiveness of Facebook’s proposed privacy centre should be judged not on its adept centralisation of checkboxes and complex privacy statements. The more valuable prize for the company would be to deliver a participatory, engaging and educative framework – a renewed social contract with shared responsibility for the provenance and value of personal data.
Brands must take this opportunity to engage in proactive and educational programmes with civic groups and individuals. GDPR offers the perfect springboard for them to start a conversation about how the provenance of data can be respected, and the accrued advantages more equitably distributed.
Rosamund Picton and Kourosh Newman-Zand are co-founders of semiotics agency Axis-Mundi. Look out for more of our analysis of what GDPR will mean for brands from May.