The hashtag #GDPRjokes is currently trending on Twitter. Here is a flavor: “Knock knock. Who’s there? John. The following question is optional and is not a precondition to being let in. John who?”; “Doctor, Doctor!” “Why have you captured my professional title when it isn’t relevant to your stated use of my data?” It seems there is no traditional joke template that cannot be re-written to take account of the imminent General Data Protection Regulations which come into force in the EU later this month: “My dog has no nose – How does he smell? – I don’t know, he hasn’t opted-in to me contacting him.”
The jokes are mostly pretty terrible – but they do bring a little lightness to what can be a rather dull topic. Most GDPR seminars could use a little humor. But they are also illuminating – not just because they refer to some aspects of the rules – and some common misconceptions – but because they are there at all. Regulatory changes happen all the time – new standards in revenue recognition for example, or other accounting standards. But very few people ever hear of them. You are not likely to go to a party and be asked about the ramifications of SOC 1, for example, and there are no jokes that I know of about ASC 606. But GDPR has escaped from the world of regulatory compliance to become a subject of general interest – as well as the jokes, there are articles about it in mainstream newspapers and it is a subject for discussion on TV and radio.
The global impact
GDPR is not just a matter for the lawyers and the IT experts – it will affect everyone, in their business and in their personal lives. Although it only has legislative force for EU citizens, GDPR appears likely to have a global impact. Businesses which access EU citizens’ data from say North America, will also have to comply in the way that the data is stored and used. Other countries such as Brazil, Argentina and Canada are now contemplating introducing similar rules. Many international companies are planning to change the way they store personal data across their organizations, giving all of their customers and employees the same rights that Europeans will have. This makes sense – savvy consumers everywhere may prefer to work with social media and other companies which offer the highest standard of data protection rather than be treated as second-class citizens.
That is in part because of the growing awareness of the degree to which private information has been shared and applied without people’s knowledge or agreement over recent years. I’m going to illustrate this point with another amusing story which is doing the rounds – about a man who tries to order a pizza to find the pizzeria has been taken over by Google. He is told: “For you, we recommend the cheese-free pizza with extra spinach due to your high cholesterol.” He responds: “But I take medication for that.” – “You don’t though, do you? You haven’t bought any in six months.” When he says he is off to a desert island to get some privacy, the answer comes: “Well, sir, you will need to renew your passport first – it expired five weeks ago!” Recent revelations about the use of data scraped from social media sites to produce highly targeted political advertising have also increased awareness of this issue.
More control over personal data
Against this backdrop, GDPR aims to increase individuals’ control over their personal data and to ensure more transparency about what it is being used for. A social media user for example will be able to see which other companies are allowed access to their data. If they do not wish to receive targeted political adverts for example, they ought to be able to opt out. If someone wants to move their personal data from one social media site to another, they ought to be able to do this.
In my view, GDPR is a positive change. I would estimate that 80% of what is needed to comply with it is already best practice. There are some misconceptions about it – it doesn’t bar all marketing communications for instance – you can still make contact with people if it is in the legitimate interests of your business. That should protect companies who want to reach out to people who they have a genuine reason to believe may be interested in their product.
If you are a customer-centered organization which values transparency, you will be doing a great deal of this anyway. But it is a good moment to overhaul data management processes. Making sure the information that is held on employees, customers and partners is appropriate and relevant is a basis for building better relationships with all of these key people. And of course, how did the pirate Blackbeard safely and securely enlist his crew? GDPArrrrr, of course!