GDPR: the hard parts are still hard

I took a trip to France and England a week before GDPR goes into effect, and did not really get the impression that implementations of GDPR were underway in the way they were in the US. The signs were the little things, such as asking for names and email addresses when logging into public wifi, and SNCF automatically signing me up to their marketing emails after a train ticket purchase (which ironically gave an error when I tried to unsubscribe).

To me, as a consumer, there are two main parts of GDPR. The first is marketing emails. This part has been most visible in the past few weeks as companies send consent emails asking permission for marketing communications after GDPR takes effect. Most of these emails, before and after consent, are already properly implementing the unsubscription workflow. The rise in popularity of commercial off-the-shelf marketing and email tools makes unsubscription more standard. The result is a win-win for both consumers (being able to unsubscribe) and websites (getting a higher quality mailing list).

The other part is the use of personal information. This aspect is arguably closer to the spirit of GDPR, but is harder to enforce. As a consumer, and without a court order, it is almost impossible to know if my information is being used, or when and where if it is, or to verify that it is not being used if I do not give the proper consent. This is more of a problem when the information is processed for others to consume, as the recipient has little incentive to ensure that my rights are being protected. For example, if a company is selling market reports, will the buyers really ask for the legal basis on which the underlying data is collected, and make purchasing decisions based on the answer?

In the end, I think GDPR is still a good thing. There is a fine balance between the size of the EEA market and the requirements of the regulation. Too small the market, or too strict the regulation, and businesses will simply walk away. It is also likely the most publicised regulation relating to security and privacy, bringing some healthy spotlight to the industry.