Tag Archives: gdpr

Two Good Reads on GDPR

The transition period to the new European privacy regulations, the GDPR, will end in May, after which compliance is required. To me the GDPR is extremely interesting. First, because it introduces a few novel concepts. Second, because good data governance means that openness, personal data protection and information security are all approached in the same way, which makes the GDPR important for my open data work. That open data work has been steadily shifting towards creating meaningful digital-first data governance.

One of the exciting novel concepts in the GDPR is that the legal obligations follow the data. The GDPR applies to any organisation holding data about EU citizens, regardless of where that organisation itself resides. Another is that EU citizens must be able to clearly understand how data about them is collected and used. Terms of service where the snake hides on page 312 of a document full of legalese are no longer acceptable. This means that your data usage must be out in the open, as every individual has the right to verify how their own data is being collected, stored and used, as well as to export that data and withdraw consent. Compliance is recast from being a disadvantage to being a precondition and a source of competitive advantage. To me it seems the GDPR is bringing the law much closer to our digital times. It paves the way for ‘ethics by design’ concerning data, and for using that as a distinguishing factor. It also sets a de-facto global standard (although not everyone seems to realize this yet).

The GDPR creates or reinforces a range of rights in law. Some of my clients have mentioned how they perceive this as a large heap of new work, but to me that’s not really true. It is true if you approach the GDPR as yet another administrative exercise to prove you are compliant, yet that is the old way of approaching privacy: do whatever you want internally, and take precautions at the edges with the outside world. To reliably implement the GDPR and to be able to provide audit trails and pro-active proof of compliance (note that the absence of this ability is interpreted as non-compliance), the most efficient way forward is embedding compliance in the data systems themselves. The ‘by design’ approach is mandatory for new systems: knowing where in your data sets personal data resides, having consent as part of the metadata, and so on. This brings personal data protection firmly to the level of data governance and of data system and structure design. Openness, personal data protection and information security can no longer be gates put around the data, but need to be part of the data, an ‘everything by design’ approach.
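What ‘consent as part of the metadata’ and ‘audit trails as proof of compliance’ can look like in a data system, as an added example written for this page (not code from the original post or from any product it mentions): every personal-data field is stored together with the consent that authorises its use, every read is checked against that consent and written to an append-only log, and the data subject can export everything held about them or withdraw consent per purpose. The class names, purposes and the sample subject record are all constructed for the illustration.

```python
"""Consent as metadata: a minimal consent-aware data store (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Consent:
    purpose: str                     # constructed purposes, e.g. "newsletter", "analytics"
    lawful_basis: str                # here always "consent"; other GDPR bases would go here too
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class PersonalDatum:
    value: str
    category: str                    # e.g. "contact", "behavioural": where personal data resides
    consents: List[Consent] = field(default_factory=list)


@dataclass
class AuditEvent:
    at: datetime
    subject_id: str
    action: str                      # "store", "read", "denied", "withdraw", "export"
    detail: str


class ConsentAwareStore:
    """Personal data keyed by subject; any processing must cite an active consent."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, PersonalDatum]] = {}
        self.audit: List[AuditEvent] = []   # append-only trail, the pro-active proof of compliance

    def _log(self, subject_id: str, action: str, detail: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), subject_id, action, detail))

    def store(self, subject_id: str, field_name: str, value: str, category: str, purposes) -> None:
        now = datetime.now(timezone.utc)
        consents = [Consent(p, "consent", now) for p in sorted(purposes)]
        self._data.setdefault(subject_id, {})[field_name] = PersonalDatum(value, category, consents)
        self._log(subject_id, "store", f"{field_name} ({category}) for {sorted(purposes)}")

    def read(self, subject_id: str, field_name: str, purpose: str) -> Optional[str]:
        """Return the value only if an active consent covers this purpose; log either way."""
        datum = self._data.get(subject_id, {}).get(field_name)
        if datum is None:
            return None
        if any(c.purpose == purpose and c.active for c in datum.consents):
            self._log(subject_id, "read", f"{field_name} for {purpose}")
            return datum.value
        self._log(subject_id, "denied", f"{field_name} for {purpose}: no active consent")
        return None

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """Withdraw consent for one purpose across all of the subject's fields."""
        now = datetime.now(timezone.utc)
        count = 0
        for datum in self._data.get(subject_id, {}).values():
            for c in datum.consents:
                if c.purpose == purpose and c.active:
                    c.withdrawn_at = now
                    count += 1
        self._log(subject_id, "withdraw", f"{purpose}: {count} consent(s) withdrawn")
        return count

    def export(self, subject_id: str) -> dict:
        """Subject access / portability: everything held about the subject, with consent metadata."""
        self._log(subject_id, "export", "subject access request")
        return {
            name: {
                "value": d.value,
                "category": d.category,
                "consents": [
                    {"purpose": c.purpose, "basis": c.lawful_basis,
                     "given_at": c.given_at.isoformat(),
                     "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                    for c in d.consents
                ],
            }
            for name, d in self._data.get(subject_id, {}).items()
        }


def demo():
    """Walk one constructed subject through consent, withdrawal and export."""
    store = ConsentAwareStore()
    store.store("u-1001", "email", "alice@example.org", "contact", {"newsletter", "analytics"})
    before = store.read("u-1001", "email", "newsletter")    # allowed: consent active
    store.withdraw("u-1001", "newsletter")
    after = store.read("u-1001", "email", "newsletter")     # denied: consent withdrawn
    still = store.read("u-1001", "email", "analytics")      # other purpose unaffected
    exported = store.export("u-1001")
    return before, after, still, [e.action for e in store.audit], exported


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that the consent check and the audit entry sit in the same `read` call as the data access itself, so there is no code path that touches the value without leaving a trace, and the `export` answer is built from the same metadata rather than assembled by hand for each request.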

Two good articles to read are:
The report of a Berlin panel discussion, addressing the more general meaning and impact of the GDPR in 8 insights, by Sebastian Greger. (HT Alper Çugun)
A handy overview of the rights created under the GDPR and their meaning for e.g. website and other tech design, by Cennydd Bowles.

Mailchimp Meets GDPR

Last week I received an e-mail from Mailchimp saying

Starting October 31, single opt-in will become the default setting for all MailChimp hosted, embedded, and pop-up signup forms. This change will impact all MailChimp users

When I read it, I thought it odd, as in the EU the double opt-in is needed, especially with the new General Data Protection Regulation coming next year.

Today I received another e-mail from Mailchimp that they were rolling their plans back for EU customers.

…because your primary contact address is in the EU, your existing forms will remain double opt-in. We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion.

Now I am curious to see if they will send out another e-mail in the coming week also reinstating double opt-in for everyone else. Because as they already say in their own e-mail:

Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.

That includes any non-EU business that has clients or indeed mailing list subscribers in the EU, as the rules follow the personal data of EU citizens. All those companies are subject to the GDPR as well.
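Why double opt-in counts as ‘additional proof of consent’, as an added example written for this page (not Mailchimp’s code or a description of their system): a signup form only creates a pending entry, and the address becomes an active subscriber when the person follows a confirmation link carrying a signed, expiring, single-use token. The confirmation itself (when, for which address, for which list) is what gets kept as the consent record. The signing key, addresses, list name, time-to-live and IP address are all constructed for the illustration.

```python
"""Double opt-in for a mailing list with a signed confirmation token (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SECRET = b"constructed-signing-key-not-for-real-use"   # constructed placeholder key
TOKEN_TTL = 48 * 3600                                  # assumed policy: links expire after 48 hours


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_token(email: str, list_id: str, issued_at: int, nonce: str) -> str:
    payload = f"{email}|{list_id}|{issued_at}|{nonce}"
    return payload + "|" + _sign(payload)


def parse_token(token: str, now: int) -> Optional[dict]:
    """Return the token fields only if the signature is valid and the token is still fresh."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    email, list_id, issued_at, nonce, sig = parts
    payload = "|".join(parts[:4])
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time comparison
        return None                                    # tampered or forged
    if now - int(issued_at) > TOKEN_TTL:               # issued_at is trusted once the MAC checks out
        return None                                    # stale link
    return {"email": email, "list_id": list_id, "issued_at": int(issued_at), "nonce": nonce}


class MailingList:
    def __init__(self, list_id: str) -> None:
        self.list_id = list_id
        self.pending: Dict[str, dict] = {}     # email -> outstanding signup (nonce, source ip)
        self.confirmed: Dict[str, dict] = {}   # email -> proof-of-consent record
        self.outbox = []                       # simulated confirmation e-mails

    def subscribe(self, email: str, now: int, source_ip: str) -> str:
        """Step one: record the intent and send a confirmation link. Nothing is sent to the list yet."""
        nonce = secrets.token_hex(8)
        self.pending[email] = {"nonce": nonce, "ip": source_ip}
        token = make_token(email, self.list_id, now, nonce)
        self.outbox.append({"to": email, "token": token})
        return token

    def confirm(self, token: str, now: int) -> bool:
        """Step two: the subscriber follows the link; only then is consent recorded."""
        fields = parse_token(token, now)
        if fields is None or fields["list_id"] != self.list_id:
            return False
        email = fields["email"]
        pending = self.pending.get(email)
        if pending is None or pending["nonce"] != fields["nonce"]:
            return False                               # unknown, superseded or already-used token
        del self.pending[email]                        # single use
        self.confirmed[email] = {
            "signup_at": fields["issued_at"],
            "signup_ip": pending["ip"],
            "confirmed_at": now,
            "list_id": self.list_id,
        }
        return True

    def can_send_to(self, email: str) -> bool:
        return email in self.confirmed


def demo():
    """Constructed walk-through: unconfirmed, tampered, expired, confirmed, replayed."""
    ml = MailingList("newsletter")
    t0 = 1_700_000_000
    token = ml.subscribe("alice@example.org", t0, "203.0.113.7")
    before = ml.can_send_to("alice@example.org")                        # False: single opt-in would already mail
    tampered = ml.confirm(token.replace("alice", "mallory"), t0 + 60)   # MAC no longer matches
    expired = ml.confirm(token, t0 + TOKEN_TTL + 1)                     # link too old
    ok = ml.confirm(token, t0 + 60)                                     # the real click
    replay = ml.confirm(token, t0 + 120)                                # nonce already consumed
    return before, tampered, expired, ok, replay, ml.can_send_to("alice@example.org")


if __name__ == "__main__":
    print(demo())
```

The consent record that results is something a business can show on request: a signup from a given address at a given time, followed by a confirmation from whoever controls that mailbox. A single opt-in has only the first half, which is why it is weaker evidence that the subscriber, rather than someone typing their address, actually agreed.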