Be in the know about GDPR and data protection


By Dr David Houghton, Senior Lecturer in Marketing
Department of Marketing, University of Birmingham

Not everybody will care nor want to think about it, but being able to make an informed choice is always better than making the presumption.

The GDPR comes into force on the 25th May and replaces the Data Protection Act of 1998 in the UK. This means that businesses and organisations will need explicit permission from consumers to keep their data in their database and to continue to contact them.

What’s the fuss?

You may have been inundated with emails in the last couple of months from companies asking for permission to retain your details, often focusing on the fantastic benefits they can offer. But it goes beyond this. If you were speaking with a company directly and suggest that they contact your colleague/friend/family member/pet, the company may then need you to get their permission to show that they consent to being contacted. This is a somewhat extreme interpretation of the rules, but certainly not outside the realms of possibility.

Take a look back at any ‘e-marketing’ textbook from the early noughties. I pretty much guarantee that, in each one, marketing campaigns that are tailored to individuals are heralded as the saviour of all things business. The same message is replicated in recent digital marketing textbooks, but now with the addition of social media profiling, so a picture built from identifiable information emerges, including data on other, unrelated activities.

Here’s the rub: did we ever stop to consider whether this was desirable or sustainable? Some did. Privacy research discussed concerns over information protection and ‘privacy harms’ induced by data collection and processing (Solove, 2006; Tufekci, 2008). But with technology becoming ever-capable and affordable to businesses, the process of easy, larger scale data collection continued.

Fast forward to 2018 and we see Facebook and Cambridge Analytica’s data collection practices called into question (see The Guardian’s news series). Concerned about the privacy of their information, Facebook users started a huge (ironically online) campaign calling for other users to #deletefacebook, despite not actually being able to delete Facebook.

Understanding how our data is used

It could be argued that we become victims of our own ignorance by neglecting to actually read the terms, but terms are often so complicated and full of legalese that it becomes impossible to know just how your data are being used.

In fact, even if we did know all the details, we suffer such bounded rationality that we couldn’t possibly understand how all aspects of our data are used at the time and what they may become used for in the future (see the many papers by Alessandro Acquisti and colleagues since 2004). For example, if you signed up for a Facebook account in 2005 when it was available only to university students, could you have known at that point what it would be used for in 2018, even though Facebook have informed you of the new terms of service and you’ve accepted them just to carry on using the site, ‘lol-ing’ with your multiple ‘friends’?

If we look at how the technological capabilities have increased over the last 15 years or so, as well as the demand for increasingly complicated algorithms and targeting capabilities, the GDPR shows a clear change in societal understanding and preference for informational privacy. That is, at least in Europe. I myself have called for a consideration of the echo chamber in which we are all operating, because such algorithms are limiting the spectrum of information coming to us.

So what can we do?

On the one hand, this seems a bit mad. On the other, it seems somewhat sane. However, consumers should be as aware as they possibly can be, and ask themselves the following questions:

  • Would I be happy at this point in time with this company using my data?
  • Would I be happy in five years if this company were still using my data?
  • How many other companies are involved in processing this data?
  • Would I be concerned if there were a data breach and my data were no longer secure?

You can never be 100% certain about data collection and storage. But, we cannot live in complete isolation; often we must give some of our data to access a service. However, we can think about cases where our data does not need to be provided in order to continue.

How can businesses comply with GDPR?

For businesses, it becomes somewhat simpler under GDPR: do we have explicit, continued permission to use this data? If the answer is ‘no’, stop using it, delete it responsibly and take advice for an alternative approach.

When designing consent forms to collect the data, ask ‘could a 13 year old understand this and reasonably make a decision?’ If not, then it’s overly complicated. Given that social media accounts can be used by people aged 13 years and above, we should take this into account more widely.

Other questions businesses should consider include:

  • Do we need the data for this purpose?
  • Once we have the data, how secure is it?
  • What will we do if a data breach ever occurs?
  • What will collecting this data actually give us?

If we cannot answer these with a responsible and legally friendly outcome, then we should revisit the drawing board, perhaps drawing on a new prototype of privacy by design (see Vasalou, Joinson & Houghton, 2015).

The right to an informed decision

In spirit, the GDPR is trying to get businesses to be as explicit as possible about the use of consumer data. Not everybody will care nor want to think about it, but being able to make an informed choice is always better than making the presumption. Continuing to make the presumption will lead (and has led) to consumer deviancy, e.g. signing up to websites with a ‘spam email address’, which undermines any targeting in the first place. A more cautious and tailored approach should only act to help both consumers and businesses co-exist online in the longer term.

If you are looking for specific details as to what is new in the GDPR and precisely what businesses can do, you will find them in the Information Commissioner’s Office consultation guide.


Solove, D. J. (2006). A taxonomy of privacy. University of Pennsylvania Law Review, 154(3), pp. 477–560.

Tufekci, Z. (2008). Can you see me now? Audience and disclosure regulation in online social network sites. Bulletin of Science, Technology and Society, 28(1), pp. 20–36.

Vasalou, A., Joinson, A. N., & Houghton, D. J. (2015). Privacy as a fuzzy concept: A new conceptualization of privacy for practitioners. Journal of the American Society for Information Science and Technology, 66(5), pp. 918–929.
