We haven’t seen the end of changes to data handling – DMA talks GDPR and tech giants

More than six months on from the implementation of the General Data Protection Regulation (GDPR), opinions continue to vary on how much of an impact the regulation has had on the internet ecosystem. And questions still remain over the way the biggest tech firms are handling the huge amount of personal data they have at their fingertips.

“Big tech companies do have the opportunity to use people’s data in very powerful ways,” says John Mitchison, director of policy and compliance at the DMA (Direct Marketing Association). Seeing the negativity of this power, regulators have been working hard across the world to get a handle on the way the likes of Facebook and Google conduct business – with varying degrees of success.

“They have been reined in by regulators like the ICO,” says Mitchison. “Of course, the change in the law earlier this year with GDPR has forced not only Facebook, but Google and others, to rethink how they’ve been using data. And I think that will continue as well. We certainly haven’t seen the end of that, these are just the first steps of these big organisations either making voluntary changes, to further tighten things up, or they will be forced to do it by regulators or by future legislation, such as ePrivacy.”

Though big tech firms are being slowly reeled in by authorities across the world for their handling of data, the issue extends further to the astronomical amount of data they hold on people.

Mitchison questions how much of this data the likes of Facebook and Google really need. “It’s going further than you need to do, just because you can do it, doesn’t mean you should do it,” he says.

“I have a smartphone and I know, when I download an app, there’s often requests for permissions that don’t seem particularly pertinent to the app that I’m downloading – and sometimes I say yes, and sometimes I say no, and sometimes I don’t look at it that closely and just say yes because I want to use the app. I think companies have got away with that in the past.”

With the implementation of GDPR, however, we should begin to see the volume of data in possession of tech firms reduce markedly.

“Now that the people’s eyes are on it and the legislation has been tightened up with GDPR, the focus is now on those apps and they will have to close that down,” said Mitchison. “And, it’s not just in these types of apps, it’s across all of digital marketing where that has run away – the whole business of behavioural tracking, ad retargeting, real-time bidding for ads that show up on your screen, the way that data has been allowed to be shared or sent out to different companies for them to do various profiling. Again, it’s just been tightened up. People didn’t really know that was going on. You can do that kind of ad targeting without that much data being thrown around.”

Research conducted since the implementation has shown that major tech firms may still be falling short of the criteria set out by GDPR. Alongside this, tech giants – most notably Facebook and Google – have been hit with tens of billions of dollars’ worth of lawsuits alleging that the companies are in breach of various aspects of the regulation.

GDPR has changed the approach to privacy policies because, in the past, “you had to have one, but it was written in legal language, it was 200 pages long, everything was buried in there,” according to Mitchison. Now, these policies “are no longer solely for the protection of companies, they are there to inform individuals.”

“I think that some of the bigger organisations have made movements in the right direction but it would be fairly surprising for them to have it all perfect in the first attempt,” he said. “I think we’ll see them make future amends and that may be because people put pressure on them or it might be because they’re required to by regulators.

“I’ve seen images online of people who’ve printed out all of the privacy information and it’s a stack of paper, two-feet high – that doesn’t come up to the standard of GDPR. It has to be intelligible, accessible, and understandable by the users that use the tool. That may be a difficult ask for some of those companies, but they’re going to have to get their heads around it eventually.”

Much of the difficulty experienced by companies around GDPR is down to the fact that data is now controlled, at least in theory, by the user.

Previously, tech firms have had an almost free rein to do as they please with the personal information of users. GDPR has “flipped that on its head,” in Mitchison’s opinion.

“Prior to GDPR, companies saw personal data as their own – something that they controlled, something that they had the rights over,” he adds. “They owned the data… Now, personal data is a person’s personal data. So, it has to be presented in a customer-focused way. All of that information in a privacy policy has to be presented to somebody so that they can understand it and they’re aware and fully informed.”