ExchangeWire: What information-sharing systems are currently in place?

Kory Willis: Wherever you go on the web, you are being tracked. Sites surveil the length and frequency of your web visit, the preference boxes that you select, and any information you make available. But, access to your data isn’t exclusive to the website you’re currently visiting – many sites share your information with hundreds of other third-party entities, like analytics sites that monitor traffic, widgets that edit the content you see across platforms, trackers that build profiles on you, and advertisers that buy those profiles in order to target ads to you.

How will the passage of GDPR open internet users' eyes as to how their data is shared between companies and third-party providers? 

As it stands right now, sites do not have to tell you if they’re sharing your data at all, let alone with whom they’re sharing it. When they do confess to making your data accessible to third parties, many will only refer to them as 'data partners', rather than revealing who actually has intel on your web activity. Once GDPR goes into effect on 25 May, however, sites will be required to be far more transparent with users. Those that do business in the EU will be required to secure consent to store your data. It will also be mandatory that these sites inform you before sharing your data with a third party.

Additionally, GDPR is expanding the scope of what data is protected. Your social media handles, your location data (so-called 'pseudonymised' information) all fall under the umbrella of GDPR, and are protected from being misused. On 25 May, internet users are probably going to face a barrage of consent forms. For some users, it could be startling to realise just how much information their favourite sites have been sharing with monitoring tools they never knew existed.

What are the largest changes GDPR will bring in terms of information sharing?

GDPR will certainly bring these data-sharing networks to light, but it’s hard to say whether the regulations will actually change the networks themselves. Sites are going to keep sharing user information, but they will need to become more transparent about the practice.

Data collectors are quickly coming to see that the GDPR is no joke. Any data controller that is not GDPR-compliant – that illegally supplements or shares user information – won’t survive long.

Will users want to control their online presence in a more managed way after GDPR?

Will this law actually affect internet user behaviour? I don’t think people are going to stop accessing sites that they’re accustomed to visiting. However, users are more wary of consent forms than we realise, as this study from 2017 shows.

Lesser-known sites that exploit extensive sharing networks could see a drop in traffic thanks to the GDPR. No matter what, this law will show web users that their information has value, and is worth protecting the same way as any other sensitive information.

But, to be clear, these regulations shouldn’t deter web users; they’re designed to protect us. This is where companies are failing to see a massive opportunity – GDPR compliance can establish trust with customers.

This is exactly what we’ve done. We have recently taken two key steps to ensure compliance with the GDPR:

- The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. Impartner PRM meets this requirement.

- The GDPR requires the control of data be given to end-users. While this can be a difficult to fully eliminate all traces of a person’s data, this is another requirement that Impartner PRM is helping to address.

For companies that still use spreadsheets or homegrown solutions to manage their partner data, GDPR could pose a threat to business, to the tune of a USD$2m (£1.4m) fine. With the enactment of these laws just under two months away, it is imperative that companies establish the level of transparency required to ensure GDPR compliance. It’s not too late to make the change to a compliant solution, one that can be up and running in as few as fourteen days, and can prepare these companies for the regulations going into effect – and the regulations still to come.