Inside the Personal Data Economy Part Two: What's in it for Us?


As people, we like to be in control. We like to control our environments, our schedules, our relationships, and most of all, we like to be in control of ourselves. Learning that our personal data is constantly being collected, bought, and exchanged – without our knowledge or consent – pretty much snatches up any last bit of control we had to begin with.

The personal information economy (see my previous post) raises big questions about consumer autonomy and data security. In learning more about this economy, consumers have two big questions: 

First, why don’t we have control over our own personal data?

Second, even if we do consent to this data being collected, how do we ensure that this data is secure?

In May of 2018, the European Union passed the General Data Protection Regulation (GDPR), which aims to answer these questions and ease consumer concerns.

How the GDPR gives consumers CONTROL

The GDPR aims to restore consumers' sense of control over their data by extending 8 rights to all individuals:

  1. The Right to Access: the right to access all data that has been collected on them.
  2. The Right to Rectification: the right to correct inaccurate personal data.
  3. The Right to be Forgotten: the right to have all personal data erased.
  4. The Right to Restrict Processing: the right to halt the processing of their personal data.
  5. The Right to Know: the right to be informed of how their personal data is being used.
  6. The Right to Portability: the right to request their personal data file.
  7. The Right to Object: the right to forbid companies from using their data for certain purposes.
  8. The Right to Reject: the right to reject the use of automated decision processing and profiling through personal data.

With these 8 rights, consumers are provided complete control over their data. Not only must companies obtain consent before collecting and processing consumer data, but consumers can alter the terms of that consent at any time.

How the GDPR gives consumers SECURITY

The GDPR aims to hold companies accountable for keeping personal data safe and secure by implementing the 72-hour rule. The rule requires that in the event of a data breach, the company must carry out an investigation, report the breach to a supervisor, identify what personal data has been affected, develop a containment plan, and alert any consumer who may be affected or harmed by the breach – all within 72 hours.

The GDPR requires that all firms that offer services to EU residents, collect data from EU residents, or operate in the EU abide by GDPR guidelines. While this regulation may only affect some US companies, data protection regulations are quickly appearing in the US as well. The California Consumer Privacy Act (CCPA) will go into effect in January of 2020, and Massachusetts recently expanded its state data breach law.

The GDPR makes notable strides to equip consumers with a sense of control and autonomy, while also protecting them from the rising risks of the digital era – as will the CCPA and other regulations which arise. However, this regulation has also been said to have thrown a wrench into the most fast-paced era of innovation we have ever seen. Is it possible that restricting access to data could do more harm than good?
