GDPR now and what might come next

Charli Bregnballe
6 min readDec 6, 2018

It’s been 6 months with GDPR. Let’s take a look at how it has influenced us and how it affects the users and companies dealing with personal data. And concluding with a quick peak into what the future could bring.

For me the GDPR regulations haven’t changed much. It did not have the effect I had hoped for. The thing is I use a wide range of services, where I accept and understand that they use my data. I am okay with that. For a large part it is companies with products or content I find relevant to me. I actually consider the data-processing as service. (I am looking at you! )

What I hoped it would affect was some of all the spam mails that I get. I get tons of spam mails, both from companies I know, companies I’ve never heard of and regular scam and fraud mails.

I try to unsubscribe, but keep getting subscribed again. They are clearly violating the GDPR, but I don’t see how they can be stopped. I am sure they are all located in some obscure country outside the law of the land. I fear we will never get rid of this part.

I did put the GDPR to use at one point though. I got a call from a sales person from a phone company the other day. I got the chance to ask them if they had a permission to send me direct marketing? Because a phone call like that is direct marketing and without consent, it’s a violation of the GDPR. In regards to that, I would like to know from where they have my data and obtained the permission.
Unfortunately, the person on the other end was a young guy working for a callcenter. He had absolutely no clue. He just had a list of people to call, no questions asked.

It could be interesting to follow it through, because I do suspect that it was a violation. How did they get the list? Who made it and from what? I wanted to dive deeper into that.

User-centered company spinoffs on GDPR

Lately I’v seen a few companies who eyes an opportunity to make a business out of the GDPR in different ways. An example is services that provide users with an option to bulk request to a wide range of companies. The users can request data-deletion or data-extract with a few clicks.

This seems very convenient for the users and the idea could be good. If only the world could agree on one system, and one system only.

At my job we did get a few requests from different services. The only legal and correct way to handle this is to push the request back to the service. This is due to the fact that we can’t identify the person and thereby fulfil the request. If we could, then the service would be breaking the GDPR regulation and potentially cause a data-leak. Usually the services want the company to sign up for their service. They usually provide the option to answer and document the communication, in return for a small fee, of course. Forcing the companies to use ten different systems is not an option.

One of the issues with this, seen from the company’s point of view, is the bulk request. This will give the users an easy way to send a request to a huge amount of companies. And that is even though the company doesn’t have any data on the user.

This will create a lot of redundant work for the companies. It seems a bit unfair and to me it is the wrong way to interpret the GDPR.
The companies do have to provide an easy way to meet the users’ requests, but not like this.

Yes, protect the users, give them control of their data, but don’t be unfair to the companies. Let’s be reasonable.

Another twist regarding this is that we should always ask ourselves what kind of service we sign up to. You trust them with your personal data, but are you sure it isn’t yet another data-driven service? I bet no one bothered reading the actual terms and conditions when signing up to these services.

New e-privacy law

This is where it gets interesting.

The current state of cookie regulation is unchanged from the law from 2002. This is where we saw the “allow cookies” banner for the first time. The majority of companies do not give the users the option to actually turn off the cookies on the website. Usually it’s a condition in order to use their service.

Is this legal? Well, one could argue for both.

This is what the e-privacy regulations are about to address. It’s actually overwriting the old e-privacy law (or cookie law). I don’t think it’s a bad idea, since the ancient law from 2002 was born in another era of the internet.

The new regulations aim to make it illegal to process data by default without the user’s explicit consent. That goes for data, metadata and location-data. This means that the user has to get informed what data they store and to what purpose, BEFORE they use it. It seems very similar to the GDPR, right? Well, it is. This targets cookies and the use of them more precisely. So the companies will not be able to have the normal cookie text, where you blindly click ok to move on. There will be an option to say no and to go even further, you can select some and not all and so on.
It’s similar to GDPR and actually rides on top of it and in some cases overwrites it. The e-privacy regulations are add-ons to the GDPR, where the target is digital communication. GDPR is applied both in the digital world, but also in the physical world. It’s more general in terms of protecting the user and shifting ownership of the data.

You can read more about it here:

I used cookiebot as an example in my last article gdpr for latecomers and again, this would require all companies to have a system like this: the user is presented with a list of categorised cookies, like marketing cookies, cookies for statistical purpose and so on. The user will then be able to uncheck the unwanted cookies.

There are a few very interesting things attached to this.
Does this mean that retargeting will be illegal? If so, the RTB market will take a huge hit. Advertisers will not be able to follow their “customers” around on the internet with banners. It has a significant value in the RTB market. This will properly make a shift in the market where the “normal” advertising will be more valuable. It will still be possible to target relevant users through channels that deal relevant content or services.

It is difficult to predict the consequences. Hopefully, it will encourage another layer of creativity from the advertising companies.
It might even empower the rising market of content marketing. Who knows?

Whenever I think of this, it brings me back to a movie I once saw. The Joneses from 2009. It’s not particularly good, but it does bring up an interesting topic and it does have some very valid points.

The movie is about a family who moves to another city / location and brands their lifestyle.

They are very rich and have all the right clothes, cars and so on.

The thing is, it’s not an actual family, but rather actors who brand a certain type of lifestyle. They try to make other people spend more money on selected products.

So through their lifestyle they create envy from people around them. These people try to achieve the same level of happiness through the well branded products and materialised lifestyle.

That’s some real life content marketing right there.
I do not hope we ever get there.

I am looking forward to follow the birth of the e-privacy regulations. I believe it’s equally important to the GDPR. It is about time that we address the issues with the crazy dataflow that is silently flowing around on the internet.

I do believe that constraints set us up for more creative solutions, so it doesn’t have to be the death of advertising. But I hope it will be the death of dumb advertising.



Charli Bregnballe

Empathetic IT leader with a motivational and growth-focused mindset. Building exceptional teams and software through visionary leadership