How this actually affects you as an end user mostly depends on whether or not you’re in Europe and how much you care about privacy. For the most part you don’t need to do anything, though it might be worth checking the emails from your most-used services just to see if there’s something important in there.

The good

Since this is an EU law, the biggest visible changes will be in European countries. Even with Brexit, this includes the U.K., as they are still technically part of the EU and even afterwards will probably still do a lot of business with the mainland. The biggest changes are invisible to consumers because they mostly apply to behind-the-scenes data handling, such as encryption methods, storage protocols, etc. For anyone residing in Europe, there will be a few visible changes, including:

Informed consent: Companies will have to ask permission for more things. This basically means that you’ll have to check more boxes saying, “It’s okay for this company to use this data about me in this way.”

Right to erasure: You’ll have an option to permanently delete your data on both the website that you originally gave it to and on any websites that they subsequently shared the information with. If you tell a company that you don’t want to be on the books anymore, they are legally required to forget everything they know about you.

Right to access: You’ll be able to see the information they have about you. In theory, you’ll have full access to anything a company knows about you, and, as per the “Right to Erasure” rule above, you can also have that info taken off the records. This may also eventually mean better data portability – the ability to take your data from one service (say, Facebook) and migrate it to a different one.

Customer service: “If you’re not the customer, you’re the product” is no longer very accurate. Companies are now required to respond to your complaints if you don’t like what they’re doing with your data or if it’s inaccurate.

The bad

It’s expensive: Companies have to retool products and hire new people and may lose some advertising revenue.

Some companies are shutting down: Faced with an expensive and difficult overhaul of their systems, some companies have opted just to stop existing. The most notable shutdown so far (though GDPR was only partially responsible) has been the social media scoring company Klout.

Some companies are blocking Europe: U.S.-based media sites like the LA Times and NPR are either blocking European users altogether or redirecting them to a stripped-down version. Email-unsubscription service Unroll.me, online game Ragnarok Online, and Pinterest-affiliated Instapaper have also left the market, in some cases temporarily, in some cases permanently.

So many emails: You’re probably tired of them, but as companies continue to adjust to the new rules, there are likely to be some more. Ironically, Ghostery, a browser extension meant to keep you more private, accidentally revealed thousands of email addresses when it was sending out its privacy announcement, so this has not been an entirely incident-free transition.

But maybe fewer emails in the future: Some of the emails you’ve gotten probably say that if you didn’t opt in by May 25, they will delete you from their mailing lists. It’s too late now, but if you haven’t seen your “Cat Facts” newsletter in a while, you may have the GDPR to thank for that.

What about the rest of the world?

Technically, unless you’re in Europe, the GDPR doesn’t apply to you, but so many companies have at least one or two European connections that most of the world is affected by it in some way. Since it’s generally easier for companies to apply the changes to their whole system, users everywhere will see stricter data standards put in place. Some companies, like Facebook, have already said that they are offering GDPR-compliant services to all of their users, regardless of location. Some, as mentioned above, are opting not to participate in the European market anymore. Unless you live in Europe, though, you’ll probably only see a few companies making serious changes. In the long run, it is likely that companies becoming GDPR-compliant now may just be saving themselves time in the future, when other countries begin following the EU’s lead.

Conclusion: Is it the right way to go?

Data protection is a massively complex issue and one that’s only recently become such a large-scale problem. The GDPR addresses some deficiencies in the current market, but it imposes some harsh costs as well. Other solutions, such as decentralized identities on the blockchain, may work better in the future, but for now, the online world has gotten a bit safer, and we’ve all gotten an even bigger collection of unreadable user agreements.