Behind GDPR: a conversation with one of its pioneers

Emily Pfiester


Zora Siebert; Photo: Sebastian Raible, licence: CC-BY-ND 2.0

The General Data Protection Regulation (GDPR) as we know it today in Europe became effective in 2018 and is widely seen as a benchmark for the rest of the world in compliance. Five years after platforms and national governments began enforcing GDPR, the digital space that it governs is evolving with new technology like AI-generated content.


What does this mean for digital organizers? We’ve reached out to Zora Siebert, Head of EU Democracy & Digital Policy Programme at Heinrich-Böll-Stiftung European Union, who was there at the beginning, working on the legislation that became GDPR for the EU. She filled us in on the values that GDPR was intended to protect, and what this means in the face of changing technology.


The GDPR origin story

Zora worked in the office of the German Green Member of the European Parliament, Jan Philipp Albrecht, back in 2012. At this time Jan was a young politician, and his appointment to lead the charge on forming the regulation around data protection was quite novel. The task ahead wasn’t simple: it was an overhaul of a directive from the 1990s, when technology and digital regulation were completely different. Individuals had a different relationship with technology, and there weren’t so many international companies obtaining and processing individuals’ data. Jan and his team met with a variety of stakeholders to make up their minds and define the text that eventually became GDPR as we know it. Countless meetings and summits ensued with digital rights NGOs, corporate representatives across various industries, civil rights organizations, and political representations. There was concern that additional regulation would hamper technological growth or the ease with which users interacted in the digital space.


Fast forward to 2016 when GDPR was adopted by the EU and a two-year period followed for corporations and national legislation to prepare for the 2018 date when the legislation officially came into effect. Zora notes that there was slight panic here too as organizations tried to wrap their heads around how they needed to change their operations, including whether they needed a data protection officer or what steps needed to be taken to ensure GDPR compliance. The regulation came into place for processing EU residents’ data, and it became a model for laws in many other parts of the world.


Benefits and cookie clicks

With the implementation of GDPR, the biggest change for individuals is that we finally have the right to know what information companies collect, as well as the right to correct that data if desired. Companies are also finally held accountable as to how they retain data and could be fined a considerable amount if they do not properly process or manage individuals’ data.


The user experience with cookies changed immediately with the introduction of GDPR. We’ve all clicked to “accept cookies” as companies had to define and provide users options regarding what data is collected and retained.


One thing in particular that Zora would like to point out is that we all have the opportunity to audit this benefit granted by GDPR. You have the right to file a “personal data access request” with any company or organization that collects your data. They are required to share what they have on file, e.g. in terms of your browsing history and activity on their platform. Curious? File your own personal data access request with whatever platform you frequent and you may be surprised to see what Netflix, Amazon, or Facebook collects about you!


Digital relationships and GDPR

Privacy, in the EU, is regarded as a fundamental human right. Data protection refers to protecting any information related to an identifiable natural (living) person. There is an article in GDPR specifically on the principles for data protection, specifying that when you process data it has to be lawful, fair, and transparent, and that there has to be a purpose limitation. This means that not only does all data have to be obtained legally, but only the necessary amount of data should be obtained and there must be a purpose for using it.


From an individual standpoint, this protection guarantees the rights of the user. From the standpoint of a platform, it means that when consent is given by the user, you have a certain responsibility on how the data can be used and the length of time that it can be retained. Data minimization refers to the obligation of a data controller to limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.


If you work for an organization or political party that communicates with a base or list of some kind, chances are you have had at least a minimal encounter with GDPR compliance. Perhaps you’ve had to draft a privacy policy or ensure that subscribers are giving consent. It’s a part of list-building, fundraising platforms, email newsletters, and websites. Basically, all digital organizing activities have some element of GDPR.


The responsibility that comes with managing user data also has a silver lining. As digital organizing and campaign guru Ari Rabin-Havt says, “GDPR for Europe is your secret weapon”. What does he mean? When an individual agrees to give you their name, email address, or other personal information, they are confirming (sometimes multiple times) that they want to be contacted by you. They trust your organization, company, or party to treat their data with respect and according to the law, and in return are affirming consent to be in touch with you. In the US (or other less-regulated parts of the world), where there are less stringent data compliance regulations, people may find themselves bombarded with communications from third parties or groups that they never gave consent to. This advantage for European digital organizers means that your lists are of quality, and consist of users that truly do want to hear from you.


What is on the horizon for GDPR

Zora understands that GDPR could offer solutions to some of the questions that we have about evolving technology within the digital realm. Take the introduction in Europe of ChatGPT, a large language model-based chatbot developed by OpenAI. When ChatGPT first rolled out in European states, Italy temporarily blocked it as they did not know how the data collected from its users was being used. As a result, ChatGPT became more transparent and allowed people to choose if what they put into the interface was to be used for training or not, something that was unclear at the beginning and not given as an option. This is an example of data protection regulation being used directly to improve transparency and user rights of new technology.


For further reading and learning on GDPR and compliance, Zora suggests the following free resources:


To read

  • GDPR explained - all the basics an organization needs to know to be compliant

  • GDPR.eu - everything you need to know about GDPR and compliance

  • A Digestible Guide to Individual’s Rights under GDPR by EDRi

To watch

  • Democracy - a documentary about the process of bringing about GDPR in the European Parliament

