GDPR – What if you could sell your privacy?

I have been thinking for a while about whether there is an easy way to obtain people’s personal data. After all, personal data has a price on which social networks are valued and how they are seen. They see our personal data as commodities to be traded, shared and sold on, with huge profits made from it. For instance, when Microsoft bought LinkedIn, it is believed each LinkedIn user was valued at $50. This is the value they put on each of our privacy. Rather than big corporations, how about us making some money from our personal data and our privacy? How about us selling our privacy?

Is it really that absurd an idea?


Monetising privacy

These companies are making money out of our data that we are giving away for almost nothing. Should they not be sharing some of their spoils with us? You have the social networks who are using not only our registration data in exchange for providing a platform to socialise. They are profiling, carrying out behavioural monitoring and aggregating all sorts of privacy information into big data to be sold, exchanged and/or used later for God knows what in the future.

They go through all sorts of loops and jump hurdles in order to gain this information, generally overtly but sometimes covertly. Would it not be much easier and simpler for both parties to agree to a business arrangement where the subject gives certain bits of information about themselves for a fee? Starting with basic information such as:

  • Name
  • Address
  • Email address
  • Phone number
  • Mobile number
  • Medical information
  • Shopping habits
  • What you are shopping for in the near future
  • Where you will be going on holiday

Each piece of information is monetised, each holding a set value. For example, name could be £1, address could be £2, email £3, mobile £5 and so on. The more sensitive the data, the more it is worth and the more we can charge.

Demographics, income and status could also be used to create additional charging models for high-value subjects. This could then be further monetised to pay per use. Every email advert or popup could be £0.10 and so on. I wonder how many people will complain or install ad-blockers if they could earn money from each popup or email.

This personal data could be leased for a year and then they would have the option to renew. It would be incumbent upon the data subject, and not the controller, to maintain the integrity and accuracy of the data.


A consensual and equitable model

This takes away another risk from the data controllers and the data subject too. This would provide for much more accurate and targeted adverts, rather than drive-by adverts or spray and pray. This provides a much more effective and transparent collection and use of data. It is a win-win situation for both the subject and the controllers.

It is fully consensual, and the subject has even more control over their information. They can control what information to release, to whom and for how long.

A true PPV – Privacy Per View or PPU – Pay Per Use.

You have pay per view TV and sports events, and pay per use software licensing, so why can’t we have PPV or PPU for our most intimate and precious information – our privacy?


Control and empowerment?

You would not need something like GDPR, which would be out of date on implementation. All GDPR is doing is policing the free use of our information. It is giving us real control; however, a monetising model would give the subject real control and empowerment. GDPR or other privacy regulation is unsustainable, as technology is moving too fast for unwieldy regulations that require legions of lawyers and privacy experts from across the world to draft and that take years.

If the DPA took 20 years to become decrepit, the GDPR will take 5 years. Who is going to protect us then?


Protecting privacy is so old skool

The notion of privacy and marketing is changing and the perceptions and value are generational.

Personal data proliferation will be very difficult to control because most of this information is already out there, either through legitimate or illegitimate means. What we should be concentrating on is who uses it, how it is used and whether the subject is happy with it.

Is it that absurd an idea? It seems to make sense.

The privacy genie is out of the lamp, so we may as well use it to our advantage and get our three wishes.


Author: Moyn Uddin (GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF) is a certified GDPR and cybersecurity practitioner. As a security practitioner, he has written, tested and embedded many incident management plans and processes and dealt with many incidents and data breaches. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXELOS, published in 2014, and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneurs.

Copyright Cyber Counsel