“Alexa, do you protect my personal data?”. This is the question that is at the heart of the GDPR, the new EU regulations that come into force today, 25 May. It has been over 20 years since the last data protection laws were passed in the U.K. and since then, the information battlefield has changed considerably.

Web 2.0 created a way for users to collaborate, participate, and interact with the sharing of information, giving rise to a new breed of personalised services: Facebook for social networks, Twitter for news, Amazon for purchases. The tracking and sharing of information between platforms, using tools such as single-sign ons (e.g. Facebook Connect), seamlessly expanded our digital playgrounds, mapping data points on our love lives, music tastes and political leanings and then reflecting those choices in the shaping of future content that is in constant orbit around us.

The unquestionable value of insights into personal choices sparked a data gold-rush, causing industries to experiment with how personal data could be collected and analysed in order to improve their product. The rules of engagement for free services were simple: your data in return for targeted advertising. As a result, a culture of self-entitlement to our data emerged and then spread, encouraged by the sophistication of data mining tools that could be hidden from plain sight.

The purpose of the new data protection laws is to move away from this lack of transparency epitomised by the ‘tick box’ culture, by extending the obligations on businesses to secure the integrity of their data collection, chiefly by giving their customers the necessary information to understand and control the use of their personal data. A move that is an “evolution”, not a “revolution”, according to the Information Commissioner, the regulator charged with responsibility for enforcing the new laws.

Fundamentally, the laws clarify the scope of ‘personal data’; it is ultimately about the monitoring and tracking of your activities, and this can happen without storing your name or address by the use of clever technological quirks. With greater fines for those that fall afoul of these regulations and businesses being held liable for the mishandling of information by their partners, this should result in greater due diligence for the collection and sharing of our data. However, bad practices are likely to return if regulators are under-resourced or seen to be weak in enforcing the regulations. To determine the likely consequences of breaching these new laws, many businesses will be paying close attention to see how the regulators treat Facebook over its recent data protection breaches.

The responsibilities and burden of the GDPR do not rest solely with businesses and law-enforcement, the onus is on data subjects (you) to enforce their rights. The laws simply provides the armoury to do so. Individuals can request a copy of their data and require its deletion should they wish. A key argument raised by Zuckerberg in defence of Cambridge Analytica at the recent congress testimony has been that “users have complete control over their data.” Clearly this is not, and has not, always been the case. The flurry of updates to Facebook’s services since the breach was publicised speaks for itself. Users can now view in greater depth the plethora of information behind the profile that is being monetised by Facebook. Zuckerberg’s reference to “complete control” should therefore be understood within the context of the deal on the table for its users: free access to Facebook in return for targeted advertising. For those willing to put in the effort and constant upkeep, this intricate data-DNA behind our identities can be monitored, tweaked even—but its continual evolution cannot be stopped.

If there are broader learnings to be taken from Cambridge Analytica—beyond finger-pointing at Facebook for its complicity in not recognising the inherent risks with amassing a data vault and commodifying it on an open-marketplace—it is that we must acknowledge our own naivety of participating and trusting this technology, without further thought to the broader consequences. The safeguards in the physical world do not easily extend to the digital, and the burden is therefore on individuals to investigate the boundaries within which their personal identity is being constructed and exploited, so that they may protect themselves accordingly.

It is questionable whether these regulations will significantly alter the attitude of businesses and their users to the sharing of data. While there has clearly been investment from larger businesses in the improvement of the security and integrity of their data collection, a ‘spring clean’ of their data systems, the updates to privacy policies to make them clearer, and the reaching out to customers to obtain their consent to newsletters has resulted in yet more clicking and ticking. The unbridled response from the majority of users has not been to enquire as to whether updated legal terms are useful, but to complain about the clutter that this has brought to their inbox and seamless experience of these digital services.

Perhaps there is a psychological hurdle that remains, with too many degrees of separation between our physical and machine selves, such that we do not feel the same guardianship for our digital anatomy that we assume for our physical. Alternatively, it’s possible that we, rightly or wrongly, believe that we have the requisite control; that we can consume the features and fads to enhance our digital lives, and then always unsubscribe from these services if they no longer serve our interests.

Clearly businesses still desire our data, and we are still willing to share it with them. Neither side is inclined to slow down this fast moving train—it is the exchange of information that has been at the epicentre of human evolution. The question is where is the ultimate destination? Facial recognition software in the latest mobile devices can store over 83 data points on facial features alone. On the horizon, artificial intelligence and machine learning will be able to gather enough data points to produce digital replications indistinguishable from their masters. What happens when these digital replications are then violated, or when we become so dependent on our digital assistants, that we no longer have the agency to unsubscribe? “Alexa, do you want all my personal data?”, “I’m not sure about that” it responds, seeking an answer to add to its neural network of information. It’s up to us to decide, for now at least.