In May 2019 GDPR will have been fully in force in the UK for one year – but what difference has it made?
GDPR and Consent
We all got buried alive in the ‘consent’ emails around May 2018, when GDPR came into force. I for one looked forward to a reduction in unsolicited mail. I did see a fall-off, but I am still being emailed by organisations I have never had any contact with.
The Information Commissioner’s Office (ICO) took an approach during the first year that was more advisory than penalty-based, but we are all hoping for some action against repeat offenders. While I would never report a small business that is just getting it wrong, it is time to start reporting the big mailing houses who really do know better.
Has anyone been fined?
A couple of big firms that made tens of thousands of unsolicited texts and automated phone calls were fined in June (though this was under the older rules, where the maximum fines are much smaller). It reduced the number of spam calls I got. But I still use a spam blocker on my mobile to filter out unsolicited calls.
Slowly, customers are beginning to ask why data is being collected and how it is being used. Some are even querying why, when their identity needs validating, a copy of their ID has to be sent over insecure channels. The public are waking up to this – at least those who feel that stealing their identity would be profitable for someone, and those with money in the bank or a good credit rating.
Anyone who puts their work email address into a directory is still finding it ‘scraped’ or added to mailing lists without their consent. If you challenge these people they say they have a ‘legitimate interest’, or that consent is not needed because it is a work email address (even though it is unique to you and contains your name). We are all looking forward to more clarity on this one. We are due updated e-privacy regulations this summer – though with all the Brexit kerfuffle it is not clear whether they will arrive on time.
Other EU regulators have issued huge fines against Facebook, Google and other large data controllers and processors. So far the UK has not taken any obvious action. The advisory period is coming to an end, so we may see more visible action over the summer.
Why won’t they tell us what to do?
One of the problems businesses have with GDPR is that the Data Protection Act 2018, which brought it into UK law, does not specify how to do what is required. The ICO site is very process-driven, with pages of advice that come down to ‘make an assessment’, ‘make a decision’, ‘use the best technology’ and ‘train your team’. Whilst all of this is true, if you are not used to the whole idea of data security it is easier said than done to work out exactly how to do this in a way that allows your business to continue to function smoothly.
We have new clients joining our micropreneur GDPR groups every month. Many were so confused by all the fuss last year that they simply did nothing until they found a space in their business cycle where they could think and breathe. Others have started or changed their business since GDPR came into force and are working their way towards understanding what they need to do.
Myths about GDPR
We still see a lot of myths and misunderstandings about GDPR, with many people working from a vague memory of a seminar they attended 18 months ago. And we are still seeing firms that have bought a set of policies, issued them, and taken very little real action to ensure that the way they actually work is compliant. Some are stuck because they can’t quite figure out what to do.
Others take the view that the ICO has no real inspection force and that no one will ever notice they are not complying.
We are seeing our clients being asked by their clients to demonstrate GDPR compliance before they start a contract (or renew one).
Slowly the penny is dropping that it is not about an inspector knocking on your door – it is about being able to work to a standard that your clients and customers reasonably require. And slowly businesses are realising they need to sort out their contracts and systems with the employees and service providers who have access to data about people.
Brexit and GDPR
Brexit has muddied the water, as many businesses have not taken on board that leaving the EU will not mean the end of GDPR – far from it, since GDPR is now part of UK law.
Other jurisdictions, such as California with its Consumer Privacy Act, are now creating similar laws.
Customers’ attention has been diverted by Brexit and hundreds of other day-to-day issues, but one big data breach brings it straight back to this subject.
GDPR is about trust
If you look at the comments under newspaper articles about data breaches you will already see people saying: didn’t they have a duty to secure this information? I don’t trust them with mine.
The heart of GDPR is trust between customer and supplier. At a time when trust is in increasingly short supply, any business that can demonstrate it is worthy of trust is going to benefit. Now that the deadline hysteria is over, the real work has begun. GDPR is a process, not a deadline, not a set of policy documents and not a project – it is slowly embedding itself into the way we expect to do business.