Authority in silence – last GDPR thoughts before R-Day (Regulation)
The great dawn of personal information security is coming upon us: no longer will companies be able to hold personal data they have no need for, or process it without a lawful basis such as the explicit consent of the individual. In my opinion this is one foot onto the path of users ending up getting paid for their data and to use services such as Facebook. We've seen an uplift in companies needing data privacy lawyers to conform to both present and upcoming regulation, and there will be strong demand for some time yet.
Capitalism is all about margins, efficiency, competition and innovation. If a service that looked and acted like Facebook offered you a one-click transfer of your profile (including pictures, friends and so on) and then offered to pay you money to use the service in the same way as you use Facebook today, would you do it? Sure you would, along with everyone else. That's progress.
Your information is valuable and monetisable to businesses, but under the new rules they need a lawful basis to use it, and for marketing that will usually mean your explicit permission. Companies are going to have to work a whole lot harder to keep that permission.
I've taken great delight over the last few weeks in unsubscribing from all marketing emails in my inbox. If companies want to speak to me they are going to have to go the extra mile during our brief periods of interaction, assuming I ever see they exist. They are going to have to start offering me something or they will be met with a deafening wall of silence.
For those that choose to continue to attempt to contact me after the 25th of May 2018, I will initially politely refuse. If they continue to do so then I will report them to the ICO. I've said it before and I'll say it again: if I could buy shares in any organisation in the world right now it would be the ICO. Please, Elizabeth Denham, let's have an IPO!
A business has precious little time left before the window of opportunity closes on 25th May 2018. Here is one final checklist for in-house lawyers to ponder regarding the GDPR (by no means exhaustive):
- Do You Know Your Data? What types of personal data does the company collect, and where will this information be stored or sent? Every other item below depends on having this map.
- Consider Consent. How do you obtain consent from people to collect and use their data? How will that consent be recorded so it can be evidenced to the regulator? How long after the business need has ended will the data be retained?
- Data Protection Officer. Will the company appoint a data protection officer? If not, who in the organisation will be accountable for data protection? Note that a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The goal is regulation-ready data privacy and security policies.
- Breach Notification. What are the processes to comply with the 72-hour data breach notification rule? The clock runs from the moment the organisation becomes aware of the breach, the notification goes to the supervisory authority (the ICO in the UK), and affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them. How will you document the nature of the breach, who was affected and what was done about it?
- Third Party Obligations. What are the processes to review how vendors, suppliers and outsourcing partners are using the personal data provided to them? Are written contracts in place with each processor setting out what they may do with the data, and how are you auditing the readiness of your third-party data processors?
Wetherspoon's approach, deleting their entire database of customer data and their social media accounts, seems extreme but in some ways is a very safe course of action. Why spend a fortune playing the regulatory game when the perceived benefits of holding that information are minimal? They obviously looked at the numbers and decided that the loss in footfall was preferable to adopting and implementing the regulations.
In a way, by staying silent I am helping organisations avoid ICO fines; how noble. For those that want to attract me back, it will show that my side of the negotiation has found authority in silence. I'm expecting big offers for my personal data, maybe not today and maybe not tomorrow, but sooner than companies would like.