Schadenfreude as you probably know is a German short-hand term that means the pleasure derived by someone from another person’s misfortune.
Some of us may have been tempted to a wry smile watching Mark Zuckerberg over several weeks trying to explain and make some amends, for the many ways in which Facebook have sold our data to third parties.
Others of us may have more serious concerns as a result over the way companies like Cambridge Analytica and Aggregate IQ apparently amass enormous quantities of personal data for explicit political purposes.
Still more may be concerned over the sheer number of organisations that know a great amount about how we live our lives.
One very good thing that will come out of all this media coverage will be a raised awareness of the rights that actually apply now to our personal data, even before the General Data Protection Regulation (GDPR) comes into force. In some senses, the GDPR adds very little to the rights set out under the Data Protection Act 1998, the right to be forgotten (erasure) being the main one – in fact the number of principles have been reduced to 6 from 8. But what has changed, as we all know, is the scale of the penalties for breaches and we wait to see exactly how sharp the GDPR’s teeth are in trying to get to grips with organisations like those above.
However, while we can all give at least two cheers for organisations that play fast and loose with our data being brought finally to book, we may also need to look at the way our own organisations handle personal data.
It can be very easy to inadvertently to let the purpose for which we originally collected personal data slip into something else – that address to which we sent that item, did the recipient specifically give consent for us to send them marketing data ? Did they also clearly and freely give consent for that data to be passed on to a third party? Is the data collected appropriate and limited for the purpose we stated? One common mistake, for example, is to collect gender or age information when this is not needed for us to carry out the series of transactions we want. Another is to yield to the temptation to hang onto personal information for far longer than it is either legitimate or even commercially useful.
One thing is also for sure, large organisations possess the resources to do things properly and to play by the rules. For them it is a matter of corporate will. The vast majority of smaller companies know that their commercial reputation is built upon trust and they cannot afford to be seen not to care about how they treat personal data. The snag is that to be compliant takes time, time that Facebook et al can afford to allocate. It is proportionately far more difficult for SMBs. Maybe that is where JEM can come in useful….