A lot of comment on social media is about the impact (or lack thereof) of GDPR on Direct Marketing: “Another company still sending me emails, despite me saying no!” sums up a whole slew of Tweets.
I’ll cover some specifics on the opt-in/out controversy and the PECR later (hint – it’s not as straightforward as people want to believe). But it got me to thinking – are we “data subjects” focusing on the wrong thing?
The GDPR is first and foremost about Data Privacy: about organisations not only saying they’ll look after your data, but actually doing so. The big difference in GDPR (and DPA 2018, let’s not forget) over previous Data Protection laws is the 7th Principle: ‘must be able to demonstrate compliance’.
It could be argued that not respecting opt-out wishes shows a lack of care or understanding, and it is true that it may well be a symptom of a culture that is not taking privacy seriously. And that is Very Important.
But is that what people are getting irritated about? I get the sense it is more about the inbox full of unwanted junk mail than about the process behind it.
If I make a Subject Access Request, then (perhaps surprisingly) I am probably less concerned about the actual data they’ve got on me than about how they are looking after it and what they’re doing with it.
I want to know that they have done the risk analysis and taken adequate, proportional and reasonable steps to protect my data. I want to know that they know who they’ve shared it with, and why. And if something does go wrong, that they have a log (of breaches and near-misses) to learn from: a process to evaluate what happened, to reduce the chance of it happening again.
Both elements – what actual data is held, and the approach an institution is taking – are important, and a SAR should reveal the two different aspects.
Don’t forget: A data breach isn’t necessarily in contravention of the GDPR – but not planning to reduce the likelihood or impact certainly is.
Back in our social world, I guess it’s just easier to tweet about a cluttered inbox than to express concern about risk-management strategy failures. But maybe more of us should try.
Is your organisation ready to share your risk reduction strategies? Call us if you’d like help preparing to do so.
September 2018
About the Author:
With over 30 years’ experience in the IT sector, Jim is ideally placed to lead and support initiatives in data handling and data security. He is both a Certified DPO (IBITGQ 1000104) and qualified GDPR Practitioner (IBITGQ 982862). As well as data privacy, he is very happy to talk about travelling, cycling, skiing or basketball. But it's mainly privacy.