GDPR Is Going To Affect Customers And Businesses Quite Differently
I’m not entirely sure why I get so much unsolicited mail through my door. Every day I have a little routine of picking it up from the doormat, sifting out what is not junk and putting it to one side, then placing what remains into the recycling.
I have to assume that at some point I requested information for a product or service and ticked a box to allow ’carefully selected’ third parties to send me stuff. Or that my personal details got added to a particular list that was then bought, sold and generally wafted around various companies entitling me to all manner of unwanted junk!
This daily little routine may soon be coming to an end, as with GDPR looming these companies, if requested, must lay their cards on the table and allow me to reclaim some level of ownership over my privacy, my digital identity and any data that they have about me.
Having recently spent a day attending in on the new GDPR course for SMEs at the National Cyber Skills Centre, it dawned on me that the realities of GDPR for both consumer (i.e. me) and data holder (i.e UK Business Community) are quite extensive.
Let me start with a simple GDPR requirement – Informed Consent. This means that customers, like myself, must give suppliers consent to use any data pertaining to them that they currently hold. This consent must be informed and unambiguous. No more can we have those brain twisting phrases that have been the footnotes of so many email sign up forms – you know the ones – “If you do not want to be contacted by us, or selected third parties then please do not untick, the pre ticked tick box”. It must be explained in very plain English.
This consent also must be actively sought, so if investigated a company can prove that they have obtained it and how they obtained it. To add just a little twist of the knife into companies, they must also remember that consent that is valid today, may not be valid tomorrow!
This could be quite a herculean data cleansing task, especially as many companies have data spread across multiple databases, CRM Systems, financial systems and more.
So what other little tricks does GDPR have up its sleeve for us? Here is just a list of ‘rights’ for you to ponder.
An individual will have the….
- right to information
- right to access
- right to rectification
- right to be forgotten
- right to restriction of processing
- right to notification
- right to portability
- right to object
- right to appropriate decision making
What do all those mean in day to day terms, for businesses? In short, it means more work to effectively manage their data sources.
For customers, especially those who feel that for years they have just been bombarded with all manner of marketing collateral, they can slowly but surely rescind their consent and restrict access to their personal data to those who they wish to have it, with the exception of Government bodies. You can’t disappear from the tax man I’m afraid.
I would be willing to bet that as of today, not too many members of the public are aware of the positive changes that GDPR will mean for them. However, as we have recently been in a political climate of ‘taking back control’ I just wonder what would happen if a national newspaper or a well-meaning consumer televisions show starts informing the nation on how they can retake control of their privacy.
It could mean that come next May a steady trickle of calls, emails and letters start arriving on the desks of appointed Data Protection Officers across the land, with all manner of requests in relation to data.
If this was to happen and any company that was not prepared for such requests could find the Information Commissioners Office (ICO) breathing down their neck.
What might make sense is for a company to host a ‘GDPR’ compliant website page, where clients can login and see all the data that is held and then modify it to their desire – including asking to be forgotten – but would this make companies susceptible to more cyber-crime or data breaches?
Or maybe they could start now and contact all their customers in preparation? That would be good, that would be forward thinking.
However, the various industry reports that the National Cyber Skills Centre often re-post to their social media feeds state that many business are doing little or nothing in preparation for GDPR. But next May I’ll be getting in touch with a few purely to bring to an end my daily routine of letter box to recycling.