GDPRmageddon: 'Don't panic!' is the message
Two weeks after new data protection regulations came into force my various email accounts (and letterbox) have finally breathed a collective sigh of relief as they have survived the barrage of GDPR-related spam. My favourite emails were the unsolicited sales messages offering me training, support and consultancy on how to make sure I became GDPR compliant and didn’t send out unsolicited marketing in the future.
Having gone through the GDPR compliance process for First4Lawyers I can firmly say that I’ve been baffled and bewildered by the new rules at times. As such I thought I’d share my views on GDPR data protection laws and data best practice (I’m at pains to point out that this is an opinion article and not advice on how to ensure you are GDPR compliant – I can’t afford to pay any multi-million pound fines).
The 25th May rolled by fairly quietly. There wasn’t a sudden avalanche of consumers up in arms reporting businesses across the land for misusing their data, but privacy groups did lodge complaints against some of the larger organisations such as Google, Facebook and WhatsApp. Instead, most people were probably glad to see the back of an avalanche of emails, requesting they either consent to receive emails in the future, or that an organisations privacy policy had changed. Interpreting the regulations has been the biggest challenge. If processing a consumer’s data in a particular way is integral to the service you offer then you didn’t need to gain consent to keep using it. If however, you wanted to use it for some other form of purpose and hadn’t previously got a proven hard opt-in, then you needed their consent.
Putting this into context, if you ran a website such as Autotrader and customers had signed up to receive alerts about particular vehicles that were of interest to them, then this would be deemed a material part of the service. As such, Autotrader would just need to inform their clients that they had made changes to their privacy policy and normal service would have resumed. If however, they chose to try and use that mailing list to promote a different product or service and hadn’t previously sought an opt-in, then they would have had to cease this advertising.
Many argue that the new regulations are long overdue, strengthening personal data rights, including the way companies handle your data and redress for misuse of that data. The more cynical of us feel it is more like using a sledgehammer to crack a nut and whatever changes are made those persistent offenders will continue to offend.
The naysayers will argue that personal data in the hands of big business is bad and yes there are some pretty astonishing examples of where people have done bad things with personal data. However, it is my opinion that data brings benefits for the consumer. It allows businesses to understand customer needs and wants and allows you to become more personal in the way you communicate with them, by sending more relevant messages. This way you see higher engagement and more loyalty from people receptive to receiving communications from you. Yes inform them about how you use their data and give them the option to opt-out easily, but don’t just spam them with irrelevant one size fits all messages.
Has GDPR sent the world mad? Quite possibly so. I’m a Scout Leader and how we hold, store and protect data has had to change because of GDPR. If we go on a camp or excursion we have a contacts list that has all parental contact information should the need arise to let little Jonny’s parents know he’s not well and to ask them to come and collect him. One copy is with the leader of the activity and another with a home contact, who acts as liaison should we all get stuck up the side of a mountain. Now, in order to protect this information, both lists need to be kept in locked and secured storage boxes, with the home contact only able to view the information should the need arise. So the next time you see a Scout Leader half way up a mountain looking pained at the weight of their rucksack, it’s probably not the tent they are carrying, but the safe for the contact list.