Percy Pig meets GDPR
21 August, 2017
I’ve just eaten a whole bag of Percy Pig sweets whilst delving into a piece written about GDPR. Whilst I was reading I kept popping my hand in the bag. It was as if the sweet, sugary chewiness of each pig was helping me get to the end of the article.
GDPR is big, that’s for sure, and what piqued my interest was the article’s opening statement: “The new General Data Protection Regulations (GDPR) will determine how your business does business”.
Of course, it bloody well will. Won’t it?
I’m the head of an agency that uses customer data on behalf of clients and advises on strategy that increasingly draws on far more personal data, behavioural profiling and social data farming to spot trends and sales opportunities.
We’ve been working for many years under the old Data Protection Act 1998 and the Privacy and Electronic Communications Regulations (PECR) that sit alongside it, and it has worked pretty well for us and our clients.
I believe that data can be put to good use. It can help to personalise content for a consumer and help them in what might be a difficult purchase decision or choice. This, though, has to be a consumer’s choice. Simply ‘nicking’ social data to try to bend my thinking is not acceptable.
There are some good things in this new legislation. I particularly like the ‘right to be forgotten’ change that allows the consumer to have the data held about them erased. Imagine that. Currently, the data subject can only demand deletion of their data if they provide the controller with “compelling legitimate grounds” to do so. The GDPR flips this burden: where a controller processes data on the legitimate interests basis, the data subject can object at any time, and it falls to the controller to demonstrate compelling legitimate grounds for continuing to process the data.
Most of the other changes make reasonable sense, but there’s daft stuff such as this example of profiling: in credit scoring, data subjects do not have the right to avoid being profiled, but they do have the right not to be subjected to a decision based solely on automated processing, including profiling.
That’s all well and good, but who’s going to police this?
A recent Quocirca survey showed that the fines issued by the Information Commissioner’s Office (ICO) over the last two years have averaged around 17% of the maximum penalty available (£500,000 under the Data Protection Act 1998).
Here are some highlights:
- The average fine was £80,000
- Of the 87 fines, 48 were PECR related
- A further 13 were to charities for misuse of data
- Eight were for some sort of data processing issue (average £68,000) and 18 for data leaks (average £114,000)
When it comes to GDPR, the maximum fine could be much higher: the maximum penalty under GDPR is €20 million, or 4% of annual global turnover, whichever is higher. So, do you think the ICO is going to be quicker off the mark to fine the bad guys under GDPR? If its past record is anything to go by, then probably not.
And one more thing. How many emails do you get from so-called GDPR experts spelling out that your business is doomed? They promise to make you compliant. Hang on. Where did they get my data from…?