GDPR turns one year old

Jen Daly • May 21, 2019

Where are we now?

It’s now been a year since the new GDPR came into force, and email servers everywhere ground to a halt under the strain of the deluge of emails asking us to confirm our marketing preferences.

Since then, what’s really changed? Is our data more protected? Are we less at the mercy of cyber criminals and email spammers?

I think not, to be honest. But knowledge is power, and that’s what we’ve gained so far from the GDPR. We know when we’re signing up to a mailing list or newsletter and we have the power to say no without it impacting our use of a website. We know that we can ask those who hold our data to tell us exactly what they have on us, and we can ask them to remove it if we feel it’s necessary. We know that our employers and those we deal with in business have an obligation to keep our data secure, and we know we can make a fuss about it if they don’t.

The landscape of data protection has certainly evolved, but who has gained and who has lost? As a consumer, a user of a bank account, a business owner and an avid internet user, my opinion is that the landscape has simply changed. Not better, not worse, just different.

Email Marketing

This one is a win for the consumer, although like most people I’ve noticed no reduction in the junk that lands in my inbox. Since the initial surge of desperate emails begging me to remain on mailing lists, I’ve noticed that I’m far more aware of it when I agree to marketing communications, though. Companies are no longer allowed to force your hand by pre-ticking boxes or restricting access to material unless you sign up. Instead, if they want your data, they have to sell the idea to you with discounts, competitions and other such perks. They also have to make it easy and straightforward for you to take your name off the list again, giving you far more control than you had pre-GDPR.

Cookies

Almost every website I visit now asks me to accept cookies. This is the website owner’s attempt at giving me ‘meaningful control’ over whether or not I share the data that a cookie requires. In reality this is a little pointless – many websites won’t function without the use of cookies so I have no meaningful control. In addition, many websites don’t actually need this consent to comply with GDPR. Your IP address alone doesn’t constitute personal data in the eyes of the Information Commissioner’s Office (ICO) and so those irksome boxes are basically redundant.

Who’s the winner here? The web designers who are charging overly anxious site owners to add cookie consent popups to their site.

Legitimate Interest

The use of 'legitimate interest' as an excuse for cold calling can be both a good thing and a bad thing. If a company contacts you without your prior express consent to do so, it is because they feel they have a ‘legitimate interest’. This could be your boiler manufacturer calling you to alert you to a known fault, for example. The joy for salesmen is that once they’ve played out their legitimate reason for communicating with you, they can then try to sell you their services. In this hypothetical instance I absolutely want to know that there’s a fault with my boiler. I’m less keen on the sales patter that will follow.

I’ve noticed that recruitment agencies (amongst others, I’m sure) are exploiting this term in the GDPR to openly cold call. I advertised a job 3 months ago and I’m still getting cold calls from recruitment agencies asking me if I’ve filled the vacancy. Even once I confirm that I have, they still launch into their terms and their rates, and try to invite themselves for a meeting. This is where the term “legitimate interest” could do with some clarification.

I’m not sure there’s a winner or a loser here – companies with a duty of care for their end users must retain the ability to call without express permission, but this provides a loophole for the less scrupulous in the business world.

Social Media

We all seem to have a blind spot when it comes to our use of social media. Apps including Facebook, Instagram and Pinterest collect an inordinate amount of data about us; Facebook is the biggest collector, using a whopping 63 pieces of personal data to personalise your experience.

This shouldn’t be a surprise to you as a reader. All social media platforms have had to disclose publicly which items of data they collect and what they use it for, and they’ve done so with great gusto. You can decline elements of this data collection of course, but you can’t even create an account without clicking away some of your control.

If your employer had asked for your shopping habits, your YouTube preferences, your Candy Crush level, your political biases, you’d be into HR in a heartbeat. For some reason though, we’re all OK with the social media giants having this level of information and more.

It seems that FOMO has outweighed our desire for privacy and control where social media is concerned, for now at least.

Parting Comments

There are so many other things to discuss where GDPR is concerned. GDPR has created a whole new brand of geeks – cybersecurity professionals and information officers who have transformed themselves into GDPR specialists and Data Protection Officers. Fair play to them, they have capitalised on our need to be supported through the quagmire of new requirements, and who can blame them?

How about the LA Times? Just one of many international news sites you can no longer view from the EU. They decided that the risk of breaching the GDPR was just too great, so rather than deal with it they’ve simply blocked EU access.


Realistically, the positive changes that the GDPR sought to bring are yet to be seen. Action is most definitely being taken, with €55.96M in fines being handed out. Bear in mind though that €50M of that came from the ICO’s first action under the GDPR – they went after Google. 200,000+ cases of data breaches have been reported, but 65,000 of these came from well-behaved Data Protection Officers, reporting their own breaches.

What the GDPR has done so far is to make EU citizens very aware of who collects their data, how it’s collected, what it’s used for, and how to say no. In theory it’s also given us a very visible course of action if we feel that our privacy entitlement is being violated, and the right to be forgotten, but there are multiple hiccups and loopholes in those processes.

The GDPR is still a baby really, and when it grows up it has the potential to be something truly great. For now though it’s mainly just causing sleepless nights and costing us a fortune, and giving us something to chat about on the bus.
