Sunday 9 May 2021 11:00 am

GDPR is three years old this month - has it really disrupted the business of data?

Sara Newman is Co-founder and Practice Lead of Securys

We all remember it: the onslaught of emails from every newsletter we had ever signed up to asking us to confirm we were happy to stay in their database. The introduction of the General Data Protection Regulation three years ago threatened to cause ruptures in the way we dealt with our information. It can seem niche, the stuff that belongs to tech and data geeks, the trade negotiators and CEOs. But its impact has been felt by everyone.

I have worked with GDPR since before it was introduced. We’ve seen school bursars made responsible for privacy, along with operations managers, theatre box offices and marketing agencies.

I’ve watched it create new career opportunities. I’ve seen small operations working hard to stay on the right side of the regulations. I’ve seen some of the panic it caused initially, and the fear of fines giving way to the spirit of data privacy.

Despite the initial anxiety about GDPR, the sky didn’t fall in, and the biggest fines we have seen were harsh but fair. They were confined to the biggest companies that made the biggest mistakes. In October last year, British Airways was fined £20 million and Marriott £18.4 million for substantial breaches of the rules.

The gap in understanding between GDPR and the Data Protection Act which preceded it is vast, even though the two are not very different. The difference is that most organisations paid little more than lip service to the old one.

The conversation about data is happening between friends and at home. There is a shifting awareness that data privacy is a right worthy of strong protection. This has had a knock-on effect: companies now leverage their privacy credentials for commercial advantage. Apple’s latest iOS update is a testament to this. One of the cornerstones of the update gives users control over their data, with the ability to decide which apps can track their activity.

Companies are more concerned these days about the reputational damage of a breach than a fine itself.

It’s not all perfect. Article 14 of the regulation exposes organisations that hardly deserve fines. It spells out the right to be informed when someone is collecting information about you from sources other than yourself. Even if you are researching publicly available information, you have to notify the person of what you’re doing within a month of obtaining it at the latest. And they have a right to tell you to stop doing it.

Journalists lobbied hard to be exempt – and they are. However, charities in particular are affected by this. Ahead of going in to meet a big potential donor, charities will research that person’s philanthropic habits, their children and the schools they attend, their spouse, holiday homes and more. 

This is because philanthropy is often driven by personal experiences. Perhaps they support a children’s charity because they had a sick child. Perhaps they care about environmental issues because they’ve been regenerating land somewhere. 

When charitable funds are on the line, you really don’t want to put a foot wrong by mentioning a relative who, unknown to you, had recently died, or a friend who, unknown to you, had been embroiled in a scandal.

When a big donor is meeting with a charity, they expect the charity to have done their homework. They are busy people who expect their reputation to precede them. They don’t want to explain things about themselves that others should already know. 

People in the business of lobbying are in a similar position. Once again, it’s often the personal life that informs someone’s willingness to support a political campaign. 

The requirement is not practical and creates unnecessary fear. In the last three years, there has not been any enforcement action from the UK’s regulator, the Information Commissioner’s Office (ICO), over Article 14.

The other area where we are at risk of falling behind is training. Three years on, there is still no regulator-certified training course for GDPR. Globally, the International Association of Privacy Professionals is seen as the gold standard, but its certifications do not carry the regulator’s approval.

So, we’re three years in and there’s a way to go. There are still organisations across the UK on a journey to compliance. And there is still not nearly enough conversation about the human rights surrounding our data.

City A.M.'s opinion pages are a place for thought-provoking views and debate. These views are not necessarily shared by City A.M.
