For those who thought GDPR was a hammer to crack a nut, think again. Globally, countries are taking notice of the EU’s policy and smartening up their act.
Initially there was a lot of grumbling about GDPR being too draconian.
‘We only need a few tweaks to make this right’ was some people’s opinion. However, as the months roll on after GDPR’s implementation on 25th May 2018, we are beginning to realise this is not the case.
GDPR has shone a spotlight on just what behaviours were going on regarding our data.
Many of us had become a little complacent about our data, thinking we had no control. We had simply got used to signing up for “free” social media platforms and thinking any abuses were just par for the course.
We now know that GDPR has demonstrated how ruthless companies have been in exploiting our data.
Once we had signed up for a service, that was often seen as carte blanche to do whatever with our data. That initial sign-up was not specific permission to do anything other than keep our data. When did you ever sign up to the “sell my data to the highest bidder regardless of due diligence”? Exactly.
So, for those who might still be thinking that GDPR will die a death, we say: think again.
In India, for example, they have been reviewing GDPR and their Justice Srikrishna Committee has recently reported back with a proposal for a draft data protection law. They see some of the main aspects of GDPR as being highly relevant to users in the country. For example, having the ability to access and correct misinformation is one and having the right to be forgotten is another. The right to portability is also on the agenda but they don’t seem to be developing such a comprehensive approach as the EU’s GDPR. Interestingly, the committee has not given a specific definition of ‘critical personal data’. Central government will be in charge of defining what that might be.
However, things are not as straightforward in India.
If you think the EU’s GDPR was a nightmare then consider this: Indian names are often indicative of a person’s caste. This has been defined as sensitive personal data, should this new law come into force. What this will mean is that any company that collects data will have to ask for specific permission from the user.
Not only this, but other information such as biometric, genetic or health data will be considered sensitive.
Financial data and tribe also come under this category. Given how complex companies have found GDPR, this additional consideration will be a challenge. It is not surprising, therefore, that many interested parties are actually drafting suggestions to amend this bill. It appears that without total clarity there will be many areas that will cause confusion and lack of cohesion.
GDPR has unearthed some extraordinary issues
As names are often an indication of caste, companies may well have to ask permission even to handle the name as data. Imagine that. This issue cannot be ignored, as in the past some have omitted their name from official records. The reason for this is a fear of prejudice and unfairness when finding employment and also in social profiling.
Right now the recommendation is that any user should expect their privacy to be protected online.
Also, everyone should expect notice and adequate reasoning when a company plans to process their data. The ramifications are going to be immense and it will be interesting to see just how India manages its own version of GDPR.
Meanwhile in France, the French regulator CNIL was flexing its muscle.
In the past few days Fidzup and Teemo, data companies based in the country, have been issued with a non-compliance warning. These are first tests and it will be very interesting to see the companies’ response and how the CNIL deals with continued non-compliance.
With GDPR in full swing it is clear that a number of violations have been routinely taking place.
These two companies are involved with location intelligence. They are vendors of such data and work to align online and offline advertising with pinpoint accuracy. These two companies are constantly collecting location data from their partner apps through the use of SDKs. How this works is that these two tech companies pay app publishers for location data.
In future we will be more aware
This is another example of how consumers are simply unaware of what is happening to their data. It is through the publication of CNIL notices that the reality is made clear. In this case what has happened is that a consumer might download an app that is in partnership with Teemo or Fidzup. Obviously permission was sought for using location data. However, that was then taken as implicit permission to transfer data to another party.
Is the CNIL being too kind?
CNIL affirmed that this is not the same as specific consent for third parties to collect data for the purpose of using it for their own marketing and advertising purposes. Therefore both companies are mandated to come back into compliance with GDPR within three months, or 90 days. If the companies implement GDPR and make amends, CNIL said there would be no penalty. However, failure to comply with GDPR norms will lead to sanctions, and will demonstrate just how sharp CNIL’s teeth might be.
What this demonstrates is that GDPR is not going to roll over and die.
Anyone in business who has chosen to ignore the GDPR furore, in the hope that people will forget it exists, is in danger of being delusional. GDPR is here to protect individuals’ rights. It is a development that comes after abuses were allowed to go on unchecked for decades. Even exam results are now available to be pored over. We suspect younger generations’ expectations regarding data will be very different. If you need help or advice regarding how to make your online business compliant, there is plenty around. Why not check out the GDPR tracker useful resources page to start?
The dust may have settled with GDPR, but now the real polishing will begin. You have been warned!