As I See It
GDPR privacy rulebook is another Brussels muddle
I do hope the new GDPR rules on privacy prove to be a worthwhile and life-enhancing experience, not least because of the time and effort we’re all being forced to devote to this latest directive from the Brussels civil service that the UK is about to unfriend.
In my view, it’s all got a bit hysterical with organisations interpreting the rules only as they understand them, or should I say fear them. It’s the prospect of being hit with a whopping great fine that’s creating this rush to become all data-friendly.
It reminds me of the Y2K syndrome which won’t mean much to anyone much below the age of 35, but for the rest of us was another exercise in frightening us half to death. On the big day (1 January 2000) computers would fail to recognise the year change to 00 and planes would fall out of the sky.
Of course, nothing happened, except a lot of IT consultants made a lot of money “advising” us on what to do although, as things turned out, we didn’t need to do them at all. The best thing that came out of it was that companies upgraded their ageing IT systems. Unfortunately, it also sent the IT sector into a slump for a few years as, having also been forced into buying stuff they didn’t need, no one wanted to spend more money on ‘upgrades’.
This time the IT guys have ganged up with the lawyers to scare us into believing we have to prepare for the worst, or suffer the consequences. They have effectively taken note of what the insurance industry has been doing for 200 years.
To be fair, there is a bit of a difference with GDPR in so far as there is a real risk that somebody will get clobbered by the new rules. Armies of privacy police will be champing at the bit for 25 May to arrive so they can pounce on their first victims. Even so, a tiny firm turning over £100,000 may be prepared to see the threat of being fined 4% of turnover (£4,000) as a chance worth taking just to avoid the rigmarole and cost of being GDPR compliant. The potential cost of losing clients from their database may well exceed this figure.
The penalty may be one thing, but just understanding the darned thing is another. Despite the constant stream of advice there are conflicting views on what amounts to compliance and there is no mandatory requirement to register your compliance.
It is certainly creating a lot of confusion and arguably some damaging over-reaction. I know of one firm which has destroyed all information it has held on anyone who has applied for a job. No more letters stating: “Thanks, you weren’t successful on this occasion but we will hold your records on file in the event of another opportunity arising….” Well, the firm in question may have lost some potential superstars who won’t be getting a call when those opportunities do come up.
Valued client? I’ve never heard from you
There has been a flurry of emails to in-boxes requesting consent to continue communication from companies that had never before made any contact. As I write this a law firm in Scotland has just emailed me as a “valued client” stating that it wants to continue sending me information. To be honest, I can’t recall ever receiving information from this firm. To call me a valued client is a bit rich (actually, it’s a lie), but maybe it’s a positive. Someone wants us to be friends.
As I type this next sentence I’m getting yet another request (which shows how much traffic this is generating), this time from an organisation called YouPic which is telling me “Your privacy is very important to us, so please consent by clicking the button below if you would like to continue receiving updates from YouPic on announcements, insights and potential opportunities”.
I have to say I have had no previous contact with this outfit either and have no idea what it does. It claims to be based in Gothenburg, Sweden. I’ll add it to the folder marked “questionable contacts” which includes others from Texas and Namibia.
Thanks GDPR, you seem to be creating, rather than removing, a new wave of irritant direct marketers and scammers who have found my email from somewhere and seem to be doing exactly what the new rules are supposed to be preventing. Inevitably, and worryingly, some of these ‘privacy’ requests will be from fake companies which will result in someone getting hacked simply by trying to do the right thing.
The cause of this privacy panic is rooted in activities such as identity theft which, in turn, was made possible by IT experts developing technologies that made it easier to hack into people’s personal data. It has spawned an industry of data gobblers intent on raiding whatever information they can get their hands on, some to sell on to marketing people and others to use for their own fiendish practices.
The Cambridge Analytica / Facebook scandal was at least a timely reminder that GDPR was on its way. Of course, when we all had paper records that could be torn up and burned, none of this was a problem. Now the IT and social media industries are being told to clean up their mess.
So, here we are with yet another burden for businesses to grapple with, and it starts with trying to understand what you’re supposed to do.
Misunderstanding the rules
The generally held view is that everyone has to opt-in through some form of positive action, and this has led to a flood of requests from no end of people saying things like “I can’t send you news about my organisation / client / brother’s wedding plans unless I have your permission”.
This has to be the biggest misunderstanding of the rules. No one is saying you can no longer send out a press release to a journalist you’ve known for years, or even one you’ve never previously contacted (at least I hope that’s the case).
In that vein, the TSB wrote to me last week, accompanying its letter with a 24-page booklet which opened by saying “we want you to have trust and confidence in the way we deal with your information.” This is the same bank which has managed to allow customers to see each other’s bank statements because its IT system screwed up.
It goes on to say that “we’d like to tell you about things we genuinely believe will benefit you. But without your permission we can’t get in touch with you.”
What? A bank that no one could contact for hours, even days, is now asking customers to get in touch?
No other bank has told me that they can’t contact me without my permission. Nor any utility, the council, my dog’s vet, the dentist, the man who’s coming to tile the bathroom… It seems some of the people I deal with don’t see the need. So why should I contact TSB? If the bank wants my custom it knows where to find me.
Trouble is that many firms are worrying that many valued clients just won’t get round to responding and will drop off important marketing lists. What do you do then? Do you have to ignore them? If they say no, does that mean you face a lifetime bar from ever speaking to them again? If you do try to rekindle contact will you get charged with harassment (that’s another story) as well as contravening the GDPR rules?
The common view is that it will require a few test cases to flesh out the many inconsistencies, uncertainties and unintended consequences in the new rules. It will also be incumbent on the authorities to do the decent thing and provide a guiding hand rather than a penalty notice to ‘accidental offenders’ until we all fully understand what is allowed and not allowed.
I was rather taken by another email from Tony Langham, chief executive of the City PR firm Lansons, which opened by saying: “I wanted to get in touch to let you know that, despite the changes to privacy laws that are coming into effect on 25 May, Lansons is carrying on with public relations, reputation management and the like.”
In other words, let’s just get on with doing what we’re supposed to be doing, and make sure GDPR does not stop us from doing business with each other.