GDPR: if you don’t prepare, the joke’s on you
A joke has been doing the rounds on email recently, one I think will resonate with anybody feeling aggrieved about the amount of personal data stored and used by large companies.
In summary: a man calls his usual pizza place, which has recently been taken over by Google. A conversation ensues, during which Google Pizza reveal more and more personal information about the caller, including his pizza-ordering preferences, his cholesterol levels and the exact state of his finances.
When the frustrated caller explains that he is going to cast himself away on a remote island to get away from Google, Facebook and the rest, he is told, “I understand sir, but you need to renew your passport first. It expired six weeks ago.”
As the saying goes, jokes are funny because they contain a hint of truth, so you could be forgiven for seeing this fictional telephone call as a nod to where things are heading. Influential companies such as Google, Facebook and Twitter seem to know everything about us, while advertising, particularly on social media, is increasingly tailored to our personal tastes and preferences.
It is for this reason that the forthcoming General Data Protection Regulation (GDPR), which will replace the existing Data Protection Act 1998, should be welcomed.
The scope of GDPR
GDPR expands the current definition of “personal data” to include online identifiers such as IP addresses, as well as genetic data, meaning that just about anything that could be used to identify an individual can count as personal data. The result is that we will have a lot more say in how our data is stored and used, hopefully beginning with a reduction in those annoying cold calls!
GDPR applies from 25th May 2018, so businesses will need to ensure they are compliant by that date.
Considering how close we are to the full implementation of GDPR, and how far-reaching its effects will be, it is perhaps surprising how little I have heard the subject discussed amongst business people.
Many seem to have adopted a ‘head in the sand’ approach, yet with penalties for non-compliance of up to €20m or 4% of annual global turnover (whichever is the greater), this is a potentially expensive position to take.
Planning for success
As with any new regulation, planning is vital. If you haven’t done so already, you will need to establish methods for obtaining, and being able to demonstrate, valid consent for any data you collect on that basis.
You will also need to explain to individuals how their information will be used and where it will be stored. Under these rules you won’t be able to sign somebody up to your mailing list just because they once gave you their business card. Any information you collect then needs to be stored securely.
If your head is only just emerging from the sand, a good starting point is a data audit in the run-up to May: check your company’s current systems and processes and highlight any areas of non-compliance.
The Information Commissioner’s Office website contains further information about GDPR, and includes a helpful checklist. For advice about general business planning, and on how to incorporate new regulations into your company’s future strategy, please contact one of our specialist advisors at Rickard Luckin.
The joke in full
CALLER: Is this Gordon’s Pizza?
GOOGLE: No sir, it’s Google Pizza.
CALLER: I must have dialled a wrong number. Sorry.
GOOGLE: No sir, Google bought Gordon’s Pizza last month.
CALLER: OK. I would like to order a pizza.
GOOGLE: Do you want your usual, sir?
CALLER: My usual? You know me?
GOOGLE: According to our caller ID data sheet, the last 12 times you called you ordered an extra-large pizza with three cheeses, sausage, pepperoni, mushrooms and meatballs on a thick crust.
CALLER: OK! That’s what I want …
GOOGLE: May I suggest that this time you order a pizza with ricotta, arugula, sun-dried tomatoes and olives on a whole wheat gluten-free thin crust?
CALLER: What? I detest vegetables!
GOOGLE: Your cholesterol is not good, sir.
CALLER: How the hell do you know?!
GOOGLE: Well, we cross-referenced your home phone number with your medical records. We have the result of your blood tests for the last 7 years.
CALLER: Okay, but I do not want your rotten vegetable pizza! I already take medication for my cholesterol.
GOOGLE: Excuse me sir, but you have not taken your medication regularly. According to our database, you only purchased a box of 30 cholesterol tablets once, at Drug RX Network, 4 months ago.
CALLER: I bought more from another drugstore.
GOOGLE: That doesn’t show on your credit card statement.
CALLER: I paid in cash.
GOOGLE: But you did not withdraw enough cash according to your bank statement.
CALLER: I have other sources of cash.
GOOGLE: That doesn’t show on your last tax return unless you bought them using an undeclared income source, which is against the law.
CALLER: WHAT THE HELL!!!
GOOGLE: I’m sorry, sir, we use such information only with the sole intention of helping you.
CALLER: Enough already! I’m sick to death of Google, Facebook, Twitter, WhatsApp and all the others. I’m going to an island without internet or cable TV, where there is no cell phone service and no one to watch me or spy on me.
GOOGLE: I understand sir, but you need to renew your passport first. It expired 6 weeks ago…