There are about 1.4 million companies in the UK. 98% have 2 or 3 employees. The remaining 2% of organisations make up 98% of the workforce! And yet only circa 400,000 have done something about GDPR. After all, it’s the law. Why didn’t the other 1 million? For the same reason two-thirds of us drive over the speed limit – we assume we won’t get caught.
But the point that 400,000 organisations get, which the other 1 million don’t, is that complying with data protection obligations is not about the law. It’s about trust. It’s about the individuals that you deal with on a daily basis, like employees and customers, trusting you. To be a trustworthy organisation, you need to show these ‘data subjects’ that they have genuine choice and control over their own personal data. What is at the centre of ‘trust’? Er, ‘u’! No-one else except you is accountable. You are the organisation that you represent. It’s down to you to show data subjects you care.
Put yourself in their shoes. How would you like it if you didn’t know how your personal data was being processed? Who it was shared with. Why. For how long. What for. On what legal grounds. How to complain. You would get stressed.
That’s no way for an organisation to succeed. Organisations that build a reputation based on trust are the ones that succeed. Nobody likes a ‘bad actor’ – those nefarious folk that, for profit or just for fun, hack your systems and gain unauthorised access to personal data. That’s the very definition of a personal data breach – such unauthorised access is in particular a breach of confidentiality. Here’s the thing. If you don’t give people choice and control – if you don’t tell them what you do with their data – you violate their rights, and you violate your data protection obligations. You are no better than a bad actor. You too have breached the confidentiality of those that wanted to put their trust in you.
Data subjects have a right to know. Not adequately telling them what’s going on violates GDPR. Any subsequent processing that you then undertake is unlawful processing. It is a personal data breach. You are exactly the same as a bad actor, a hacker with no right to process personal data.
Trust starts with being transparent. Data subjects are entitled to clear and concise information. Any processing has to be fair, necessary and legitimate. Don’t process personal data for purposes other than those explained to the data subject. Don’t process personal data that isn’t needed for those purposes. Don’t retain personal data for any longer than the purposes require.
Do allow data subjects access to their personal data. Do allow them to rectify it if it’s wrong. Do give them details of where they can complain if they need to. That is the basis of trust.
The fuss is that trust is still the number one issue for each and every single one of us. We are all beginning to understand what our rights are. You cannot afford to ignore it any longer if you are one of the 1 million organisations mentioned above. It is literally a matter of time before your competitors in the other 400,000 start to reap the rewards of trust.
So, what has GDPR told us 1 year on? It has told us that many of us do actually care. Sure, nearly every organisation still follows the crowd when it comes to ‘privacy notices’, because it’s just easier – it complies with expectations. But unfortunately it doesn’t comply with the law. Nearly every single cookie banner, cookie notice and privacy notice we read is unlawful. In the not-too-distant future there will be exemplars that we can all follow. The problem is that compliance is not a cut-and-paste. Compliance is at a process level. The way you process personal data is different from that of even your closest competitor, set up no doubt by someone that used to work for you. We all do things differently, and rely on different systems and processes.
The fuss is that it actually takes time and effort to comply with GDPR, to provide adequate notices to people that tell them the truth about how their personal data is being processed. It is not some tick-box exercise. In truth, very few organisations can say it has been a fuss – the reality of the situation is that the fuss is still to come.
But here’s the thing. It’s not difficult. Well, it is if you don’t know what you’re doing. Our customers are so surprised when we quite literally get them through all the fuss in a matter of days. They love the fact that we listened when they told us they had other priorities for spending their budgets. They engaged with us to get their contracts right – who knew that, from a data protection point of view, most legally-binding contracts are unlawful – how would you know? But most importantly, the spirit in which our customers undertook their compliance effort was all about the building of trust.
GDPR... what was all the fuss? Trust.
The priviness blog is a forum for the discussion and dissemination of ideas relating to privacy. The posts are written by a number of different authors and do not necessarily represent the views of priviness.