Doing the right thing by data
Paul Cook asks whether we really need to be reaching for the big stick when it comes to personal data.
A vast number of tweets, blogs, videos, tip sheets, podcasts and infographics in recent months have put GDPR (General Data Protection Regulation) as their focus. Quite rightly, as awareness has to be raised. After all, it is about the rights of individuals when it comes to their personal information.
However, the rights of people and their data protection is nothing new. It has been gradually stepped up since the 1940s when the Universal Declaration of Human Rights came into force. Now the issue has stepped firmly centre stage.
GDPR has been kicked around extensively, and we see some organisations acknowledging they need to do something about it, while others argue it doesn’t apply to them (and for a very tiny few that could well be the case).
How welcome is GDPR?
A number of organisations are unhappy with having to make changes to how they look after personal information. Some are in denial, some angry and some have accepted the need to take action.
What it actually stands for, however, is the rights of the individual, which surely can only be a good thing?
The question I have is: why would an organisation be unhappy to do all it could to protect the personal data in its custody?
Honesty, truth and reputation
Many organisations take pride in having honesty and truth as their values. They fear damage to their reputation. Moreover, people (of all ages) are digging deeper into understanding the values of the organisations they want to work for, so a squeaky clean image is both desirable and needed.
Also, consider the mismatch between behaviours within organisations. We can explore this with personal data as our lens.
An individual decides they want to attend a conference. They provide their personal information to the organiser to gain admittance. All is well. The individual receives their conference ticket and the organiser has the information they need to be able to facilitate it. Later, the organiser decides to make the most of the data of the 500 delegates. They want to analyse, sell or share it. They do so, year after year. The data grows and they work it some more.
However, the personal information was only ever provided (unless stipulated otherwise) for the purpose of gaining entry to the conference. And that is where the challenge lands for many organisations.
The key point for the delegate is: I own my information and I have loaned it to you. It doesn’t belong to your organisation.
Clearly some organisations have forgotten the data is not theirs.
And so, in many blog posts, we hear of the fines and penalties that apply under GDPR. Many consultants start their presentations by highlighting the threat of fines.
Clearly organisations need to avoid this, not just because they could go out of business, but because they could be told to stop processing information.
Penalties do not help an individual who has been the subject of identity theft because of a lack of care on the part of an organisation, but they may make organisations more accountable; but shouldn’t they be doing that anyway?
When you distil it, everything that GDPR sets out to do is simple. It is just asking organisations to be accountable for personal information that has been entrusted to them.
I, for one, hope we don’t need to be reaching for the stick.
And don't forget PECR
GDPR is not, of course, the only regulation that affects organisations of all shapes and sizes. Sitting alongside GDPR is PECR (the Privacy and Electronic Communications Regulations).
Why do organisations wait to see what the regulation requires before taking action?
Is a big stick (fines, penalties, etc.) really the answer when it comes to personal data? I think it goes some of the way to getting some organisations to become more accountable.