Is GDPR a farce?
Posted on 13th November 2018
Earlier in this year, countless databases were purged and thousands of pounds spent by many companies to ensure they remain on the right side of the General Data Protection Regulation. As a result, virtually all the companies I know saw their databases reduced massively, often by over 90+%. Previously, many of these databases were used extensively for marketing and a lot of people were fed up of the associated cold calls, unsolicited mail, etc.
The idea behind GDPR, of course, was to prevent this happening and give us more privacy. People were, rightly, fed up of those cold calls, unsolicited mail and marketing and communications that they had no recollection of requesting.
Understanding GDPR is not easy. The full text of GDPR has 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. On top of this, there are eight rights for individuals.
Today, people are still, rightly, fed up of cold calls, unsolicited mail, etc. but it does seem the majority of companies have made serious attempts to curtail their previous activities.
That said, I know I’m not alone in thinking that all those emails I got in May this year, in the run-up to GDPR becoming law on 25thMay, asking me to opt in to all the things I didn’t know I’d opted into in the first place, were a waste of time. I eventually got so fed up I couldn’t be bothered to check the various options for “do you want to receive this/this/or this?” Instead, I just deleted most of them and, surprise, surprise, I seem still to get marketing information from quite a few. I am pretty sure that a lot of companies are just hoping that no-one will bother to complain.
In fact, there are 500 or so calls per week to the ICO (see below) but that’s an infinitesimal fraction of the number of web visits made and marketing emails sent in the same time period. In other words, playing the percentage game is, statistically speaking, pretty safe for most companies.
Obviously, one of the ways that companies previously sucked people into their ambit was via the cookies on their website. Now, almost every time you go onto a new website you get a message of some kind, offering you’re the chance to either accept the cookies or to adjust the settings. I suspect that quite a few people, like me, have tried to adjust the settings, only to find that it’s really hard to do so. In fact, I have come to the conclusion that some companies deliberately make it very difficult indeed even to find the settings let alone “adjust them.” To illustrate this, I Googled “GDPR explained” and the first four websites I went to – all purporting to be able to explain the subject to me - didn’t even offer a privacy warning or the opportunity to manage the cookies.
When you do find the privacy settings, you discover that actually it’s common for some of them to involve “associated companies,” which basically means companies to which you will give permission to send you stuff unless you tick the box to prevent them. Even more cleverly/annoyingly, some companies set up their cookie management dialog boxes to make it virtually impossible to use them. Also, if/when you do get to the “ad selection, delivery, reporting” tab, you find you have the option to click through to see the “vendor list,” and when you scroll down this list there are, literally, hundreds of “partners,” all of which might “deliver relevant advertising.”
As noted above, the ICO has had 500 calls per week to the telephone line set up for reporting breaches of GDPR, but, to September 2018 at least, no-one has been fined. About 20% of reported breaches involve cyber incidents, of which nearly half are the result of phishing. The rest involve malware (10%), misconfiguration (8%) and ransomware (6%) amongst others.
Many firms were simply not ready for GDPR. I know some that still are not remotely on top of their databases. For them, the good news is that the UK information commissioner has made it clear she doesn’t intend to make examples of companies by issuing large fines when they're not deserved. I suspect that small firms who have just made a mess of things will be pretty safe. The ICO has said it will try to engage with companies rather than issue them with punishments straight away. Companies who have shown awareness and tried to comply with GDPR are likely to be treated better than those who have done nothing, whether deliberately or not. In other words, the new system is evolving, but based on what I'm seeing at the moment, unscrupulous companies are finding it relatively easy to sidestep the regulation and continue to serve us with marketing we don't want or need.
Alastair Blair, thePotentMix
This is an abridged version of a longer blog post, available on thePotentMix website.
Posted in Guest blog, Opinion
.. Back to Blog