What happened to those lovely consent emails?
Now that the age of consent has come to an end (i.e. 25th of May), it’s time to reflect and contemplate, “What in the world was all that about?” I have checked with a number of fellow colleagues and we have all received spam email from organisations we had not provided consent for. Obviously the “love to stay in touch” emails meant they were going to stay in touch anyway. No matter what we would have done, the result would have been the same.
The GDPR elephant in the room.
The implication from this is that businesses responded out of fear and panic to “appear” to be doing something about GDPR, but the backend systems weren’t even touched. Was there even an attempt at reforming the way they process information? Where are the data maps tracing the flow of information, and the privacy impact assessments to measure the impact of a breach and prioritise efforts? Most organisations haven’t even begun on that task, as evidenced by our names still being on their mailing lists. The whole thing seems a pointless exercise in herd behaviour, while no-one actually read the legislation, which specifies that “legitimate interest”, i.e. business communications, was exempt. Meanwhile the elephant in the room, getting organisations’ systems in order to protect individuals’ private data, has been all but ignored as the whole thing seems just a bit “too hard”.
Subject access requests, using GDPR as a weapon.
If that has been the attitude of business owners to this point, then something much nastier is coming down the line: the use of “subject access requests”. This simple tool could be used to trip up businesses by tying them up with extra admin. This is where GDPR can be used as a weapon. See the latest FT article on how firms are coping with the changes.
Requests could come from a disgruntled customer, an ex-employee with a grudge or a malicious competitor, simply swamping a business with requests in the hope that this will force an error of not responding within the one month limit. This could open the door to ICO penalties. We have already seen consultancies sign people up in bulk to make group claims; think PPI on steroids. The ICO won’t need to audit companies. They are relying on an army of private individuals to act as their own secret agents waiting to dob businesses in. If organisations aren’t prepared for that onslaught, then your admin time will be sucked up in servicing these requests and fighting claims. This is where having an organised CRM/document management system comes into its own. Having an organised system in place to deal with these requests quickly and accurately avoids getting caught up in red tape.
Next in the series, “setting up a system to deal with Subject Access Requests”.
If you need our assistance in getting your organisation GDPR compliant, please see our introductory offer and Services page. Further information is available in our FAQ section, and useful tools in downloads.