Having read and re-read the EU Data Protection Proposals (EUDPP), I believe they will give much-needed strength to the current Act and will also make the data that is held more robust. There are a couple of downsides, but let us look at the whole thing and throw a new perspective on it.
Basically, the EUDPP gives the data subject more power over what their personal information is used for and by whom. It also gives them the right to have their personal information removed from a company database, with the third-party users of that data also notified that it is to be removed. From a citizen’s (data subject’s) perspective, this is a good control to have, as it allows them to pick and choose who they wish to process their data and also prevents an unwanted barrage of marketing, sales and ‘information’ letters, texts and emails. It further prevents the secondary use of their information by other organisations the citizen knows nothing about. The citizen will also have the right to know who has been and is processing their data, and it lets them know they do not have to have their data further processed when they sign up for something.
Surely this is a good thing? It gives us all the right to say ‘yes, I am happy for you to process my personal information’. You then have a definitive customer rather than one who is constantly trying to get away from your unwanted contact and is unhappy with you. It also puts the onus on companies that sell names on to take responsibility for what they do. If a customer says they want no more contact and wants their information erased, then the company will need to ensure it notifies the other companies it has sold the data to and made a profit from.
Current legislation makes harvesting of personal data so easy and lucrative. As long as you have a set of T&Cs and an opt-out somewhere on the form/website, then it is all OK. The ones that really get me are the companies that say ‘by placing this order you give us permission to pass your details on to other third parties we believe you may be interested in hearing from’. The chances of me being interested? Zero, I always cancel the order at that point!! We are legally required to collect personal data for a specified reason, not just so we can make a small fortune by selling it on. The current harvesting methods are more akin to the Russian factory trawler system than any good direct marketing principle! Companies are hoovering up vast amounts of information that they are processing and using for profiling, then selling this enriched data on to other companies who do more of the same, to the detriment of the citizen. This new directive will torpedo the factory trawlers, and citizens will once again have a modicum of control over their lives. At the end of the day, would you rather have 100 happy customers who keep buying from you or 1000 unhappy ones who blog and moan about how bad your company is??
There will also be a new set of rules on what defines personal data, such as online identifiers (IP addresses and even pseudonyms used in social networking) and locational data, where an online placement shows exactly where you are; some search engines have this running in the background all the time, which is why you see everything local to you advertised first. The EUDPP is looking at restricting these, and it could impact both sides of the fence: more people are now used to their location being used online, and there is greater awareness of how IP addresses are being used to assist in fraud and spam prevention, so with these suggestions I am not so sure it will be a good move.
Another area I do agree with, though, is the obligation to notify any data breaches to the regulatory body with ‘no undue delay’ and at least within 24 hours of the breach being discovered. The number of breaches is increasing exponentially, but still not all breaches are notified. This is usually from fear of the repercussions, but at the end of the day, why should the company or individual losing the data get away with it? If it was my data I would certainly be up in arms about it and looking for something to be done, and quickly, yet more and more companies and government agencies are getting away with it.
The one area I must disagree with, though, is the removal of the £10 fee for a Subject Access Request. The amount of time and effort usually taken to fulfil these is ridiculous in some cases, and the fee does not even cover the cost of the photocopying, let alone the cost of getting someone to do the work! This, and the fact that they want companies to employ a Data Protection Officer to manage their DP requirements, may make even more companies decide that enough is enough and drop off the ICO’s radar, thus creating a lot of hidden data that is being illegally processed. Before you do that, though, remember the EUDPP is also suggesting an increase in fines to €1m or 2% of the company’s annual turnover.
If anyone wants to discuss this then feel free, I am always open to debate.