Despite several months until the GDPR implementation articles are already appearing in the press, focussing on the data rights individuals will have. Many of these are inaccurate (I saw one last week suggesting that subject access requests have to be complied with in 72 hours!) and will mislead consumers about their rights.
To counter the balance is good to see that the ICO is working with industry to try to ensure that the GDPR mis-information is kept to a minimum, but what does the general public want from the new regime and are they even aware of what it means for them?
Even before the GDPR is implemented we have seen an increase of activity from individuals exercising their existing rights and this has been exacerbated by intermediaries (dare I call them ambulance chasers) offering to help individuals receive compensation for data misuse and loss. Their tactics are not subtle, demanding significant compensation for minor transgressions such as a single promotional email sent in error. As that article suggested, “Privacy is the new PPI”.
Individuals are also banding together to seek compensation. The recent Morrisons’ case – which found the supermarket vicariously liable for the actions of a rogue employee who published payroll data relating to employees online – was brought by a group of 5,500 affected individuals.
Another example is the brilliantly named “Google you owe us” campaign which is taking Google to court because it believes they illegally used search information to target ads. Head of the campaign and former “Which?” Director Richard Lloyd is clear about its aim, “Google’s actions have affected millions, and we’ll be asking the courts to remedy this major breach of trust…. I’ve taken on one of the biggest fights of my life in representing this legal action which is the first case of its kind in the UK against a major tech company for misusing our valuable personal data.”
So, is there any evidence that individuals are champing at the bit to exercise new (and old) rights over their data? A recent survey by SAS showed that 62% of those questioned were keen to be erased and 38% thought that portability was a good idea. Subject access requests may also increase significantly with 32% of respondents claiming they would ask their bank for access to data.
We are still waiting for the European Commission’s “massive” consumer campaign about the GDPR to be launched and for the ICO’s initiative to bear fruit. In the vacuum, the mis-information continues to circulate and could cause an extra headache for data controllers as they struggle to prepare for the May deadline.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.