Admit it, you have done this at least once: you were lured by the special offer / freebie / like into signing up for a newsletter… then you forgot about it. Or you installed an IOS/Android/Windows app which asked you for permissions to share with the Martians your accurate location, food prefferences or place of birth.
The personal data requests have become so ubiquitous, that now it is very hard to trace where it lands. It is then perfectly understandable why EU is seeking to make the various companies responsible for minimal safeguards of such personal data.
If you read the law (or the highlights), you would realize most of the requestgs are quite reasonable – and still theoretical. Fortunately for the consumer (and burdening for the companies), the burden of safeguarding and cleaning up the unnecessary data falls on the collectors.
Which is fine, since the companies (especially the tech savvy multinationals) should have more resources and be better prepared for the arrival of the General Data Protection Regulation (GDPR) on May 25th. But are the se big actors ready?
Well, it seems not. Unlike the US companies, used to be data regulated much earlier, the European counterparts seem to be mostly left somehow behind. I can throw in my personal experiences here – I was on over 15 newsletters / databases from various European companies, who notified me about several things:
– I am in there databases with some data,
– the new GDPR regulation is coming place,
– they will do their best to secure my data and
– I can ask at any time for it to be deleted.
All good so far. But words are cheap and nowadays anybody can throw at consumers a nice reassuring email. So I decided to put these data actors at test – after all, they have experts, systems, lawyers and money to make it good to their promisses, correct?
Well, I was surprised. Out of these 15+ newsletters, fewer than half had a link or a way to allow me remove my personal data. So even if I wanted to act, I could not – their promise was hard to keep. What am I supposed to do – contact the call center of these luxury auto makers or famous FMCGs and ask for my personal data to be removed? They were clearly not 100% ready even to consider that most of their data customers would like to act immedaitly and have their data removed.
Of all of the remaining newletters, more than 2/3rds of the links included did NOT work. The notifications were sent shortly before or on May 25th (2018) so they should have been ready – yet, when putting these to a practical test, majority failed. Tested 1 week later (today June 1st), they
So where does this leave us consumers? A few friently reccomendations from my side:
– do not delete or throw away these newsletters – your data might fall on the wrong hands, or could be sold or re-used by the companies. I know corporations have codes of conduct, codes of ethics, customers focus… yet they are there to achieve shareholders goals and embrace digitalization – why not use your precious bits of data to second guess your future consumer wishes?
– report the data breaches to the company and (if they do not act within 72 hours) – to the relevant authorities.
The art. 33 of the GDPR requires that
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
If you have a concern, you should report them to the National Data Protection Authority (http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm) and escalate if necessary.
It is so simple! Please let us have your comments here and your feedback on how the data protection works for you.