The privacy ‘phony war’ is over; 15 months on, a wave of GDPR-size fines for data breaches and privacy violations has hit the national media and business radar in the UK and beyond.
From BA to Marriott, the ICO (the UK privacy regulator) issued notices of intention to fine companies almost £300 million in the space of a few weeks this July. Less obvious, but greater, is the damage to trust in the brands affected, plus the cost of remedial work and the disruption of audits in future years.
The ICO publishes the details of all fines and actions taken on its website, which is my regular port of call for insight into ‘what went wrong?’ beyond the headlines. But as most of these actions relate to breaches or misdemeanours which took place in the past, how do they help prepare you for the ongoing challenges of GDPR?
Clues as to how the ICO (and other regulators) will meet their mission to get companies demonstrating accountability, not just compliance, with data privacy regimes can be found by analysing the less eye-catching notices on their site.
If we take the most recent enforcement notice, posted 12 August 2019, the ICO is starting proceedings against a firm, Hudson Bay Finance, which failed to uphold the rights of the Data Subject (aka citizen, consumer, you and me).
Arguably the most basic of these rights is the right of Access: to know, and to be informed, whether an organisation holds personal data on you and, if so, what that data is.
As is often the case, the language used is not particularly accessible, but here are my key takeaways from the ICO’s action:
- An access request was made in writing via signed-for post
- The complainant’s issue was the lack of any response
- The response needs to be made in “an intelligible form”
- The firm failed to inform the complainant that their personal data was being processed, and failed to communicate this in an intelligible form
- This is in violation of the 6th data protection principle of DPA – “personal data shall be processed in accordance with the rights of data subjects under this act”
- Failure to comply with this notice is a criminal offence!
When dealing with the right of access, it’s key that you respond as an organisation in a prompt, consistent manner. That response may be to refuse the requester, or to ask them for more information or for verification of their identity, but doing nothing is not an option.
Although the most common method by which organisations prefer to receive access requests is a web form or email, a data subject can exercise their rights via any accessible channel (in this case, post).
This means you need to think about how consumers exercising their rights across this whole spectrum of channels can be balanced with your operational capability to deliver, and with your disclosure and customer service charter.
As people grow more familiar with their rights, how you respond when they have questions about their data forms a major part of their view of you as a business in general. They will increasingly tell you what personal data they want and how they want to receive it – it’s theirs, after all – and the regulator supports this in letter and spirit.
At Tapmydata we’re helping businesses enter a data dialogue with their customers, prospects and stakeholders. Part of this is blending immediate, automated responses in a channel the consumer has chosen and trusts with a workflow to triage and deal with more complex cases upstream, before the regulator needs to get involved.
Please let me know what you think of our mobile data rights app; we’ll soon share some insights from organisations already using the channel, both here and via our partners.