Posted by Charlotte Ebbutt, Solicitor
The need for data regulation transcends GDPR fatigue
Whilst many in business are becoming fatigued with the amount of GDPR-related content in their inboxes this fatigue is not replicated amongst individual data subjects. In fact precisely the opposite, individuals are increasingly aware of the value of their personal data and more and more concerned by the growing reports of data misuse. Few people outside the data sharing business had understood the trade in their data or appreciated the personal risk involved.
Under the current regime large data breaches go unreported for long periods and once inside an organisation data practices were largely hidden from view. Society is waking up to the need for greater data security and for organisations in breach of data laws to be held to account.
Facebook waited more than two years before revealing what has been termed unprecedented data harvesting. It appears that the Cambridge Analytica researcher collected data not only on the 270,000 participants in the survey but also on their friends, who knew nothing about it.
The most recent example of data misuse highlighted in the press is the unauthorised and, in some cases, unencrypted sharing of the HIV status of those using the Grindr app.
Grindr has allegedly been sharing data on the HIV status of their users with two third party organisations and a Norwegian not for profit organisation. Needless to say this sharing was without the knowledge or consent of the data subjects involved.
This highly sensitive data, which would be termed special category data under the forthcoming GDPR, was shared with two organisations whose role was reportedly to optimise use of the app. The data was sent to these companies, and the Norwegian not for profit, in some cases unencrypted and combined with other data identifying the data subject’s GPS location and telephone number.
Grindr has commented that the sharing of data in this way was “standard practice” with apps and subject to strict contractual terms providing for the highest level of data security. Since becoming public the practice has been discontinued. It does however highlight the need for transparency when organisations are handling personal data.
GDPR will enable informed consent and will emphasise risks for data controllers as well as those faced by data subjects.
Under the GDPR the Privacy Notice provided at the point when a user signs up to an app would specify any data sharing with third parties. It would also require the data controller to ensure that appropriate technical measures were in place to safeguard the data both during transmission to a third party and when being processed or controlled by that third party. A user of the app giving consent to the processing of their data would be doing so from an informed position where they could assess the risk involved.
For the data controller or processor the risk in not following the new data laws is not only the much trumpeted fines and enforcement action by the ICO. The forthcoming Data Protection Act, which will allow the GDPR standards to remain in place post-Brexit and which provides some further detail on its implementation, also gives individuals causes of action against those holding their data in the event of a breach of their obligations. Individuals are therefore better able to ensure that their data is adequately safeguarded. Control is shifting.
Whilst there is no doubt that GDPR fatigue is a reality in organisations coming up to the 25 May 2018 deadline, they ignore the law at their peril in light of the growing awareness and concern amongst data subjects.
If you have not already prepared to be compliant with the new law in time for 25 May time is running out for you to manage this critical risk to your organisation. Contact our specialists on:
0800 923 2073 Email us