Monday, 2 September 2019

GDPR: commerce, politics and your local society

The huge fines levied by the Information Commissioner's Office (ICO) on an airline and a hotel chain hit the headlines last month. The data breaches were serious and no doubt the officials felt that they at long last had punishment at their disposal which would fit the crime. The culprits are large, though, and even if the fines can not be met wholly by contingency funds, one wonders how swiftly they will be recouped through a pound extra here or there on customer prices. For that reason, are they a real punishment and deterrent? It was noticeable that when the US Federal Trade Commission levied a multi-billion dollar fine on Facebook in July for its part in the Cambridge Analytica data misuse scandal, Facebook's share price actually rose, showing that the markets had reckoned how the multi-national giant could take the fine in its stride.

One path to rectitude was suggested by a contributor to last week's Unreliable Evidence, in respect of corporations below the behemoth level at least. In view of the increased size of fines, companies would clearly need to take out insurance against data breaches. The specialist insurers would be able to tailor their premiums - or refuse the risk - depending on the security measures in force, much as general insurers do with household insurance. Reducing one of the overheads would he a great incentive to companies to take a less cavalier attitude to their customers' personal details.

That radio programme was a valuable overview of the law on data protection, featuring as it did not only practitioners in the field but also a specialist journalist. The impact of the EU's General Data Protection Regulation on companies and its benefits for the ordinary citizen were discussed. What, sadly, the contributors did not have time for was an examination of the effects of this mighty legislation on smaller organisations, clubs and societies which need to maintain a membership list and probably some personal information on each member. GDPR bears particularly hard on political parties. The general public probably does not realise how much even the major parties depend on their local branches and affiliates and the information about voting habits they have built up over the years. GDPR dictates that people must give explicit permission for that information to be retained, in whatever form. Hence local secretaries and treasurers scurrying around with surveys followed by mass shredding of paper records as well as wiping disks on personal computers. The suspicion must be that many local parties are unwittingly committing an offence through forgetting about bundles of paper records or abandoned computers. Conversely, the big boys, Conservative Central Office and the like, have probably found ways of warehousing data and shielding it from the ICO.

Finally, there is a Brexit angle. Once out, the UK becomes a third country under EU law. Although GDPR legislation  will be maintained, it will be up to the institutions of the EU to decide whether the UK remains a safe country for data to be transferred to. The UK government's advice may be unduly optimistic.


No comments: