The EU’s draconian data protection legislation, which came into force on 25 May this year, has far-reaching powers.
The General Data Protection Regulation (GDPR) was designed by the Eurocrats to help protect the privacy of all its citizens, which must be a good thing, right?
But, like so many of the directives that have emerged from Europe, the people of the 28 member countries had no say on whether or not they choose to implement such measures. In the case of the UK, parliament had no right to challenge this new law (and that is contrary to the notion of democracy and particularly relevant to the Brexit debate).
Even if you’re outside the EU, but you trade with companies in any member state, you must comply with the new legislation.
At the heart of GDPR is the right to be forgotten (by those companies who hold your data), which was a step in the right direction, but there was no mention of the credit scoring companies (like Experian, for example) who manipulate and sell your data without any permission. I certainly never gave permission to have my credit history stored, let alone analysed and sold.
The one thing the new legislation has not stopped is the spammers sending countless emails selling SEO services or medicines, and it’s not stopping the cold calls from people trying to trick people into giving away their money, because it is virtually impossible to locate or shut down such operators.
Companies operating legitimate businesses, who hold and process data, are now having to jump through all the hoops in order to be compliant with GDPR, which means they are spending time and money on ensuring that their clients, contacts and customers have all opted in to continue to be on a database or otherwise be contacted.
Under GDPR it is no longer enough for customers and contacts to opt out (as was the situation) from future correspondence. They have to opt in and their decision to agree to opt in has to be recorded.
Whilst larger companies can more easily afford to implement procedures to remain compliant with GDPR, it will be the SMEs, the backbone of UK Plc, who will be bearing the cost of these changes.
The irony is that most companies were already doing the right thing with their data under the Data Protection Act, and GDPR has become a huge hammer to crack a relatively small nut.
Data privacy is important to everyone, but there is a huge difference between a local plumbing business having your mobile phone details and companies like Amazon, who process your data, profile your behaviour and otherwise use their algorithms to ensure that you receive automated suggestions for things you might like to buy.
In this respect, GDPR should only have been applicable to companies that employ over 250 people (or whatever would be an appropriate threshold), leaving the rest to comply with existing data protection laws.