What exactly is the problem? Why are so many organisations getting caught out by processes that are simple to fix; senior executives able to ignore the potential harms to their business; and knowledge about what compliance actually looks like so poor?

For small charities and other membership organisations, where administration is often done by volunteers, the legislation was viewed as just one more rope to be bound with. Many of those who step up and give willingly of their time have little or no interest in the semantics of data collection and usage and have a wide variety of opinions on just how much it actually matters. Knowledge inevitably varies and there are loud calls from the side-lines by individuals who think that the whole process is nonsense.

Hellen Beveridge CIPM CIPP/E FIDM, Privacy Lead, Data Oversight Ltd

This year, after a period of car ownership dictated by the need to get multiple children, two large dogs and many, many bicycles into a single vehicle, we finally got rid of the monster, polluting diesel. Off to the scrap heap courtesy of one careless owner.

New cars come with lots of frills these days. Even before you have the key in your hand it is possible to check the progress of your purchase through whichever digital tool the manufacturer shares with you. Though how valuable this user experience is when your vehicle goes from ‘awaiting build slot’ to ‘on the ship’ in less than 30 minutes is debatable.

Today is World Privacy Day, when those of us with a professional interest in data privacy and protection will be postulating ad nauseam about the progress made, bad actors, what needs to change etc. etc. In among this rhetoric though, we really need to ask ourselves two fundamental questions:

  • What are we trying to protect; and
  • Who are we doing it for.

In some quarters, institutional compliance with data protection legislation is cited at 60-70%. But in reality there are probably 5% of organisations that are anywhere near and a significant proportion that have simply maintained business as usual.
That's all very well - but is the likelihood of being found out getting ever greater as the statutory authorities increase their staff and set themselves up as effective regulators by issuing more enforcement notices?

Nearly 4 months on from GDPR-Day, where exactly are organisations with their data compliance efforts? And what does compliance look like exactly?

There are still companies that think they are fine - risk tolerant directors who think that a tolerably good privacy notice on their website will be enough to keep them on the right side of the law.

But as recent evidence shows, all the paperwork in the world isn't going to paper over the cracks if the ICO disagrees with your methods and methodology. Time already to give your business' data practices a proper MOT.

When companies sent out their zombie emails in the run up to 25th May 2018, the data broking industry probably had no idea of what would come to pass. Emails dropping into empty mailboxes have been more closely scrutinised than ever, with individuals asking the mailer to identify where they obtained the data. Little did the questioner imagine how far into this labyrinthine industry such a simple enquiry would take them.

It could be argued that GDPR is already doing exactly what it said it was going to do - put data privacy front and centre in organisations reliant on data for their business.

But it has also brought about a proliferation of vendors offering solutions for compliance, and with this, white papers that offer advice which isn't always as sound as it should be. How can you be sure that you create marketing campaigns that fit the legislation when you are bombarded by so much conflicting information?

The news that Ticketmaster has lost significant amounts of high-risk customer data didn't take long to hit the mainstream:

The company itself appears, from the Guardian's report, to be downplaying the incident with their statement that the breach affected 'less than 5% of its global customer base' - but the latter is 230 million individuals - so that is, in actual fact, an awful lot of people.

There are some key points to be pulled out from The Guardian report, particularly in the new data protection framework which event companies would be well placed to pay attention to.

Among the many different causes of angst over the effects of the GDPR in the event industry* one of the biggest exists over the scanning of visitor badges for all manner of reasons including lead capture.

Despite what anyone thinks, whether they be lawyers or event organisers, this isn’t a linear issue. Debates over what constitutes compliant behaviour can quickly descend into frustrating ‘no compromise’ stand-offs as each party sticks to their selected position, a situation which adds nothing to the teams on the ground trying to do business.