GDPR Muppets

GDPR: Now We Know Who the Muppets Are

Well, here we are, close of business May 25th, and oh look!, the sun is still shining, the world is still spinning, and no one [decent] went out of business.

What we do have however is an indication of who the world’s biggest muppets are. For example:

…and:

…and the list goes on and on.

As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.

Continue reading

Enough

GDPR May 25th – Slow Down and Get it RIGHT!

If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens of emails from organisations with whom you have had some contact in the past. Most of whom you have probably forgotten about. e.g. I hadn’t used my Garmin account for over a decade but still received an email asking if wanted to ‘opt in’ to continue receiving its “many benefits”.

I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amounts to a clear instructions from the many qualified sources available (i.e. ICO for the UK, Art. 29 WP for everyone else, numerous law firms etc.) on what to do.

Therefore both of the following are true:

  • The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
  • The providers of the guidance had no clue what they were doing

I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.

Here are some of my favourite vendor emails [paraphrased]:

  • “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
  • “Unless you read and sign our new terms and conditions we will cease all communication.”;
  • “Our database of customers’ email addresses, including yours, will be deleted.”
  • “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”
  • “Our website is not available to any European member state…”

Continue reading

Have You Forgotten About the ‘Cookie Law’?

You’ve all heard of the Cookie Law, right?

If the answer is no, and your business has a website that uses cookies (or other ‘online identifiers’), I would suggest you do a little homework. The upcoming EU ePrivacy Regulation not only expands significantly on that law (which is actually a Directive), it includes a fine structure on par with the GDPR.

The Cookie Law is actually the EU ePrivacy Directive  and was responsible for the incredibly irritating banners that pop-up on almost every website in the EU. About the only good news for some organisations is that the banners will likely go away under the new Regulation.

Even for those who are aware of the ePrivacy Regulation (perhaps have even read it), there is still a great deal of confusion. Not just related to the contents of it, but as to whether or not it’s even relevant with the GDPR already covering ‘privacy issues’.

Just 15 minutes of research reveals the following:

  1. The ePrivacy Regulation “particularises and complements” the GDPR – In other words, ePrivacy is an expansion on a single aspect of the GDPR. In this case ‘electronic communications’ (e.g. the ‘online identifiers’ referred to in Recital 30);
    o
  2. ePrivacy covers Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”), the GDPR covers Article 8;
    o
  3. It’s not just about cookies, it covers EVERY aspect of electronic communication. Including; “…calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.“, and all ‘metadata’ relevant to the communication channels themselves;
    o
  4. Unlike the GDPR, it does not just apply to ‘natural persons’, but to ‘legal persons’ as well. i.e. business-to-business; and
    o
  5. It has the most significant impacts in the area of marketing.

So, if your business has a website, performs marketing, or communicates with clients over ‘electronic channels’, you are in scope.

So why isn’t there anywhere near the kind of panic and hype over this Regulation as there is GDPR? If anything, I’d say this one has greater impact on most business, with a far greater degree of negative impact on how you are currently conducting your business. Just ask an online publisher what they think of it and brace yourself for the answer.

Imagine, for example, you provide online content free of charge. Your revenue is driven by online advertising which is in turn personalised to the viewer by cookies. Under ePrivacy you could no longer rely on pop-up banners to force acceptance of cookies, instead you have to rely on the viewer accepting cookies by default in THEIR web browser. Not only that, the Regulation is basically suggesting that all browsers should be ‘blocking all cookies by default’, then, in plain language, walk every citizen through changing the defaults to more ‘merchant-friendly’ settings.

However, here are a few bloody BRILLIANT outcomes:

  1. Unsolicited marketing phone calls should use a prefix on their numbers so you know what it is before answering! And no, they cannot get around this by blocking the caller ID;
    o
  2. Inclusion of your personal data in ‘publicly available directories‘ (a.k.a. marketing lists) must be done with consent; and
    o
  3. Any kind of “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing” of your personal data is strictly forbidden (the usual deprecations apply, e.g. ‘pubic interest’)

Not surprising that during the ‘Stakeholder Consultation’ conducted from 12 April to 5 July 2016 that 83.4% of citizens were for it, but 63.4% of businesses were against it. The lobbying that has taken place to soften the wording, while fruitless so far, has had the likely impact of delaying the enforcement of the regulation beyond the proposed data of 25 May, 2018 (yep, same date as GDPR, that’s how closely they are linked).

So I frankly have no idea why GDPR is such a big deal and ePrivacy is so obscure, but you just know it’s because only one of these is easily monetised by snake-oil merchants. GDPR attracted cybersecurity “professionals” because it’s about ‘data protection’, and lawyers because of the ‘lawful bases for processing’ and the requirement for DPO.

ePrivacy on the other hand provides no easy remedies, but you know they’re coming.

The bottom line here is that if you’re not familiar with it, get familiar, it WILL impact you. Once again, for those in the UK the ICO has lots of material on its website, but look for Privacy and Electronic Communications Regulations (PECR)¹ instead. Like how the DPA is the UK’s implementation of GDPR, PECR is ePrivacy.

Happy reading.

[If you liked this article, please share! Want more like it, subscribe!]

¹ (Hopefully the acronym will be pronounced/known as the ‘Pecker Law’ which should give our American friends a good laugh).