The need for data regulation transcends GDPR fatigue

Under the current regime, large data breaches go unreported for long periods and, once data is inside an organisation, its handling is largely hidden from view. Society is waking up to the need for greater data security and for organisations in breach of data laws to be held to account.
Facebook waited more than two years before revealing what has been termed unprecedented data harvesting. It appears that the Cambridge Analytica researcher collected data not only on the 270,000 participants in the survey but also on their friends, who knew nothing about it.
The most recent example of data misuse highlighted in the press is the unauthorised and, in some cases, unencrypted sharing of the HIV status of those using the Grindr app.
Grindr
Grindr has allegedly been sharing data on the HIV status of its users with two third-party organisations and a Norwegian not-for-profit organisation. Needless to say, this sharing was without the knowledge or consent of the data subjects involved.
This highly sensitive data, which would be termed special category data under the forthcoming GDPR, was shared with two organisations whose role was reportedly to optimise use of the app. The data was sent to these companies, and to the Norwegian not-for-profit, in some cases unencrypted and combined with other data identifying the data subject’s GPS location and telephone number.
Grindr has commented that sharing data in this way was “standard practice” for apps and was subject to strict contractual terms providing for the highest level of data security. Since the practice became public it has been discontinued. It does, however, highlight the need for transparency when organisations are handling personal data.
Informed consent
GDPR will enable informed consent and will bring into focus the risks faced by data controllers as well as those faced by data subjects.
Under the GDPR the Privacy Notice provided at the point when a user signs up to an app would specify any data sharing with third parties. It would also require the data controller to ensure that appropriate technical measures were in place to safeguard the data both during transmission to a third party and when being processed or controlled by that third party. A user of the app giving consent to the processing of their data would be doing so from an informed position where they could assess the risk involved.
For the data controller or processor, the risk in not following the new data laws is not only the much-trumpeted fines and enforcement action by the ICO. The forthcoming Data Protection Act, which will allow the GDPR standards to remain in place post-Brexit and which provides some further detail on its implementation, also gives individuals causes of action against those holding their data in the event of a breach of their obligations. Individuals are therefore better able to ensure that their data is adequately safeguarded. Control is shifting.
Conclusion
Whilst there is no doubt that GDPR fatigue is a reality in organisations coming up to the 25 May 2018 deadline, they ignore the law at their peril in light of the growing awareness and concern amongst data subjects.