DATA PROTECTION DAY – Consumer Rights to Data Privacy

By January 26, 2017Blog

Consumer Rights to Data Privacy, not a moment too soon.

Close of play Friday. The weekend feeling had arrived. About to turn off her PC one of the staff at a Dublin accountancy firm read an odd notice. At first she thought it a joke, but once alerted the service provider yelled down the phone to unplug the server. It was a desperate move but it limited the wipe out to just one floor of PCs, half of the business capacity.

As a step in the process of retiring from a private clinic, a Hospital Consultant had taken his data home, stored in his server. His home network wasn’t adequately fire walled. He was served with a ransom demand. Luckily he was in a position to have the computer isolated and destroyed with the virus inside. Not so lucky in recent weeks was a British property buyer whose small local Solicitor firm was hacked and his transaction hijacked with a forged email from his solicitor shifting his transfer not to the vendor but to the criminal’s bank account. Over £400k has been lost and the Solicitor is denying responsibility! Cyber criminals are cunning and moving down chain due to higher firewalls at institutional level. There are easy pickings among small firms. Criminals are also now encoding malware into cheap Chinese charging units for vapor cigarettes, the kind you plug into your PC or Laptop without thinking, and others lie in the long grass ready to come alive once you back up your data, thinking you’re safe.

Data is the new currency and hijacking it, ransoming it or incorrectly transmitting or handling it is about the get a lot more serious. Dormant until January 2018, just 11 months away, is a huge game changer in data governance, the first major EU law on data since the mid-1990s. The General Data Protection Regulation (GDPR) is, in part an answer to cybercrime but mostly a long overdue charter in consumer privacy rights which is about the change the face of data protection globally, elevating it from what had been widely regarded as an ethical question, to a top line business risk. It’s easy to see why – the consequences for breaching the new laws, contained in a 200 page tome, is a fine of up to 4% of global turnover or Euro 20 million whichever is greater.

Under the General Data Protection Regulation (GDPR) consumers will establish the right to be forgotten known as erasure, the right to stop profiling, and the right to get a copy of their data, to object to its processing, to restrict its use or auto-processing and to demand its porting to competitors. There are special rules to protect children that includes parental consent and child friendly communications for under 16’s. Firms will be given a month to respond to consumers, watched over by national regulators mandated with a bristling array of new powers to crush non-compliance. At the centre of the sea change in the balance of power between complex pan-industry networks and consumer privacy rights, is consent, expect to hear a lot about it.  You can safely file away box ticking as consent. It will need to be freely given, specific, informed, and clear and derived from an affirmative action which doesn’t include silence or pre-ticked boxes sited at the base of acres of small print.

European legislators bypassed directives because they allow for national filtering and lobbying, in favour of direct regulation with the clear intent that the new EU laws will set the gold standard and will apply worldwide to any company that operates in the EU or monitors its citizens even if based outside the EU.

All public bodies, companies that systematically monitor citizens, that process special categories like biometrics or that have more than 250 staff will be expected to appoint a full time Data Protection Officer expert on the new rules of the game with mandatory reporting requirement to data regulators when breaches occur whether by accident, design or because of cybercrime.

So are businesses large and small gearing up? Dell, in a recent study found 97% of businesses and IT professionals are unprepared. There has been precious little promotion in Ireland of what is the single biggest pivot in consumer rights since the 1980 Sales of Goods & Supplies of Services Act. Muscular consumer rights in the digital age, comes not a moment too soon. None of us want a big brother society where powerful global firms analyse every move we make, shopping, driving or browsing, expecting us to trust them that our privacy is not being invaded or that we are not being set up to be bilked in vulnerable moments by a computer using the latest artificial intelligence –if that’s progress I’ll be exercising my new rights in 2018.