Is GDPR a farce?
Earlier this year a lot of people got very exercised about the EU's General Data Protection Regulation (GDPR). Countless databases were purged or severely reduced, with thousands of pounds spent by many companies to ensure they remained on the right side of the law. Ignorance of what was actually required was rife and an entire industry of advisers sprang up to sell their expertise (essentially that they knew more than you did). In recruitment, as much as anywhere, there was considerable concern that one or two disgruntled candidates would take umbrage and file a report with the ICO (Information Commissioner's Office, the body responsible for enforcing GDPR in the UK), thus leading to a substantial fine.
The companies that make their living from selling us mailer software and other means of communicating with customers/candidates (e.g. MailChimp and the various ATS suppliers) spent a lot of money to ensure that their customers' lists of subscribers would only consist of those who had opted in to receive marketing materials. As a result, virtually all the companies I know saw their databases reduced to a (pretty useless) rump. Admittedly, in the past quite a few recruiters had ruthlessly milked job-board databases to add to their own CMS without bothering with such trivialities as asking the candidates whether they actually wanted to be the recipients of endless job alerts and marketing bollocks.
The idea behind GDPR, of course, was to prevent this happening and give people back some privacy. People were, rightly, fed up with cold calls, unsolicited mail of any kind, and marketing and communications that they had no recollection of requesting.
It's not easy for anyone to understand what GDPR means. The full text of GDPR has 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. Among these are eight rights for individuals, including the right to easier access to the data companies hold about them. Alongside those rights come a new, much larger scale of fines for those who break the law and a clear responsibility for businesses/organisations to make sure they have a lawful basis, typically consent, for the information they collect about people.
Today, people are still, rightly, fed up with cold calls, unsolicited mail, etc., but we are, in some respects, better off than we were because the majority of companies do seem to have made serious attempts to curtail their previous activities.
That said, I know I'm not alone in thinking that all those emails I got in May this year, in the run-up to GDPR becoming enforceable on 25th May, asking me to opt in to all the things I didn't know I'd opted into in the first place, were a waste of time. Like many, as the deluge of "please don't go/opt-in" mails came in, I eventually got so fed up I couldn't be bothered to check the various options for "do you want to receive this/this/or this?" Instead, I just deleted most of them and, surprise, surprise, I seem to still get marketing information from quite a few. I am pretty sure that a lot of companies are just hoping that no-one will bother to complain. While I know that there are a lot of sad gits out there, capable of complaining and taking offence at virtually anything, it's unlikely that there will be enough of them making SARs (Subject Access Requests) to lead to a complaint to the ICO.
In fact, there are 500 or so calls per week to the ICO (see below), but that's an infinitesimal fraction of the number of web visits made and marketing emails sent in the same period. Some firms have been fined under the previous Data Protection Act, and they would undoubtedly have received far bigger fines under the new regulation, but those who do get into trouble tend to be the largest and most blatant abusers of the law. In other words, playing the percentage game is, statistically speaking, pretty safe for most companies.
Obviously, one of the ways that companies previously sucked people into their ambit was via the cookies on their website. Now, almost every time you go onto a new website you get a message of some kind, offering you the chance either to accept the cookies or to adjust the settings. I suspect that quite a few people, like me, have tried to adjust the settings, only to find that it's really hard to do so. In fact, I have come to the conclusion that some companies deliberately make it very hard indeed even to find the settings, let alone "adjust them." To illustrate this, I Googled "GDPR explained" and the first four websites I went to, all purporting to be able to explain the subject to me, didn't even offer a privacy warning or the opportunity to manage the cookies.
And when you do find the privacy settings, you discover that it's common for some of them to involve "associated companies," which basically means companies to which you give permission to send you stuff unless you tick the box to prevent it. Even more cleverly/annoyingly, some companies set up their cookie management dialog boxes to make it virtually impossible to use them. Take, for example, this site, found at random while searching for a specific dog breed.
This pop-up could not be removed easily. I tried clicking off the box and in various other places on the page. At the foot of the sign-up box there is an opt-out message, but it’s not clickable. I attempted to type “no thanks” in the email box but got a message to say it wasn’t a recognised email address.
The only way out of this was to refresh the page, which then brought up the cookies option box again. I went back in again to try to manage the cookies and clicked on the “ad selection, delivery, reporting” tab. This is very common on many sites and on this site at least you have the option to click through to a “vendor list,” which you can see a screenshot of below.
When you scroll down this list there are, literally, hundreds of “partners,” all of which, as you can see, might “deliver relevant advertising.”
This site, at least, does allow you the option of switching off these “partners”: many others make it too hard to do so. I am sure they do this in the full expectation that most visitors to the site will give up, or more likely won’t bother to even try to adjust the settings.
This is particularly so when you discover that, as noted above, the ICO has had 500 calls per week to the telephone line set up for reporting breaches of GDPR, but, to September 2018 at least, no-one has been fined under it. About 20% of reported breaches involve cyber incidents, of which nearly half are the result of phishing. The rest of those cyber incidents involve malware (10%), misconfiguration (8%) and ransomware (6%), amongst others.
Many firms were simply not ready for GDPR. I know some that still are not remotely on top of their databases. For them, the good news is that the UK information commissioner has made it clear she doesn’t intend to make examples of companies by issuing large fines when they're not deserved. I suspect that small firms who have just cocked things up will be pretty safe. The ICO has said it will try to engage with companies rather than issue them with punishments straight away. Companies who have shown awareness and tried to comply with GDPR are likely to be treated better than those who have done nothing, whether deliberately or not. In other words, the new system is evolving, but, based on what I'm seeing at the moment, unscrupulous companies are finding it relatively easy to sidestep the regulation and continue to serve us with marketing we don't want or need.