
GDPR ready … or not?

Almost half a year ago, European history was written. OK, it was not as exciting as the big bang, the first man on the moon, the millennium bug or Trump’s election, but on May 25th 2018 a brand-new regulation saw the light of day: the GDPR – or, for people who don’t like acronyms, the General Data Protection Regulation.

In this blog post, I will tell you about some of my experiences with the state of GDPR compliance in Belgium.

The rush and the fails

A couple of days before and just after the ‘go-live date’, people were overwhelmed with e-mails from companies begging for consent to keep your personal data. Some mails were original, correct and professional, but most of them were so hilariously wrong that I instantly moved them to my “Funny Stuff” folder in my mailbox. Besides that, I kept all e-mails asking for consent and did not respond to any of them! Why? Well, I was very curious whether these companies would contact me again later, even though I hadn’t provided consent. And what do you think? Exactly! Most of them are still contacting me …

Any better in the real world?

Is it different in the non-digital world? Unfortunately not. A couple of weeks ago I got in touch with a life insurance agent who will optimize my pension plan. I had to fill in some paperwork and she had a special paper with her. She said “This paper has something to do with the new privacy law … you know … and you just have to sign it. It is a privacy notice and by the way, if you do not want to receive direct marketing from us, you have to check this little box over here. Yes sir, as you can see we are very well aware of the new privacy requirements. Let me just take a picture of your identity card so I can finalize all paperwork in my office…”

At that point I let out a deep sigh and gently informed the lady that I work for Toreon as a Security and Privacy consultant. She said “Oh … is there something wrong with our privacy notice?” I said “Yes, there is … for example, your retention period states that you keep my data ‘as long as necessary’. That is not very clear to me, the checkbox for direct marketing should be the other way around, and do you really want to take a picture of my identity card with your smartphone?” She was a bit disappointed, as she stated they had already put a lot of effort into getting compliant with the privacy regulation. I only said that we would love to help her get fully compliant …

A happy life…

Anyway, last weekend I went shopping with my wife. Not my favorite activity … but a happy wife is a happy life. We went to a store, bought some stuff and the shop assistant asked if we already had a loyalty card. We didn’t have one, so we just had to hand over our identity card. With a big lovely smile she said “It is much easier now that we can electronically read the identity card. It’s a new system. A while ago we still had to enter your name, address, e-mail etc. manually. Now we just have to plug it into the reader and all the data we need appears on our screen. So it’s very easy now, isn’t it?”

*silence* Again, a deep sigh was the only thing I could produce at that moment. Privacy? GDPR? Retention? My rights? Where do you store my data? “I don’t know, sir. Our system works faster than before and is much easier to use. Thank you. Goodbye!” …

Goal!… NOT!

And another one to finish. Yesterday I received a mail from the football club where my youngest son is playing. Every year we go abroad to play in an international football tournament. Always lots of fun and, for the players, their ‘time of the year’. So yesterday we received a mail with an Excel sheet of all participants, including their dates of birth …

I’m running out of sighs now and I’m going to play postman for the rest of the day. I will drop the Toreon GDPR flyer in the mailboxes of companies. Not sure yet where to begin, but I will surely include an insurance agent, a store and a football club …

(Find out more about getting GDPR compliant as a small business here)