The GDPR mind-set – A case study

Data /  4 February 19 / by Iain Schofield    

This is a brief [sic] look at some of the implications of the GDPR. It is intended to illustrate the scope of the legislation and the changing perspective on data security. For a more in-depth look at the legislation, read here.

The GDPR is an EU regulation that became enforceable in May 2018. It replaces the 1995 Data Protection Directive and the patchwork of national laws built on it with a single regulation that applies directly in every member state. The over-arching goal of the GDPR is to return control of personal data to the data subject and to better regulate its collection, use and export.

When you think of the GDPR, what springs to mind? You could be forgiven for thinking it is aimed solely at the digital environment. But the GDPR actually has a much wider scope. The legislation embodies a mind-set that, once adopted, influences everyday life in ways you may not have considered.

To explore this, let’s look at two examples. Both real, anonymised and fairly recent.

With a young son, I spend a lot of time at local soft play facilities. Fun for him, coffee for me and a nap for us both when we get home. We have two favourites that we attend every couple of months.

Case 1 - Soft play A

Soft play A asks you to sign in on a clipboard. At the next open space, I enter my name, my son’s name and my address. I can see every preceding visitor’s details, and subsequent visitors will see mine. On the face of it, no big deal, right? But let’s think about this a little. Under the GDPR, soft play A are the data controller, i.e. they decide why and how the data on that clipboard is processed and are responsible for it. The open clipboard is itself a disclosure: every visitor’s name and home address is handed to every later visitor, which is precisely the kind of unauthorised access the regulation requires a controller to prevent.

As the data controller, they decide (among other things):

  • whether to collect the data
  • what data to collect
  • whom to collect data from
  • how to collect the data
  • what to do with the data
  • who has access to the data and how to secure it
  • how to store the data
  • how long to store the data
  • how to dispose of the data

Under the GDPR, a number of these decisions must be communicated to the data subject at the point of collection: who the controller is, why the data is being collected, who it will be shared with and how long it will be kept. Even though this data is physical, recorded with pen and paper, the above still applies, because the regulation covers manual records that form part of a filing system, and a visitor register is exactly that. Soft play A have not considered these implications. The medium of data input and the seemingly innocuous nature of the data no doubt influenced this oversight. It is also worth asking why a soft play needs a home address at all; collecting only what is actually needed for the stated purpose is one of the regulation’s basic principles.

But, once you adopt a GDPR mind-set, you can see the issues with this haphazard approach. My personal data is now in the hands of soft play A and I have no assurances they will treat it with the respect and care it deserves. What’s more, my son’s information, which the GDPR says merits specific protection because he is a child, is in the same legislative limbo.

Case 2 – Soft play B

The following month, we head over to soft play B. Last time we went, they had a sign-in system similar to soft play A, with all details recorded in a single book. But this time, on arrival, I’m handed a slip of paper to fill out. Again, I include my name, my address and my son’s name. Then I’m instructed to pop the slip into a fancy new sealed box. Soft play B have considered the new regulation and made a simple adjustment: no visitor can now read another visitor’s details.

What are the lessons?

Soft play A aren’t evil, they just haven’t fully considered the GDPR’s impact. Like many businesses, they have neglected to consider how the GDPR could apply to their specific practices.

Soft play B aren’t perfect. They still didn’t tell me why they were collecting my data, what they would use it for, how they would store it or for how long. The sealed box stops other visitors reading my details, but it says nothing about who opens the box, where the slips go afterwards or when they are destroyed. Still not perfect, but a great start. By making a positive change, they have raised my opinion of them. I recognise that they respect my data, understand its importance to me and have taken a step to ensure its security.

This is GDPR’s unspoken power. With simple adjustments and a change of perspective, companies demonstrate an understanding and respect for their customers and in turn, they are rewarded with the loyalty of a grateful customer base.

The GDPR is often misinterpreted as over-zealous nit-picking. However, once you get into the mind-set, things become glaringly obvious. Of course companies should handle our personal data with the care and respect it deserves.

When they do, we value it and feel valued in return.
