Will privacy ever be what it says on the tin?

Published on Monday, September 2, 2019 - 13:32 by Cameron Troake

Imagine it’s lunchtime and you’ve decided that today is a sandwich day. You could be a Meal Deal mastermind or a DIY kind of guy. Either way, whether you’re buying the ingredients to make your own or picking up a pre-made sandwich, one of the key things you’ll look for is the nutritional information on the packaging.

You know what numbers and ingredients you’re looking for, which ones are better or worse for you. Sometimes just glancing at the red, amber and green colour chart tells you in an instant what you need to know without reading the details too closely.

Food standards have become so ingrained into our mindsets, and are such a normal part of everyday life, that if we don’t find them on a product we question whether it’s legit.

What’s in it? When is the sell-by-date? Is it organic? Where does it come from? How can I trust it?

These are the questions we want quick, easy-to-find answers to, because we have a fundamental right to know what we’re putting into our body - and we don’t want to spend 10 minutes in a supermarket searching for this information.

These easily identifiable numbers and colours help us to make a choice.

When the legislators behind the GDPR started putting the regulation together, this is the kind of transparency they envisioned.

The level of privacy management practices an organisation had would be immediately clear to a consumer going to use their services. You would be able to see straight away how the organisation was planning to use and protect your data.

It’s an interesting world to contemplate.

Imagine clicking onto a web page and having a standardised bar at the bottom of the site which tells you everything you need to know in an instant.

Not certified by any regulatory bodies (AMBER). No third-party data selling (GREEN). Data deleted after 730 days (RED).

Just like in food regulation, any organisations that really missed the mark (RED, RED, RED) would be treated more harshly by consumers and regulators - and shut down if they didn’t change their practices.

The organisations that demonstrated best-in-class compliance would gain a reputation for being trustworthy and could use this golden status as a competitive advantage.

Of course, there would be some companies out there that would fall in-between these two extremes.

But if they’re offering something that consumers really want, and aren’t doing anything too bad, you’ll have those consumers that are happy to turn a blind eye every now and again.

I imagine it would be like when I’ve decided it’s time for a cheeseburger and I’d rather not look too closely at what’s going into my body. Yes, I know it’s not great for me for a tonne of reasons, but today - I feel like the pros absolutely outweigh the cons. It’s not that bad.

And fundamentally - it’s my choice.

Of course, we are a long way off privacy management having the same scrutiny as food standards.

When the GDPR hit last year, a lot of companies saw it as a one-off compliance exercise.

Cookie notices were refreshed. A whole swarm of organisations jumped on the do-gooder’s bandwagon with a proud whip-round email to announce that privacy policies had been updated. And sure, they had.

But it’s one thing writing a policy and another actually embedding what you’re saying you’re going to do into your organisation from the ground-up. That’s the hardest part.

And so the regulator’s focus on GDPR has now shifted: organisations shouldn’t think they’ve “done” GDPR; they need to be able to consistently demonstrate that they’re compliant. This is where Article 25, Privacy by Design (ingraining data protection into everything you do), comes in. And this is not an extra or a “nice-to-have” – it’s a mandatory obligation.

But whilst over 60% of organisations think they’re compliant with the GDPR, only 1.8% have actually completed a Data Protection Impact Assessment (DataIQ 2019 Research Report - Privacy, Value and Ethics: Coping with the Cautious Consumer).

This is a bit of a contradiction to the whole point of Article 25 and suggests that, realistically, there is still a way to go – particularly given the ever-evolving ways organisations use and manage data over time. It’s likely that now, over a year from implementing the GDPR changes, many organisations will have become unintentionally non-compliant.

However, the everyday consumer doesn’t know this.

Nor do they know what to look for when they click on a website. It’s nowhere near as simple as “does exactly what it says on the tin.”

Clicking “Accept” to all Cookies is pretty much standard, but what are you agreeing to? Do you know, care, or understand?

And just like we don’t want to spend 10 minutes hunting for nutritional information in a supermarket, we don’t want to spend 10 minutes reading a privacy policy. No matter how “easy to understand” and “transparent” they are, no matter how simple the language is that’s used – it’s still considered lengthy legal jargon.

It would be like walking into a shop and every product had a dedicated folder attached to it detailing its nutritional value. Wouldn’t most of us eventually reach a mindset of, well, I can’t see anything wrong with it, it looks alright, I haven’t got time to read all this - and just chuck it in the basket thinking it can’t be that bad, can it?

So, if consumers don’t know what indicators to look for, how can they make an educated choice?

How are you going to protect my data? How are you going to use it? Who will you share it with? How can I trust you?

These are the questions we should have quick, easy-to-find answers to, because we have a fundamental right to know what organisations are going to do with our data.

Sure, it’s not the same as knowing what’s going into our bodies – but it’s equally personal.

However, we are getting there - slowly but surely.

The new ISO 27701 is certainly a significant step in the right direction.

This new certification will act as a partner to ISO 27001, the “gold standard” for information security. It’s set to become the international “gold standard” for privacy management.

It will enable organisations of every shape and size to demonstrate compliance with all applicable privacy regulations - including the GDPR and the 2018 Data Protection Act. It shows that a business has put the appropriate measures in place to protect and manage personal data in a way that is fundamentally aligned with what the GDPR mandates.

Essentially, it’s that shiny gold sticker and the GREEN, GREEN, GREEN labelling that an organisation needs to demonstrate best-in-class compliance.

Whilst ISO 27701 has certainly been long-awaited and warmly welcomed by the industry, we’re still a long way from having a globally standardised labelling system for privacy management that consumers recognise instantly.

We’re not quite there with the “what it says on the tin” mentality, but it will be interesting to see how this certification shapes and advances global attitudes to privacy.

If you want a head start getting ready for an ISO 27701 certification, or help with embedding Privacy by Design into your organisation, please do get in touch. You can give our team of expert consultants a call on 01494 442900 or fill out the enquiry form below and we'll be in touch shortly:
