The European Union's attempt to increase consumer control of personal data has already had some useful effects. This puts it well ahead of earlier EU interventions, such as the annoying notifications of website cookies and the utterly pointless N versions of Microsoft Windows. The GDPR (General Data Protection Regulation) has prompted me to clean up my mailbox, it has greatly improved email marketing lists, and some companies have used it to improve their business processes, according to an IBM survey.
You may well have ignored or just deleted the deluge of emails about the GDPR, and I can't blame you. I actually read most of them, to get an idea of the range of approaches and which ones worked best. I also searched my mailbox for the suppliers' domain names to see if I'd received any marketing emails, how often they came, and whether I'd read any of them.
In several cases there were more than a hundred unread emails, so I was able to select and delete them all at once.
I don't read most emails because if I did, I'd never get any work done. I just delete the obviously useless 40 percent unread, and reply to the half-dozen or so that matter. That usually leaves a dozen or more unreads that are not obviously useless but don't obviously need my attention. "News announcements" (ie PR) quite often fall into that category.
If my search turned up a bunch of useless emails, I unsubscribed. As a result, my mailbox is slimmer and should be cleaner in the future.
While many companies will no doubt be alarmed that their mailing lists have shrunk dramatically - actual numbers welcome - they should be grateful. The people who have opted in must feel their messages have some value, so they're better prospects.
Mailing lists will further improve in quality now people have to opt in actively, not passively, and sign-ups should always be confirmed.
I've received dozens of emails intended for other people, usually because customers have given companies my email address by mistake, and companies haven't checked or confirmed it.
I've received airline tickets, confirmations of my new car insurance policy and my Apple Genius Bar appointment, thanks from the G4S recruitment team, and payment receipts from an exercise class in Prattville, Alabama, among others.
Nope, nope, nope....
Other erroneous emails have arrived from Barclaycard Business, Paddy Power, Pokerstars, Vodafone and others who must already have improved their systems. They're all companies that have to take the GDPR seriously, and I'm sure they do.
The UK's ICO (Information Commissioner's Office) has warned that "data sent by email to incorrect recipient" is one of the most common security breaches. The cost of reporting these incidents, and possibly paying fines, means it isn't wise to use unchecked or unconfirmed email addresses.
Happily, nearly 60 percent of the companies in an IBM survey claim they are "embracing GDPR as an opportunity to improve privacy, security, data management or as catalyst for new business models, rather than simply a compliance issue or impediment".
IBM's Institute for Business Value (IBV) and Oxford Economics surveyed 1,500 "GDPR leaders" in 34 countries and found that "organizations are using GDPR as an opportunity to streamline their approach to data and reduce the overall amount of data they are managing". Specifically:
* 80 percent say they are cutting down on the amount of personal data they keep;
* 78 percent are reducing the number of people who have access to personal data;
* 70 percent are disposing of data that is no longer needed.
Go thou and do likewise.
Companies also see GDPR as an opportunity to build trust and drive innovation. Specifically:
* 84 percent believe that proof of GDPR compliance will be seen as a positive differentiator to the public;
* 76 percent said that GDPR will enable more trusted relationships with data subjects that will create new business opportunities.
A few leading companies - less than 20 percent - said they were "fully implementing security and privacy by design for new products and services". That's a scarily low number because "privacy by design" is actually one of the GDPR's demands.
The full IBM report, The end of the beginning: Unleashing the Transformational Power of GDPR, is available on application at http://ibm.biz/powerofGDPR
It may turn out that the real key to GDPR is not so much getting consent for mailing lists as devising systems that (1) help prevent mistakes, and (2) enable companies to collect and report data breaches within 72 hours, as the law requires.
In my experience, some large companies make it almost impossible to report mistakes without hounding them on Twitter. For example, they have webforms that demand your account number when you don't have an account, and they just send you utterly pointless boilerplate back. I have never seen an option that says: "I am not a customer. You've emailed me someone else's data by mistake."
In one rather old case, it took roughly a year to stop a company sending me someone else's monthly bills - someone I could identify and locate - and I had to escalate it to the Director's Office to get a result.
Next time, I'll take the opportunity to test the system for reporting security breaches. It could be a juicy story as well.