Why You Need to Pay Attention

September 11, 2019

By Bob Johnson

Over the past decades, NAID members have come to know me for trumpeting the latest data protection regulations and for expounding on their various threats and opportunities.

As a result, I understand some might simply think, “Here he goes again. It’s the end of the world as we know it.”

I hope not but I understand.

A lot has been made (mostly by me) of the new i-SIGMA service contract. It’s called the “Universal” service contract since it includes new language to address new risks globally. It addresses risks globally, because we now live in a data protection regime where a law on the other side of the planet affects customers and service providers everywhere.

The underlying theory of the changes is reflected in the E.U.’s General Data Protection Regulation (GDPR) and its coming legion of regulations across the U.S. (think California’s Consumer Privacy Act (CCPA), is that the data subject (the individual) is being given full control over their personal information.

Consider a world where the individual:

  • Must be informed and agree to what information is being collected about them.
  • Must be informed and agree to how long their information will be kept.
  • Has a right to see at any time what information about them is stored, and to correct that information if necessary.
  • Can say at any time they want their information to be erased, destroyed, forgotten.
  • Must be informed and agree with whom their personal information will be shared – even service providers
  • Has a right to examine the contracts, policies, and procedures of any service provider given access to their personal information.
  • Has a right to file a class action suit or a small claims suit if a data controller or data processor retained their information longer than it was agreed.
  • Has a right to file a class action suit or a small claims suit if a data controller or data processor does not comply with such requests (listed above).
  • Has a right to file a class action suit or small claims suit if a data controller or data processor permits, intentionally, by accident, or through negligence, unauthorized access to their information. (Even an unscreened employee could constitute unauthorized access.)

The Sky is Not Falling

On paper, this litany of rights and risks are real. That said, I am not predicting mobs of activist data subjects suddenly knocking down the doors of every data controller asking to see their data (or correct it), or asking to see the policies and procedures of the bank’s data destruction service provider. While they theoretically could, I just don’t think thousands of individuals are going to do it. It has not happened in Europe, where the GDPR has been in effect for over a year.

But, while the masses may not exercise their new rights, some will.

If your competitor has an account with the bank that is using your electronic recycling service, they might make such a request just to see what they get. So might some privacy vigilante who wants to test the system. So might a person poking around for any way to sue somebody.

The point is, service providers who could be caught up in one of these isolated ploys need to protect themselves, and can, by including contractual language that clearly defines the customer’s (data controller’s) role in dealing with and paying for such requests.

That way, the service provider has both proactively limited their exposures as well as created the opportunity to be compensated for compliance-related services into which they are inadvertently drawn.

Oh, yeah… and if some vigilante flash mob of privacy activists and opportunists does try some coordinated attempt to overwhelm a data controller or service provider by exercising their new rights in mass, that same contract language may just save your business.