It’s that simple. The GDPR is a rebalancing of power between us, the people who have to hand over data to do transactions on the internet, and the organisations that intend to blitz us into submission with emails. The ones that most annoyed me in this regard were hotels. More than once I’ve checked in and been requested airily to give my email, and to my suspicious “What is this for?” have been told that it’s just so they can contact me in case I leave something behind. On getting home, it turned out that what I left behind was the chance of booking a room next Christmas/Easter/week at a discount if I entered a code.
Even more important is the recognition that our personal data has real value. Researching my new book, Cyber Wars, which looks at various hacking incidents, I was stunned to discover that TalkTalk was fined more for bad customer service than it was for allowing the theft of the personal and bank details of thousands of people by a cyber attacker.
GDPR changes that. Maximum fines are up to €20m or 4% of the organisation’s global annual turnover, whichever is higher. For TalkTalk, with a turnover of £1.66bn in its latest year, that would have meant fines of up to £66m. That’s the sort of number that gains a board’s attention. And that’s why you’re getting all those emails. Companies are waking up to the fact that if they’re holding more data than they need, and then they get hacked (and as I found, everyone gets hacked eventually), it could be financially disastrous.
So, sure, those emails are a bit of a pain, and a laugh. But they’re also part of a long-overdue recognition that companies have been too lazy about their security with our data. It’s exactly the data detox that we all need.