How to prepare for GDPR… or not

With less than three months to go before May 25th 2018, also known as the “GDPR deadline”, there is now a flurry of companies taking their GDPR compliance responsibilities more seriously. It’s quite interesting to watch the wave of emails from companies that hold my data and are trying to “do the right thing”. Companies I’ve never even heard of.

Earlier in the week I received quite an interesting email – in the interests of anonymity (ha!) I’ve removed identifying references… but you’ll get the idea:

Subject: Please update your profile for GDPR compliance

Having recently acquired the business of Company, the CV data management company, we are working hard to meet the requirements of the new GDPR data protection legislation coming in May this year.

Our records show you previously submitted your CV to Company, either through a recruitment agency, job board or via a job application, and we therefore kindly ask you to check your details and make sure they’re up to date.

To update your details, please click on the link below:

https://domain.com/?FirstName=[NAME]&LastName=[LASTNAME]&Email=[EMAIL]&CurrentLocation=[LOCATION]&CurrentJobTitle=[JOBTITLE]

Whether you’re actively looking for a new job or simply open to new opportunities, you can take advantage of our smart matching technology that will notify you of any suitable job vacancies, as they arise.

We look forward to staying in touch.

Best regards

On the surface, “Company” can be forgiven for getting themselves ready for GDPR day. However, all is not as it seems, and the email only proves that they don’t “get” it. And that’s worse: not only does a company I’ve never heard of hold my data, but their “compliance” action actually makes their situation worse, and the majority of recipients, who have no need to understand GDPR, will completely miss the epic fail that is their email. So I sent them a reply (sarcasm not withheld, given the above):

Hello,

Several problems with your email:

  • Your link is broken – it doesn’t take me to “my” details – and if that was the actual intention, as implied by the fact you’re “mail merging” details into the link, it’s actually a large security risk as I could impersonate anyone.
  • It’s also a breach of your Google Analytics terms and conditions, since you’re not allowed personally identifiable information in URLs collected into GA. Since the website uses GTM and GA, this affects you.
  • Which is also, ironically, a DPA breach which would definitely cause a GDPR breach (wait a minute…)
  • Since your email is designed to validate and update details for GDPR, you must also provide a method of opting out/unsubscribing. Which you have not done.
  • On the note of a link to unsubscribe me… could you?

On the whole I’m actually seeing many companies (okay, I’ve never heard of most of them…) contacting me and doing a pretty good job of getting ready for doomsday deadline day. But it’s interesting to see where companies just aren’t thinking. In this case they’ve set out to collect confirmations from those who want to stay on their database, which is fine, but they’ve dressed it up as “please verify your data” when I suspect it’s really “re-register your details with a company you’ve never heard of”.

Then there’s still the issue of query string parameters going into Google Analytics, and so on.
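To make the two technical complaints concrete (identity taken from mail-merged query parameters, and personal data in query strings that analytics will record), here is an added example, not code from the original post or from the company concerned. It contrasts the email’s link pattern with a link built from an HMAC-signed, expiring opaque token that refers to the record server-side. The record store, record IDs, the base URL and the key handling are all assumptions for illustration.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample "CV database" record (placeholder data, not from the email).
RECORDS = {
    "rec-1001": {
        "FirstName": "Alice",
        "LastName": "Example",
        "Email": "alice@example.org",
        "CurrentLocation": "London",
        "CurrentJobTitle": "Engineer",
    }
}

BASE_URL = "https://domain.com/"  # placeholder, as in the quoted email


def insecure_link(record):
    """The pattern from the email: the merged personal details ARE the identity.
    Anyone who edits or guesses the query string can act as any candidate, and
    every value is copied into page-URL analytics hits."""
    return BASE_URL + "?" + urlencode(record)


def insecure_lookup(url):
    """Server side of that pattern: it trusts whatever the URL claims."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items()}


# Assumed server-side secret; in practice loaded from a secret store, never
# embedded in the mailing or the page.
SECRET = secrets.token_bytes(32)
TTL_SECONDS = 7 * 24 * 3600


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def secure_link(record_id, now=None):
    """Hardened pattern: the URL carries only an opaque token = record id +
    expiry + HMAC. No personal data appears in the query string, so nothing
    personal leaks into analytics, and the signature stops tampering."""
    now = int(time.time() if now is None else now)
    payload = f"{record_id}.{now + TTL_SECONDS}"
    token = f"{payload}.{_sign(payload)}"
    return BASE_URL + "?" + urlencode({"token": token})


def secure_lookup(url, now=None):
    """Verify the token and resolve the record server-side. Returns None for a
    missing, malformed, forged or expired token. (A real deployment would also
    make the token single-use by recording consumed tokens.)"""
    now = int(time.time() if now is None else now)
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    try:
        record_id, expiry, sig = token.rsplit(".", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{record_id}.{expiry}"), sig):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return RECORDS.get(record_id)


def query_keys(url):
    """What an analytics collector sees: the parameter names in the page URL."""
    return sorted(parse_qs(urlsplit(url).query).keys())


if __name__ == "__main__":
    rec = RECORDS["rec-1001"]
    print(query_keys(insecure_link(rec)))          # five personal fields exposed
    print(query_keys(secure_link("rec-1001")))     # only ['token']
    forged = insecure_link({**rec, "FirstName": "Mallory"})
    print(insecure_lookup(forged)["FirstName"])    # server believes Mallory
```

The token here is bound to a record ID and an expiry, so an attacker who sees someone else’s link cannot change whose record it opens without invalidating the signature, and the query string holds nothing an analytics tool could classify as personal data.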

While I’m fairly sure I know what they’re doing in the background, unfortunately for Company the perception of a security vulnerability in their validation process has just cost them my trust.

Privacy law compliance is important, but so is data security. I mean, isn’t that part of the point of GDPR in the first place?
