This Week in Data/Cyber/Tech: Why Privacy Notices Aren't a Waste of Money; and Avoiding BCC Data Breaches.

May 17, 2024
4 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.

Story #1: Why privacy notices aren't a waste of money

You may be familiar with Dan Neidle. He was formerly the head of Clifford Chance’s tax department in London and now runs a think tank which, among other things, has done very important work in exposing tax avoidance.

But his recent take on data protection doesn't quite hit the target, in my view.


Last week he announced that, buried within his organisation’s website privacy notice, was language to the effect that the first person to contact Mr Neidle would win a bottle of wine. The punchline is that it took four months for somebody to claim the prize.

“[A]ll businesses have to have a privacy policy and no one reads it,” he said. “Every tiny coffee shop has to have a privacy policy on their website, it’s crazy. It’s money that’s being wasted.”

A small, but important, aside: a "privacy notice" is the (typically, external-facing) document used to provide information to data subjects about the organisation's processing of their personal data, whereas a "privacy policy" is a (typically, internal-facing) document that describes to the organisation's employees and third parties how they must handle other individuals' personal data. 


Does the fact that some privacy notices go largely unread mean that they’re a waste of money? Would the answer be different if "some" became "most"?

It's "no" and "no".

We live in a world where every aspect of our online lives is tracked. It’s therefore not unreasonable for individuals to expect to understand how organisations are using their personal data and the rights that they have in respect of those data. Indeed, I'd argue that it's important even if the data may not be considered sensitive or otherwise risky.

So, does it make any difference if the organisation is a tiny coffee shop? 

Again, I think probably not.


Besides the provision of this information being a legal requirement, it is the right thing to do. Most businesses consider it important to be transparent in their approach to and dealings with their customers — and data protection should be no different.

Looking at the issue through a financial lens risks resulting in tunnel vision.

None of this is to say that all privacy notices are always drafted well. They can be too long and too legalistic. Some of them don't include all of the disclosures required by the UK GDPR. Is it any wonder that they’re overlooked?

If people don’t want to spend their time reading privacy notices, that’s a reasonable (and, frankly, normal) response. However, that's not a reason not to take the process seriously — or to make the information available for those that want to read it. 

Story #2: Avoiding BCC data breaches

In a world of nation state hacks, supply chain disruption and sophisticated AI scams, it's still the simplest things that cause most data breaches.

The latest example of this phenomenon: on Monday, the UK Conservative Party sent an email to hundreds of supporters — but forgot to use the bcc function, meaning that the email addresses of all recipients were visible.

It’s a common — very common — mistake. Indeed, there can be very few of us to whom this hasn’t happened. (I am not among that number, thanks to my kids' school.)

The UK ICO — to which the Conservatives reported this breach — regularly reminds organisations that the failure to use the bcc function accounts for a significant percentage of the breaches notified to it each year. The vast majority of those breaches don't result in regulatory enforcement, it must be said, but that's not always going to be the case.


The Labour — i.e., opposition — Party has inevitably seized on the incident as proof that if the Conservatives can’t send out emails correctly, they shouldn’t be trusted with national security.

Political point-scoring aside, that logic also applies more broadly. An organisation should be able to get the simple things right — including around data protection.

And what may look benign on first blush (a list of email addresses) can, on further reflection, be more serious. 

A case in point: personal data revealing an individual's political opinions are "sensitive" for the purposes of the UK GDPR. That's not to say that an individual's political leanings can be assumed or inferred simply by virtue of being on the Conservatives' mailing list, but it's not a bad place to start. 


The good news here is that avoiding bcc incidents is almost entirely within your control. 

To use a tennis analogy (we are approaching the season, after all), this type of breach is an unforced error. And those errors can always be reduced — if perhaps not entirely, then by a significant margin. 

So what’s the answer?

There are a range of tools that can help — email prompts, and the like. But given that bcc breaches are in most cases the result of human error, the starting point is ensuring that your employees understand the processes you require them to follow when sending mass emails.

This can be done through training — both formal and informal, and on a periodic and as-needed basis. The folks in marketing, sales and other customer-facing roles should be a priority, but all employees need to know what processes you have in place (and why). 

And if you don't have those processes in place, or they aren’t documented, that should be the first thing to change.
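One form the "email prompts" mentioned above can take is a pre-send check that inspects an outgoing message and stops it when too many recipients are visible in the To or Cc fields. The following Python is an added illustration written for this post; it is not code from Ropes & Gray or from any mail product. The thresholds (more than five visible recipients, or visible recipients from more than one domain) and the two sample messages are constructed assumptions, not a standard any regulator has set.

```python
"""Pre-send check for bulk emails: flag messages whose recipients are visible
in To/Cc rather than hidden in Bcc, and offer a corrected version.
Added example; thresholds and sample messages below are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List

# Assumed policy (constructed): more than this many visible recipients, or
# visible recipients spanning more than one domain, should go via Bcc.
MAX_VISIBLE_RECIPIENTS = 5
MAX_VISIBLE_DOMAINS = 1


def visible_recipients(msg: Message) -> List[str]:
    """Addresses every recipient would be able to see (To and Cc), lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def bcc_addresses(raw: str) -> List[str]:
    """Addresses in the Bcc header of a raw RFC 822 message, lower-cased."""
    msg = message_from_string(raw)
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def check_bcc(raw: str) -> Dict[str, object]:
    """Evaluate one outgoing message; 'block' is True when it should be held
    until the recipients are moved to Bcc."""
    msg = message_from_string(raw)
    visible = visible_recipients(msg)
    domains = {addr.rsplit("@", 1)[-1] for addr in visible}
    reasons = []
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        reasons.append(f"{len(visible)} recipients visible in To/Cc")
    if len(domains) > MAX_VISIBLE_DOMAINS:
        reasons.append(f"visible recipients span {len(domains)} domains")
    return {"block": bool(reasons), "visible": len(visible), "reasons": reasons}


def move_to_bcc(raw: str, sender_address: str) -> str:
    """Rewrite a message so every To/Cc address sits in Bcc and the visible
    To header names only the sender, as mail clients do for undisclosed sends."""
    msg = message_from_string(raw)
    visible = visible_recipients(msg)
    existing = bcc_addresses(raw)
    del msg["To"]   # Message.__delitem__ removes every occurrence of the header
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender_address
    # dict.fromkeys de-duplicates while keeping the original order
    msg["Bcc"] = ", ".join(dict.fromkeys(existing + visible))
    return msg.as_string()


# Constructed sample: a supporters mailing sent with everyone in To.
SAMPLE_BAD = """From: newsletter@example.org
To: a@example.com, b@example.net, c@example.co.uk, d@example.com, e@example.net, f@example.org
Subject: Thank you for your support

Body text.
"""

# Constructed sample: the same mailing sent correctly.
SAMPLE_GOOD = """From: newsletter@example.org
To: newsletter@example.org
Bcc: a@example.com, b@example.net
Subject: Thank you for your support

Body text.
"""

if __name__ == "__main__":
    verdict = check_bcc(SAMPLE_BAD)
    print("Hold for review:", verdict["block"], verdict["reasons"])
    print(move_to_bcc(SAMPLE_BAD, "newsletter@example.org"))
```

A check like this belongs in the sending tool (a mail gateway, a CRM's bulk-send step, or a client add-in) so it runs before the message leaves the organisation; it complements rather than replaces the training and documented processes described above, since it cannot tell a deliberate group reply from a mistaken mass mailing.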
