With COVID-19, it might be easy to miss the second anniversary of the GDPR on Monday 25 May. But GDPR is still highly relevant, especially here in the UK, as it relates to the use of mobile apps to support our COVID-19 test, track, and trace strategy.
Concerns over the invasion of privacy and whether there’s the potential for the collection of PII from these apps has been much discussed in the press in recent weeks. While the pilot version for the UK’s contact-tracing app has been offered out to residents on the Isle of Wight, Matt Hancock, the UK Health Secretary, has announced his confidence in a UK-wide rollout by 1 June. We therefore watch the level of app use with interest, as citizens will need to balance their GDPR concerns (founded or unfounded) against the clear value to themselves and society in helping to support such an obvious life-saving initiative.
Also, while in lockdown there has also been a huge expansion of social media use, and here again GDPR has entered the discussion. For example the Belgian Data Protection Authority published a decision just this month against a social network provider whose “invite a friend” function was found to breach GDPR. The social network failed to persuade the authorities that it was exempt, as each of us, as individuals, is able to process personal data (e.g. on our friends and family) in the context of our private lives, for our own personal reasons, without the need to comply with the GDPR. This didn’t wash with the authorities as holding the data was ruled as making “the user” a Data Controller.
Other much higher profile cases have included fines for Marriott, Dixons Carphone, British Airways, and Equifax, in some cases being fined £500,000 alongside the (perhaps even greater) cost to their brands. So the GDPR remains uppermost in the considerations of CIOs and their data management strategies. At Denodo, we’ve seen our data virtualization platform widely used to support data governance and effective, centralized data security, key elements to remaining on the right side of the GDPR. We are living in unusual times, but the pressures of GDPR compliance continue to be felt.