This post will not provide you with any solutions; instead, it will raise some questions which might keep you up at night. By now, if you’ve been following my posts, you’ve heard about GDPR and know more or less what it is. We’ve discussed the rights of the citizen and some of the main topics. However, here is the one thing which could turn GDPR into a proverbial sh** storm.
Imagine this scenario: we have company A, which provides an online service, and company B, a direct competitor of company A. Both companies are reputable and have a good client base. Let’s also assume for a second that both companies have done their best to comply with GDPR. Now let’s also assume that both companies are working on similar products or services, but company A looks like it’s going to be faster to market, and we all know what that means for business nowadays.
Someone from company B decides to put in a complaint with the local data protection authority about company A in order to delay or derail it. What happens then?
Submitting a complaint is almost completely anonymous. In the online form of the IDPC for Malta, the name, surname and contact number are not even mandatory fields! Will the IDPC investigate every complaint? Will company A waste weeks, if not months, supplying the authority with information, proof and audit records to show that they are indeed compliant?
What if, instead of a competitor, it’s a disgruntled customer? Is there a possibility that companies could be held hostage by a customer threatening to file a complaint if his request is not fulfilled?
For those who think this is a far-fetched scenario, let me assure you that these things actually do happen. I work in the iGaming sector and have seen scenarios in which high-value affiliates threaten operators with bad feedback on affiliate forums to get what they want. Although the behaviour is unethical, this is not the issue at hand.
There is plenty of competition for any business nowadays, and complaints and bad reviews could result in a loss of customers and revenue. In the case of the GDPR, the complaints are not public, but they could trigger an investigation. Even if you have taken all the steps and are 100% compliant, an investigation would mean wasting time, providing information and getting audited.
So what is the EU doing to prevent such scenarios? I really hope someone can provide an answer to this. All the guidelines issued by the EU yesterday say is the following:
The General Data Protection Regulation (GDPR) provides the Data Protection Authorities with different options in case of non-compliance with the data protection rules:
likely infringement – a warning may be issued;
infringement: the possibilities include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.
What does that even mean? What is a likely infringement? A plausible-sounding complaint from an anonymous source?
My suggestion would be to make the name, surname and contact details mandatory as a start. Secondly, perhaps put in place fines as a deterrent where a complaint is found to have been made with malicious intent.
What do you, dear readers, think?
Would you like to be notified when new posts come out? Drop us a note via the contact us section and we’ll add you to our mailing list.