For those of you who don’t know, Article 14 of the GDPR says that if you obtain data about someone, and you didn’t get it directly from them, you have to tell them that you have it, and what you’re doing with it.
In the lead-up to the May 25th GDPR launch date, this Article caused more heartache for, and longer meetings with, clients than any other. We work with a lot of charities, and one of the things charities do is research prospective patrons. This helps them craft their approach, as well as weed out those whose likely donation doesn’t merit personal attention. In doing this research, they gather a fair bit of information from public sources – including Google searches and basic wealth profiling, like looking to see what people’s houses are worth.
We also work with some organisations that do political advocacy. Like most think-tanks, they keep databases of people involved in their topics of interest. These databases include a fair bit of personal detail as well as the person’s public utterances. There are some other issues with this data processing – to do with the legality, or not, of handling “Special Category” data like religious or political beliefs – but once again the key point here is that Article 14 requires the processor to notify the data subject that they have collected and are processing the data.
Some kinds of processor lobbied very successfully for exemption from this clause: notably journalists, which is probably a good thing, and corporate financiers, which is…less so? But neither charities nor advocacy groups are exempted, and nor is the general data acquisition industry – otherwise known as adtech and social media. Interestingly, there is also no exemption for retail financial services, so if your bank or insurer have data about you that they didn’t get from you – apart from anything they’re required to do by law, such as anti-money-laundering regulations – then they have to tell you about it.
So why haven’t I received a single Article 14 notice in the last two months?
Really? No charity, lobbying group, marketing agency, insurer or bank has information about me that they didn’t get directly from me. Really really?
Or is everyone just ignoring this part of the legislation?
I can feel some subject access requests coming on. Watch this space.