25th May 2018: the day that all junk, spam, crud and crap was expunged from our inboxes, never to return. The day that all commercial attempts at interaction with us became positive, life-affirming and consensual. Perhaps not...
We are already seeing "false flag" emails inviting us to adjust our settings while capturing our data, others dropping phishing files under cover of a "GDPR compliant" consent request and slithery little attempts to capture consent where none was intended.
The lack of clarity and certainty over what may constitute a legitimate business interest has caused a range of responses from lawyers and corporates, from deleting data stores that held a wealth of corporate memory to deciding (quite reasonably) that if the business is not illegal and the data is useful it is therefore legitimate to keep hold of it. Who is right? We don't really know: either position may or may not be right, depending on the approach the ICO may take at some point in the future or upon an objection to the use of retained data from an individual. Frankly, it is irresponsible to roll out this regulation threatening dire consequences without providing real-world clarity on the interpretation and operation of the regulation on all classes of data. Too much work? Tough. Sort it out or lose the mandate to prosecute!
The drafting and implementation of the GDPR to date has been an exercise in bullying and opacity; the conversation so far has been:
ICO "Don't do that thing or I will ruin you!"
World "OK! What thing?"
ICO "Not telling"
World "Why not?"
ICO "So that when we decide - it will look like that is what we meant all along"
Meanwhile, for those with nefarious intent, Christmas has come early - all of a sudden the populace is desensitised to unsolicited emails from organisations they have never heard of and are cheerfully opening emails that would ordinarily have been untouched because it says GDPR somewhere and offers them control of their data.
To summarise: Good companies lose data of value to them and bad companies find it easier to do bad things. Good companies are of course easier to track down than bad ones so what's the betting that it is an innocent victim of the ICO's vague guidance that gets hammered first?
Organisations are sending out zillions of emails, just because they think someone told them to. Millions are receiving these emails, many unnecessary. Some may even be illegal, breaking the very rules they are meant to be enforcing. Ironically, GDPR phishing scams that spread malware or steal personal data are already hitting our mailboxes.