Commentary

You Can't Win For Losing Under GDPR

When is a legitimate email illegitimate under GDPR? When someone doesn’t like it.

That seems to be the lesson learned by Sprint Education in the UK last week. 

The company sent an email asking people to update their mailing preferences. However, one person complained, saying “This is my first contact of any kind with this company, and it was totally unsolicited," the Register reports.

That seems unlikely, given that the person’s name wouldn’t be on the list if they hadn’t subscribed at some point. But people forget, and the list has email address going back a decade.  

Perhaps more alarmingly, this party noticed the URL for updating one's mailing list preferences contained a string of numbers.

“By tweaking one of the digits, the name, job title and work email address of everyone on that Sprint Education mailing list could be viewed by the world and their dog,” the Register wrote.

This appeared to be a one-time episode. Soon, the link was changed to bring people to an opt-out page. And the aggrieved consumer apparently has not filed a lawsuit. But it could have steamrolled into a bigger issue.

What happened?

Sprint Education explains that in “this single instance the team member here who broadcasted the email did not turn off [link click]tracking for our Preference Centre links.” 

Sprint continues: “As soon as the team member noticed (which was almost immediately) the send was halted, meaning fewer than 250 school staff will have received the email with the sequential links in."

It’s not yet clear whether any regulator will probe this incident. But the news comes as British Airways and Marriott British Airways have been fined large sums for data breaches, with more firms apparently on the way to being socked.

Mind you, these penalties are not for deliberate privacy violations — they’re for data spillage following hacks by outside attackers.

Sprint claims it takes privacy seriously.

Meanwhile, a new study by the international accounting firms RSM shows that 30% of EU firms are still not compliant with GDPR.

Of 300 brands polled 57% feel they comply, and 13% are unsure. 

Medium-size businesses are particularly flummoxed. Many ““simply gave up and reverted back to the old way of doing things,” says Steven Smith, technology risk assurance partner at RSM UK, according to City A.M.

The problem? That “GDPR fatigue” is setting in, Smith adds. 

Despite that, businesses are taking the risk of data breaches seriously — over 60% have increased their investments in cyber security.

 

Next story loading loading..