The Growth of Privacy; Day 3 – The Shifting Sands of Power

JANUARY 30, 2020

I run; or at least I try to, badly…

And as with most middle-aged men, my running efforts seem to be punctuated by various, how shall I put this diplomatically, “complications”. Lately, injury has been bothering me, or a general issue with my ankles/feet/legs/lower body (it’s kind of non-specific) that leaves me hobbling about like an old wreck.

After much venting and wallowing in self-pity about all of this, I ultimately decided I better do something about it, and I decided to go to a physio.

This was a company I had used some years before, and to be honest apart from anything else I’d been really impressed with their marketing at the time. Most small businesses don’t do any marketing at all and of those that do, most of those do it pretty badly. But I remember these guys impressing the heck out of me because they did the simple things really well.

They followed up with me with really useful information, they checked-in to see how I was doing, they thanked and rewarded me when I provided them with a referral. It was simple old-school stuff; that’s the stuff most people and businesses don’t bother about, scrambling about instead in search of the newest brightest shiny object that they hope will turn out to be a silver bullet.

In any case, I went back to them again recently with a very real need which they were perfectly placed to meet. On my first return visit, I was given a detailed medical form to fill out, as part of which I had to provide quite a bit of personal and, from a data protection point of view, sensitive information.

I then had a consultation with my physio which was very thorough and intensive, and included video being taken of me in motion; without wanting to leave you mentally scarred with imagery you can’t get rid of, this involved me walking around in my underwear while it was captured on camera.

The session ended with a diagnostic report and a proposed plan. It was a good example of prescriptive selling and again everything about their marketing and sales process struck me as impressive. They had a good system, it served my needs well and provided me with a clear path to where I wanted to get to: back to regular running.

But on the next session, the first of my proposed plan, things did not go well. Nothing bad happened, but I just had a very negative customer service experience and I decided I wasn’t going to go ahead as they were suggesting; if this was how I was treated on day 1, I wasn’t going to come back for 9 more similar sessions.

This really disappointed and frustrated me. I walked out of there with my problem unresolved, which involved the persistence of mild but nevertheless actual and fairly continuous pain. My pain was not just metaphorical, it was real. And it was exacerbated by the fact that I had been sold on the prospect of its resolution and then frustrated in its delivery. So I was annoyed.

And then it struck me: at no stage had I ever received anything so much as a privacy notice from these people, not when I first used their services years ago, nor since when I provided them with an extensive raft of additional personal information on my recent visit for my original examination and subsequent consultation.

I was never told why they were holding my data, their lawful purpose for doing so, how long they would retain it for, nothing. I received regular emails and texts from them for which I had never opted in.

One of the things that we have seen happen in a consumer law context in recent years is what you might describe as a weaponisation of data protection law. It has become a very useful, in fact now essential, tool in litigation, particularly the pre-litigation process.

Say for instance a former patient was considering investigating sub-standard treatment provided by a former medical attendant, the first thing that one would do is raise a subject access request for access to all personal data held under the GDPR.

But this is by no means all that the data subject is entitled to. For instance, the data subject is entitled to request to have their data deleted and to be provided with the details that they should have been provided with when the data was collected. And of course, the failure to do any of these things gives rise to grounds for complaint to the supervisory authority under the GDPR.

Now, nothing had happened in my dealings with this physio that would give me any reason to consider legal proceedings against them. Sure, I’d had a negative customer experience, and I was pissed off with them, but there was nothing more serious than that.

However, as soon as I started to think about it, I also became annoyed that they had not shown any respect for my data protection and privacy rights and I happened to be in a position where I knew exactly what they should have done and didn’t.

If I had wanted to make life difficult for them and present them with a problem that would have been potentially quite costly for them to resolve, I could easily have done so. And part of me was bloody-minded and annoyed enough at one point to consider it, but then I just thought, what the hell, life’s too short.

Had I been otherwise inclined, the business was a sitting duck. I could have taken any number of steps against them to obtain the information that I should have first been provided with under the GDPR, and then gone about enforcing my rights under the GDPR individually, step by step, following which I could have complained to the Data Protection Commission in respect of each of the individual breaches. All of this would have involved the business having to take costly legal advice, rectify what they should have done and then be exposed to the possibility of fines and civil liability on top for failing to do it in the first place.

And the point here is that there has been a fundamental shift in the sands of power.

It was once the case that the business in control of this data had power and value in the data, particularly the data that they hold on their customers. But now that power has shifted to the prospects, customers and clients, the subjects of that data. Businesses who now hold this data have to respect it and deal with it in a compliant way; to fail to do so leaves them exposed in all kinds of ways that they may not even be able to see.

The issues underlying my recent experience were completely trivial and, at the end of the day, I chose not to be a former customer from hell, though I could easily have become one as all of the ingredients and opportunities were there, simply because the business had failed to have any regard for my basic rights and their basic duties when it came to my personal data.

It is sometimes said glibly that data is the new oil.

Data is not the new oil…

Or at least, if it is, it is in the sense that it is a potentially very hazardous raw material. It may be a necessary element for use in your business, but if you don’t collect, store and care for it properly, it can end up exposing you to a disproportionate level of very unpleasant harm.

Author

Flor McCarthy

Flor McCarthy is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi award winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
