Data protection affects us all, but how far would you go to make sure your data was secure and at what point do you appear to be another paranoid practitioner worthy of a tin foil hat – it’s a fine balance and one I would like to address for you in this blog – in the hope of imparting some of my wisdom.
Having decided to move opticians for reasons beyond this blog, I happily went along to my first appointment, extremely pleased with the service and the treatments offered and the whole bedside manner of the optician – you know when a service is just right! Waiting patiently in line at the surgery reception desk, the very lovely receptionist says “I will just check we have the correct information for you on our records”. I was elated and naively thought ‘great, all in line with the General Data Protection regulations ensuring accuracy of data. Then within ten seconds the receptionist had read out my full name (including middle name), address, telephone number, date of birth and e-mail address to which I complied and satisfied her that the information was indeed correct. Right there in a crowded waiting room! I was furious, but almost in slow motion my risk assessment head came out and like a female terminator a preliminary risk assessment was formed in my head.
In the midst of this whole ten second scenario, I looked round the waiting area, that was quite busy with nine people in the waiting area. In essence I was conducting a very quick risk assessment, this is what I deduced in those ten seconds:
– The median age of those waiting was approximately 60-70.
– They all had vision problems (otherwise why be in an opticians?)
– Hearing issues amongst the group, a few hearing aids were visible.
– Last but not least – why would any of them have any motive to be interested in my personal data?
As quick as a flash the data assessment was complete and my next appointment was booked.
The after thought
I left the opticians with a sense of confusion… should I have stopped the unconcerned receptionist and stated that I didn’t want to openly disclose my personal information, but I will verify it on screen? The screen was behind a high reception and would involve intruding on her personal space. Maybe the answer is yes, I guess like most people did not want to cause a fuss about a relatively minor point and nobody likes a know it all – should I care what people think? Maybe not, but I do and that’s unlikely to change anytime soon. My risk assessment could have been wrong and the actual facts could have been more like this:
– The average age was 45, just looked older….am I any good at guessing people’s age? I guess the thieves, criminals and vagabonds of yesteryear all become old at one point but we have this assumed naivety with elderly people.
– They may not all have vision problems, they could have been accompanying a friend or family member.
– Hearing aids could provide better/clearer hearing that those not wearing one.
– Motives could be endless dependent upon their circumstances and contacts.
It certainly all made me think!
Small business v corporate giants
The opticians are a small business competing with the larger commercial ophthalmic giants, offering vision correction treatment that their larger competitors are not. Personally, I respect this small business for standing out and offering a unique service not available elsewhere, securing the future of their business and keeping people in jobs. I know as a strong advocate for data security I would be on the phone demanding to speak to head office and complain if this was a high street brand.
So, what is the problem?
As a society are we too polite at times to challenge others in order to safeguard our personal data? Are we equipped with enough information to understand our rights? Or is the fact that the majority, not even give it a second thought, and think why would it happen to me?
If you find yourself in this situation, please learn from my experience:
– Please be bold enough to speak up! You don’t need to be rude or condescending – I think the tone to aim for is caring.
– Never debate the impact a particular crowd could have on your security. Don’t be fearful that one ‘kind’ of person is less technically able or less nefarious than another.
– If something doesn’t feel quite right, make your excuses to cause a diversion until you get your thoughts together.
– Understand that your personal data could be another persons next pay day, therefore treat your data with care and concern.
Bio: Caroline Kaye is a leading GDPR and ISO Standards Consultant who works with corporations to secure them from the common pitfalls. When not fighting a righteous battle for compliance she is a driving force behind the Yorkshire Security Cluster.