Correcting Privacy by Design errors with your software supplier

  • December 03, 2018

Data protection expert Lisa Wilson exposes the way in which some software companies are profiting from updating non-GDPR compliant systems.


During the past year of madness that has been the data protection revolution, I’ve discovered a very lucrative spin-off for software companies. Software development is in our family’s blood, with both my husband and son working in the industry, so I’m well placed to know a little more about it than most. But before I put these software companies on the naughty step, let me take you back to 1361 and the introduction of the very first privacy law in the UK, the Justices of the Peace Act. This allowed for the arrest of peeping toms and eavesdroppers. Today these would be you or I on a train reading the email on the laptop of the person in the seat in front of us. Oh, how things have changed!

As you can see from the evolution of the spoken word, moving forward to the written word and now the e-word, allowing someone to see the information we hold has been a concern for many hundreds of years, and laws have been put in place to protect against it. The introduction of the Data Protection Act 1998 was a natural progression of these. It did, however, give us many additional rights, one being to have our data deleted if we so requested. After all these years of protecting our data, and the introduction of the DPA 1998, how were software companies able to sell non-compliant systems that did not allow for this feature? Whilst I also take the point that the companies that bought these systems did not undertake the due diligence required, the cost of putting this fundamental error right can be extortionate!

Now anyone who knows me will tell you that I am made of strong stuff, but even I had to sit down when one company, a very well-known one too I might add, gave a quote of £20,000 to write the code to correct this and allow the customer to delete its data. Around this time I was thinking of phoning my husband and son to inform them that we were obviously missing a gap in the marketplace and to get the Sunseeker 95 on order!

The points to make are:

•    Never underestimate the importance of Privacy by Design and DPIAs.
•    Did these companies have a contractual obligation to be compliant with the DPA 1998?
•    If so, should the customer have to pay to put this right?
•    If you are unable to delete data in line with your retention policy, you are in breach of the GDPR.

And now the interesting question:

Do you pay to bring these legacy systems into compliance or accept the risk? What will you do?

Written by Lisa Wilson

Lisa is an experienced and passionate Privacy Consultant with a wealth of GDPR and compliance experience, gained from working with large corporates, local authorities and smaller enterprises. Lisa has recently undertaken a new role as Interim Data Protection Officer at Good Energy.

Find Lisa on LinkedIn.
