And we do worry about personal data. We worry about our phone numbers, and our dates of birth, our bank accounts and our passport numbers. We worry while giving them to all sorts of people for all sorts of purposes.
And now some of us suddenly worry about a new set of capital letters: GDPR. The General Data Protection Regulation.
Health Warning: the rest of this blog is quite dry. You could just skip to the poem at the end if you're not feeling strong. Or go for a nice walk.
The GDPR is a piece of European legislation (please don't mention Brexit) designed to protect consumers Europe-wide. It gives more rights to the individual and more obligations to organisations holding personal data.
The GDPR is, to be precise, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing or personal data and on the free movement of such data, and repealing Directive 95/46/EC.
In the UK, matters of data protection, including this one safe-guarding 'natural persons', are looked after by the ICO, the Information Commissioner's Office. This is the government-appointed body that recently carried out a much publicised investigation into Cambridge Analytica.
Innumerable worthy, smaller, not-for-profit organisations (like HappenStance Press) have also had to think hard about GDPR, because they too are subject to the new regulation, and need to ensure they're doing things properly.
Which is why everyone who uses email will have had multiple emails recently asking them to re-subscribe to X, Y or Z.
The idea is that we shouldn't be receiving marketing or sales emails unless we have expressly asked for them. (The word 'consent'is now the lynch pin.)
After May 25 (next week), every organisation that holds your contact details, and uses them, should have asked your permission explicitly first. They should observe the key principles of article 5 of the GDPR.
Some organisations who hold your contact details have little idea whether they originally asked your consent or not (contact addresses were sometimes shared or purchased in the past) and in any case they want to make double sure.
So they are all asking us to confirm that we want to stay on list A, B or C. (And they are nervous, because the ICO can fine people for not doing things properly.)
The advised consent procedure for mail-shots is called 'positive opt-in' and it works as follows. You go to a website (like this one) and enter your details into a box to be added to a contact list. But you're not actually on that list until you reply to an email which invites you to confirm. When you confirm, this is proof of 'consent', i.e. proof you really really mean it. At least, you really meant it at that moment. Ease of unsubscribing is also important.
So on this very blog page, you will see, in red, instructions on how to subscribe to receive future blog notifications. If you enter your name and email address in the relevant box and click, you will be advised to look out for an email to confirm.
You look out for the email. You open it. You click again (life is all clicking these days). Now you have consented. Hurray!
Oh but I haven't mentioned the bit about confirming that you're not a robot, which is straightforward so long as you can see. Issues such as these are raised by Giles Turnbull, on his blog. Accessibility is a key issue here, and one that is not always top of the agenda when it comes to legislation.
I understand why people may be uneasy about registering their names, addresses and emails on this website when they purchase books. Why should they trust a little press with a happy-go-lucky name like 'HappenStance'? The information seems to be disappearing into a medium that nobody quite understands, at the same time as we read alarming stories about hackers and alien intelligence. Well, hackers anyway.
There is a good alternative to buying things online. It's called a shop. People can still order books from bookshops without revealing their full personal details. Bookshops are good places, especially indies like The Lighthousein Edinburgh. A bookshop doesn't need personal data. Oh, wait – they probably will require at least a name and phone number, unless the book is held in store. But customers can theoretically use a false name, enter the shop disguised as a gorilla, and pay in cash – while cash still exists.
Sigh. Yes, basically, it's all risky.
But the GDPR is designed to protect us. Or at least make organisations state precisely what personal information they collect from us, why they collect it, and what they use it for, before we sign up. It could be worse.
This poem will not collect your data
to contact you a few weeks later
and call you back.
The lyric stands alone, defiant,
entirely GPDR compliant,
in white and black.
Impervious, then, to consternation
or European legislation
or Union Jack,
it here extends its own address,
which may be shared in times of stress—
no fear of flak.