Having worked extensively in the data arena for many years, I’ve witnessed first-hand the real decline in trust that individuals place in organisations and how their personal data is handled and managed – or not!
We hope with GDPR that organisations become more accountable – to the regulators and to individuals themselves – that trust can be rebuilt or strengthened, on the basis that consent has been given for the use of personal information that benefits the individual, the organisation and hopefully society as a whole.
In terms of what organisations need to do, there’s no denying that this regulation will place more of a burden on both data controllers and data processors. With the GDPR, they must be able to demonstrate, and as importantly, prove compliance with data protection principles.
For example, a data controller is now required to implement ‘appropriate and effective measures’ (Recital 74) that demonstrate the compliance of processing activities. The controller will also need to be transparent about the purposes for which they are collecting and using the data.
Without getting too technical, we believe that the five main points of GDPR can be encapsulated in the 5W framework.
Q. Article 5 of the GDPR requires that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. How would an accountable person start to plan for this?
If you assume that every bit of Personally Identifiable Information (PII) being processed needs to have an impact assessment, you would start to visualise the enormity of this task. We recommend that the first action is to map exactly what systems, departments and people have access to and process PII. We call this a Data Protection Impact Assessment. It helps you identify the risks before you start any data processing activity.
One of the key phrases you will hear these days is “Privacy by Design”, which demonstrates that your systems have privacy and protection of personal information at their core, rather than being an add-on feature, or that these matters are considered from the beginning of the process, from the ground up. This will help you identify and implement appropriate security and data protection measures.
Q. For those whose personal information is being stored by a third party, they have the ‘right to be informed’, and this encompasses an obligation on the information holder to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how they use personal data. What are the first steps they can take to ensure they are compliant?
This is one of the major changes of the regulation. Previously, only data controllers were liable. With GDPR, anyone who processes data needs to be compliant.
For business leaders, this means making sure that all service providers and third parties have processing agreements in place.
Equally, organisations need to update their privacy notices and ensure that the required information is detailed. We recently ran a research project into Privacy Policies. The research highlighted nine key areas that need to be considered for inclusion under GDPR.
Q. Data portability may well become a hot topic. This, as we understand it, is the need to provide the personal data in a structured, commonly used and machine-readable format. Open formats include, for example, CSV files. The information should be structured so that software can extract specific elements of the data to enable other organisations to use the data, and the information must be provided free of charge. How does MyLife Digital approach the challenge of data portability?
OK – quite a technical question. Yes, data portability is important. We all know and use .csv files. MyLife Digital uses a lightweight data-interchange format called JSON. It’s easy for individuals to read and write and easy for machines to generate. We also store PII in our StrongBoxes, which are secure data storage. These accept any document.
Ultimately the sharing of personal data can only take place once the individual has consented for their data to be shared anywhere. All organisations will be accountable to their end users, or individuals.
Q. So it appears that Accountability is the most important new consideration that we all need to be aware of. What features and services can MyLife Digital provide to facilitate this?
We are a new company. The benefit of this is that we have been designing our system with privacy at its core (Privacy by Design) and will continue to evolve to meet the needs of the individual and organisations. What we can see is that no single department in an organisation is solely responsible for data protection and compliance. Every person in an organisation has to understand their role and responsibilities.
At MyLife Digital, our Consentric platform has the citizen at its heart, meaning each citizen’s personal information is protected in every transaction with an organisation, that the citizen can control their consent and permissions, and see where there’s transparency about why information has been collected, the purpose it’s being used for, and the details that are held.
Our Consentric Permissions solution highlights a detailed trail of data and consent history, which includes provenance of data and consent along with keeping a record of the specific statement they were shown and the privacy policy in place at the time.
Q. In conclusion, what Top Five Tips do you recommend that readers focus on?
- Before selecting any technology solutions, ensure you audit and understand the data you hold, where it is, where it came from, what purposes you are using the data for and which lawful reason you are applying to the processing of that data.
- Don’t assume GDPR is just a compliance thing! This is a company-wide endeavour to understand and adhere to the regulation. Ensure your employees, data processors and any third parties are fully trained.
- Understand the new and extended rights and how you can facilitate requests under these. The right to be forgotten is cited as the one that most people are concerned about, but understand it, know what data is impacted and identify a mechanic to facilitate this.
- Know whether you are a data controller or processor. Understand your obligations in each capacity and review vendor contracts to ensure they meet requirements.
- Transparency is key. Ensure your privacy notices and statements reflect your practices around data processing. Do not hide behind the jargon.