Data Protection is changing. From 25 May 2018, organisations will need to be compliant with the General Data Protection Regulation (GDPR).
The regulation has been in place for some time so that organisations can prepare for this date. It affects those handling customer data under the auspices of the UK Data Protection Act 1998 (DPA) across the UK and the EU.
If you are currently subject to the DPA you will most likely need to know about GDPR.
For this reason we talked to J Cromack, CEO of MyLife Digital Practice and CEO of Wood for Trees Ltd, about what this regulation means to UK organisations.
MyLife Digital is a leader in Personal Information Management Services (PIMS), one of the fastest-growing sectors in the UK and global economy. MyLife Digital provides organisations and individuals with a trusted platform built on security, convenience and control for personal information and data management. Users can organise who can see and share their personal information and what can be done with it.
Q. The most significant change from the DPA to the GDPR is the accountability principle. The GDPR requires data handlers to show how they comply with the principles – for example by documenting the decisions they take about a processing activity. Why is this so important?
There are a number of core changes to how data is protected and regulated with GDPR. Accountability is certainly one of the main principles that underpins various different facets of the regulation, such as:
- the need for transparency
- the extended rights of the data subject
- purpose limitation
- applying the correct lawful reason for processing data, etc.
Having worked extensively in the data arena for many years, I’ve witnessed first hand the real decline in trust that individuals place in organisations and how their personal data is handled and managed – or not!
We hope that with GDPR, as organisations become more accountable – to the regulators and to individuals themselves – trust can be rebuilt or strengthened, on the basis that consent has been given for the use of personal information that benefits the individual, the organisation and hopefully society as a whole.
In terms of what organisations need to do, there’s no denying that this regulation will place more of a burden on both data controllers and data processors. With the GDPR, they must be able to demonstrate, and as importantly, prove compliance with data protection principles.
For example, a data controller is now required to implement ‘appropriate and effective measures’ (Recital 74) that demonstrate the compliance of processing activities. The controller will also need to be transparent about the purposes for which they are collecting and using the data.
Without getting too technical, we believe that the five main points of GDPR can be encapsulated in the 5W framework.
Q. Article 5 of the GDPR requires that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. How would an accountable person start to plan for this?
If you assume that every bit of Personally Identifiable Information (PII) being processed needs to have an impact assessment, you would start to visualise the enormity of this task. We recommend that the first action is to map exactly what systems, departments and people have access to and process PII. We call this a Data Protection Impact Assessment. It helps you identify the risks before you start any data processing activity.
One of the key phrases you will hear these days is “Privacy by Design”, which demonstrates that your systems have privacy and protection of personal information at their core, rather than as an add-on feature, and that these matters are considered from the beginning of the process, from the ground up. This will help you identify and implement appropriate security and data protection measures.
Q. Those whose personal information is being stored by a third party have the ‘right to be informed’, and this encompasses an obligation on the information holder to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how they use personal data. What are the first steps they can take to ensure they are compliant?
This is one of the major changes of the regulation. Previously, only data controllers were liable. With GDPR, anyone who processes data needs to be compliant.
For business leaders, this means making sure that all service providers and third parties have processing agreements in place.
Equally, organisations need to update their privacy notices and ensure that the required information is detailed. We recently ran a research project into Privacy Policies. The research highlighted nine key areas that need to be considered for inclusion under GDPR.
Q. Data portability may well become a hot topic. This, as we understand it, is the need to provide the personal data in a structured, commonly used and machine-readable format. Open formats include, for example, CSV files. The information should be structured so that software can extract specific elements of the data to enable other organisations to use the data, and the information must be provided free of charge. How does MyLife Digital approach the challenge of data portability?
OK – quite a technical question. Yes, data portability is important. We all know and use .csv files. MyLife Digital uses a lightweight data-interchange format called JSON. It’s easy for individuals to read and write and easy for machines to generate. We also store PII in our StrongBoxes, which are secure data storage. These accept any document.
Ultimately the sharing of personal data can only take place once the individual has consented for their data to be shared anywhere. All organisations will be accountable to their end users, or individuals.
Q. So it appears that Accountability is the most important new consideration that we all need to be aware of. What features and services can MyLife Digital provide to facilitate this?
We are a new company. The benefit of this is that we have been designing our system with privacy at its core – Privacy by Design – and will continue to evolve to meet the needs of the individual and organisations. What we can see is that no single department in an organisation is solely responsible for data protection and compliance. Every person in an organisation has to understand their role and responsibilities.
At MyLife Digital, our Consentric platform has the citizen at its heart, meaning each citizen’s personal information is protected in every transaction with an organisation, that the citizen can control their consent and permissions, and that there is transparency about why information has been collected, the purpose it’s being used for, and the details that are held.
Q. In conclusion, what Top Five Tips do you recommend that readers focus on?
- Before selecting any technology solutions, ensure you audit and understand the data you hold, where it is, where it came from, what purposes you are using the data for and which lawful reason you are applying to the processing of that data.
- Don’t assume GDPR is just a compliance thing! This is a company-wide endeavour to understand and adhere to the regulation. Ensure your employees, data processors and any third parties are fully trained.
- Understand the new and extended rights and how you can facilitate requests under these. The right to be forgotten is cited as the one that most people are concerned about, but understand it, know what data is impacted and identify a mechanism to facilitate this.
- Know whether you are a data controller or processor. Understand your obligations in each capacity and review vendor contracts to ensure they meet requirements.
- Transparency is key. Ensure your privacy notices and statements reflect your practices around data processing. Do not hide behind the jargon.