There’s no shortage of advice for businesses on preparing for GDPR – from the detailed guidance and resources produced by the Information Commissioner’s Office through to a rapidly growing industry of GDPR seminars, conferences and blogs.
If we look at it from the perspective of “data subjects” – that’s all of us as individuals – the GDPR will enshrine a host of new rights that we can action in relation to the data that companies and organisations hold on us. The recent Digital Leaders blog by Catherine Knivett, Corsham Institute’s Head of Partnerships, sets these out in more detail. These new rights will undoubtedly change the relationship between the public and any organisation that holds their data. And, under the headline-grabbing shadow of a fine of up to £17m, or 4% of global turnover, the focus in the run-up to 25 May is on how organisations can demonstrate compliance with GDPR.
Thanks to a number of surveys in recent months, we are gaining a deeper understanding of people’s attitudes to data: its protection and people’s rights to privacy and control, their levels of trust in organisations that hold their data, and what they want those companies to do to improve their understanding and trust. For example, Doteveryone found that:
In an Open Data Institute (ODI) survey, 94% of respondents said trust was important in deciding to share personal data. It also found that 33% of respondents would feel more comfortable sharing data if organisations explained how it is used and shared, and 18% would welcome step-by-step instructions from organisations about how to share data safely.
But, on the subject of what the new GDPR rights mean for individuals, how they might use them and what the trade-offs might be, there has been little testing of attitudes and a notable gap in public engagement by the Information Commissioner’s Office (ICO). This is starting to change, with the announcement earlier this month of the launch of “Your Data Matters”, with related communications materials for organisations to use with their customers. Yet this period of radio silence has been at a time when public awareness of data protection, privacy and ownership has been heightened by recent events involving Facebook and Cambridge Analytica.
So that’s where Ci’s Your Data, Your Rights project comes in. The project is founded on the principle that an understanding of how data is used and shared online is a key component of a digitally literate, inclusive and confident community. By understanding local needs in relation to this and identifying how outcomes can be improved for a group of people in a particular setting using a specific approach, Ci is building the foundations for further community-based activity. We will also find approaches that work and can be scaled or used elsewhere.
You can read more about our project and the findings from our Corsham community survey on the Ci website, here.
As the clock ticks down to GDPR, there are a few notable observations from our survey that it is worth reflecting on. We carried out our Your Data, Your Rights survey shortly after the news about Cambridge Analytica and Facebook broke and asked our respondents a few questions about its impact on their attitudes: 80% said that these events had made them think more about their data and what they share online; and 40% said it had changed the way they feel about organisations having access to their data ‘a lot’.
Interestingly, there was a higher level of concern among the over-65s (60% answering a lot) than the 16-25s (only 10%). In response to other questions, there was also a clear demand from our respondents for more information on how to use their new digital rights.
Yet, when asked questions about what counts as personal data and how it is used, there was a striking lack of certainty: less than half of our respondents picked the accepted ICO definition of personal data, and only 18% said they knew a lot about the collection of their data. This aligns with the 20% of people in a comprehensive Eurobarometer survey who felt they are “always informed about data collection and the way data are used”. Seventeen percent of our Corsham respondents said they knew nothing at all about what their data might be used for.
But, crucially, the collection of this data is important to Corsham residents: 60% of respondents said they care a lot about what organisations might use their data for (rising to a staggering 87% among over-65s), while only 3% said they didn’t care at all and 4% said they hadn’t thought about it before.
GDPR gives people a means by which to act on these concerns: to find out what data is held on them, to rectify changes if it is wrong and to move it elsewhere if they wish. And it is also a huge opportunity for businesses to demonstrate that they understand the importance of this to individuals and to build a proactive relationship with their customers, that is built on trust and transparency about data and all its uses.
So, in the next stage of our project, we will be working directly with groups in the Corsham community to delve more deeply into the survey findings and to co-produce the information they need to help them better understand what their data is used for, their new rights, and how and when they can use them. Ci will also use the insight and evidence gathered via our work with the Corsham community to feed into our Digital Trust project, where we are working with partners to influence a regional and national debate, involving policymakers, businesses and other influencers.
This article originally appeared on the Observatory for a Connected Society, powered by Corsham Institute and RAND Europe