On the 25th May the General Data Protection Regulation, GDPR, will enter law. At that point we will see the biggest, and arguably most important, change to the way in which personal information is handled.
We will see more power given to the individual (the data subject in GDPR parlance) to control who has their information, what those third parties can use it for, remove consent for third parties to use their data and most importantly tell them (not ask!) to delete the data they hold – the ‘right to be forgotten’.
Failure to comply with these new rules may result in companies inappropriately holding or processing personally identifiable information to be fined.
In the UK the ICO (Information Commissioner’s Office) has long had the power to fine business that don’t comply with the Data Protection Act (DPA) – up to a maximum of £500,000 (see recent ICO notice where they fined TalkTalk £400,000).
Under GDPR this maximum increases significantly – up to €20M or 4% global turnover. Think about that for a second. That’s enough to wipe out companies.
What’s important to remember is that GDPR isn’t about fines. It’s about empowering the individual to have control over their data. For too long we’ve all suffered with nuisance cold calls about PPI, car crashes we haven’t been in, been on the receiving end of spurious mobile offers to name a few.
How did these people get your information? Through organisations who bought and sold personal data, phone lists, mailing lists etc. all procured because you may have ticked a box on a website allowing them to share your data with third parties. Yes, that’s right, you consented to this.
Consent is one of the significant changes when comparing GDPR to the DPA.
Specifically consent is something that must be given, not assumed – so no preticking opt-in boxes etc. – and must state clearly what the data subject is agreeing to. Specific details of what will be done with the personal information collected must be presented, the ambiguous statements like ‘we may share your details with 3rd parties or other affiliates’ are no longer allowed. You must be clear and accurate.
However for many of our customers, that are local government organisations, the need for consent and whether it is the right mechanism is something that has to be considered – especially when legislative and other requirements demand that personal information e.g. name, address, contact details have to be supplied and there is no option to say no. It is impossible, after all, to approve a planning application for something like an extension to a home without knowing the details of the individual (notwithstanding the obvious legal requirements etc. that trump GDPR).
Looking at what the ICO have to say about consent there are a few key points that are relevant to public authorities:
The full page can be found here:
Looking at the above points would mean that for a vast majority of services that local government organisations provide, asking a person to consent is not appropriate.
Now – the thing to remember is that if a council would like to offer other services to the resident based on the data that they provide when applying for planning permission or bulky waste collection etc. then consent for that use MUST be given by the individual. With exact details of how and what the data will be used for.
For more commercially minded councils who are looking to add revenue streams by providing residents with additional, relevant services then consent will become something that they need to consider – at which point these are capabilities that we can build into our products.
There is a lot to the GDPR and sources like the ICO website are excellent resources for helping you understand what is required of you and your organisation to be compliant.
The ICO are also human, and you can speak to them and obtain advice directly. I did the in December last year to validate some thinking around some work we were trialling and was pleasantly surprised at helpfulness of the gentleman I spoke with.
It is clear that as an organisation you have to know what data you hold on an individual and what it is being used for, and you have to have good controls around how that data is managed etc. With good information security and governance in place, and documented rational decisions around how and where personal data is used you are heading in the right direction.
The GDPR should strike fear into those cold callers who buy and sell our personal data with no regard for privacy. Responsible organisations should continue to be responsible and ensure good and appropriate controls are in place.
This article was originally published here.