Back in April, I was keeping an eye on the news. As a football fan and a human being, I was watching Theresa May make her statement in Parliament about Hillsborough and as a Data Protection Officer, I was searching for news about the European Parliament adopting the General Data Protection Regulations (GDPR) which replaces the 1995 directive that most of you will recognise as the Data Protection Act 1998.
Change is coming
Why replace it? Four years ago, the EU realised that a single harmonised framework for data protection was the way forward rather than the patchwork quilt of legislation that largely met the minimums of the 1995 directive, but also reflected the very specific attitudes of each member state.
It will be in force from May 2018 and it should really be a ‘wake-up call’ for every organisation in Europe. What does it all mean? Well, if you do data protection badly, the GDPR can be a huge threat to your business with huge penalties. However, I would say that if done well, it can take your business further, can improve customer satisfaction and even improve your bottom line. You know, for too long data protection has been seen by business as a nuisance, an unnecessary and therefore an unwelcome layer of bureaucracy. I want to show you how the GDPR makes complete sense to anyone who wants their organisation to benefit from holding personal data.
It is simple really. There are three general reasons for holding personal data - 1) To service the contract you have with customers, 2) To invite them or others to buy more from you or 3) To make better decisions about where you take your business.
Similar to the existing Data Protection Act, the GDPR has some basic principles. They simply state that you should only collect what you need and make sure it is for a legitimate purpose. You should also be open and transparent. Holding personal data is a bit like ‘A Dog Isn’t Just For Christmas’ in that you have an ongoing commitment to that data for as long as you keep it. If you need to keep it, you must keep it up to date regularly. If you do not need it any longer, then you must delete it. You need accurate data to service your contracts, get more business and make those better decisions. So the GDPR is only really making you think more about the personal data you hold, but the outcome is actually in your favour.
Your customers provide their personal data to you and some it you can demand, the stuff that is necessary to service the contract you have with them, the rest is discretionary. All of it must be offered freely and this means that they must trust you with it. If you stop and think about it, you are the curator of a museum. If you were given lots of Ming vases for your collection but kept breaking them, do you honestly think you would be given many more? Nope. Those Ming vases are clearly valuable items, but the personal data that you care for on behalf of your customers also has a value and they wouldn’t keep giving you their personal data because the trust would not be there if you abused it or did not look after it. All you have to do is to keep that personal data safe and treat it with respect. So, the idea of value of personal data intrigues me.
Time for a valuation
Hopefully, we all have finance departments. Teams of people who specialise in understanding where money enters the business in the form of income, what it does while it’s there, and where it leaves in the form of expenditure. Transactional data is recorded and reconciliations are carried out to ensure that we can all comply with accounting practices. Why? Money has a value. There are accounting rules that we must follow but there is an entire ‘culture’ that exists that is based on the value of money. For years, personal data has been treated as a freebie by organisations and not truly appreciated by the data subjects whose data it is.
Many of you will engage with consultancies and auditors to prepare for GDPR, and indeed I would recommend that you do, fairly quickly. These new regulations are not going anywhere and you should not put your head in the sand. That will make sure you follow ‘the rules’ and you will almost certainly end up with a gap analysis and an action plan. But, what you need is to promote the ‘culture’ that goes with it. You need to change the way your teams think about personal data and understand the value of it. When you train people in data protection legislation, ask them what they medical history is worth. Ask them what would happen if that was leaked. How would they feel? Could they put a price on it? Ask them what assurance they would expect from an organisation.
Back to the GDPR, I have been concerned by the number of people, some of whom are Data Protection practitioners, who have told me that as the UK is leaving the European Union, there is no point preparing for GDPR because we would no longer be subject to it. Well, timing is an issue for a start as the UK would still be a member of the EU in May 2018, even if we had signed Article 50 already so we would need to be compliant, although this is all in the air subject to the negotiations.
With a wider view, there is the Digital Economy Bill that is going to Committee Stage in October on its way to Royal Assent as early as February 2017. The bill is designed to create the right environment for the increased use of digital technologies in the UK. But, a healthy market comes from two things - supply through availability of broadband, etc. and that assurance again. If people feel that the law is not able or willing to appreciate the value of their personal data, then we will fail to build a digital society no matter how quick your broadband connection is. We would therefore need some legislative assistance in giving everyone that level of assurance which would be akin to GDPR because the existing DPA is from a time before social media and cloud technologies that are oblivious to borders.
In Europe, they are building a Digital Single Market. The GDPR is designed to give the assurance needed. Regardless of our relationship with Europe post-2019, we want the UK IT sector to take advantage of opportunities in Europe and therefore we will need to follow GDPR.
Something to think about
For your own organisation as well the wider community, digitalisation is advanced through the application of technology but also the assurance for your customers and potential customers. It should not require GDPR to enable this, but it is a jolly useful imperative to get buy-in from your Boards.
Those fines are there to penalise the naughty but also to bring about some real change in the way everyone thinks about personal data. Your organisation can really benefit from re-thinking how it manages personal data and how it could be innovative. When your customers give you their personal data and they have assurance, they want you to use it in ways to help them, to make their relationship with you special.