Much like the stages of grief, the General Data Protection Regulation (GDPR) has elicited shock, denial, anger, depression and reflection. We’ve all got until 25th May 2018 to make sure we get through to acceptance and hope.
Let’s be clear: the GDPR isn’t about vilifying charities, it isn’t ‘another costly regulation from the EU’ and it isn’t the cookie law. GDPR is probably one of the most important regulations we’ll see for a while. It was co-created with the ICO, so we won’t lose it after Brexit (much the same as we won’t lose most of the regulations currently in place) and, most importantly, it’s about protecting the rights and freedoms of the people and communities we’re trying to help.
It’s also one of the most reasonable and well written regulatory documents I’ve come across (I’ve read more than I’d like to admit), giving balance to both the organisations required to comply and the people it’s trying to protect. Hopefully we’ve all got a grasp on what it covers now so I’ll not run through that again but let’s take a look at some of the more important, and in some cases interesting elements of the GDPR.
Regulations are not checklists.
If you want the ICO or a data protection blogger to give you a nice, easy-to-follow list of key steps to achieving compliance then you’re going to be disappointed. There are explicit elements such as ‘do you have consent from the user’ – CHECK. But concepts like what you do with that data and how you process it are more ambiguous, and for good reason.
How could they list every way you might process data? And how about changes in technology?
Regulatory documents are not about ticking boxes; you need to understand the essence of compliance, which in this case is the protection of the rights and freedoms of the data subject: the person who has trusted you with their information, to use it in a way that is appropriate. So if you want to use someone’s data and you have that niggling feeling in your mind that maybe it isn’t right, chances are it isn’t, so you shouldn’t.
And if you don’t know, ask! Like any regulatory body, the ICO are not just there to punish you with fines when you mess up; they’re there to help and advise you on best practice. Furthermore, if you can demonstrate that you are trying to be compliant, in those hopefully rare moments when something might go wrong you’ll be represented in a much better light, to both your audience and the ICO.
To understand the GDPR, you need to understand its principles, so here they are (and this is not a checklist):
- Lawful, fair and transparent
- Collected for specific, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in a form which permits identification for no longer than is necessary
- Processed in a manner that ensures appropriate security
Lawful, fair & transparent
Lawful is predominantly covered by the nature of consent, which we’ll look at below, and while fair and transparent seem the most obvious principles, they present some of the biggest challenges. Organisations are going to have to wrestle with what constitutes fair whilst also trying to achieve their goals, and this is only right. You should constantly question whether your use of personal data is fair and make sure you record the choices you make.
Recording these kinds of decisions is a key part of regulatory compliance and helps you to be transparent. Get into the habit of logging as much as possible in relation to your data processes; chances are you’ll not need it, but when you do you’ll be thankful it’s there.
Legitimate and necessary
What are you doing with the data, and what data do you really need?
We love data just as much as the next analytics geek, but you can’t gather data just for the sake of it, or just in case you can find a use for it later. So know what you’re doing with the data and make it clear to the subject.
Accurate and up to date
The point on accuracy is interesting: you are expected to ensure that the data you hold is accurate, or you are required to delete or rectify the error. It seems confusing until you start to think about the kind of situations that incorrect data can lead to, and the kind of annoyance or even pain it could cause.
Obviously data needs to be up to date in order to be accurate, but this raises another key consideration for the data you are storing: for what period is consent valid? Simply put, how long should you hold data?
This isn’t an easy question and the answer largely relies on context; you need to consider questions like: are you in regular contact with this person? Do you have an ongoing contract?
Clarifying how long you will hold a person’s data for should be included at the point they give you consent. The ICO offer an average guideline of 2 years for holding a person’s data outside of any specific requirements, so if you’re not sure I’d stick with this.
This month Gloucester City Council were fined £100,000 by the ICO after a cyber attack in 2014, using the ‘Heartbleed’ vulnerability, accessed council employees’ personal data. Please do remember that personal data covers any personal data you hold about anyone, including your employees.
‘Heartbleed’ went public on April 7th; Gloucester council’s IT team had identified an issue with their own system by the 17th. A patch was available but nothing was done, as at that point they were outsourcing updates of this type to a 3rd party and this was overlooked.
Appropriate attention and importance need to be placed on your data security and on maintaining your software; updates are essential. And if you’re dealing with 3rd parties, have appropriate processes in place to ensure the right work is getting done when it most needs to be done. This is helpful anyway, for both parties, to better manage their time working together.
Consent has always been an issue, from people not realising what it is they’re signing up for, to obscure backroom dealing of data. This is in no way an issue for just charities either; there are plenty of commercial organisations that have been penalised. Recently Honda was fined for sending 289,790 emails asking how people would like to be contacted; they thought this was classed as ‘customer service’ but the ICO classed this as marketing, because it is.
You don’t actually need consent.
Yes, that’s true.
Consent is only one of the principles, so if you think you can use that data without breaching the rights of the data subject, go right ahead. But let’s be honest, in most cases for charitable and non-profit organisations, contacting the data subject is going to require some form of consent, and consent is the most recognisable principle to the wider public.
The ICO has guidance on consent, so if you’re not sure take a look.
Clear affirmative action is the key to consent; signing your name, ticking a box, clearly stating ‘yes’, these are examples of positive action.
Clear affirmative action is not ‘untick this box if you would not…’ or pre-ticked boxes, the person has to choose consent through action, not inaction.
Specific & granular
How are you going to contact this person?
What will you contact them about?
As part of GDPR you are now expected to give people these options, and in reality this is great because it helps with your segmentation. When users have more control over how and what they are contacted about, they are more likely to engage with that content.
The aim is to make consent more organic, not a one-shot deal where a user completes a form and you never discuss their preferences ever again. In addition to this, you are expected to provide people with the ability to withdraw consent by the same method in which they gave it. So if someone signs up via an online form, they need another form to say ‘stop bothering me, you’re boring me’, or something to that effect.
Subscription options via email have been around for a while, but this process is new and some questions still remain about how this would be technically possible.
If the ICO receives complaints that you have been acting in contradiction of GDPR and contacting people without their explicit consent how can you prove otherwise?
Just having a user’s data doesn’t demonstrate that you have it legally, and this is where documentation comes in: to prove that you should have that data and that you’re using it correctly. For that reason, not only should you be recording that consent, but you also need to record what they consented to and the information they were given.
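The kind of record the last few paragraphs call for, as an added example that is not from the original post: a small Python consent ledger that refuses pre-ticked boxes, stores consent per channel and per topic together with the notice text the person was shown, records withdrawal, and can produce the evidence you would hand to the ICO. The channel, topic and method names are assumptions, not terms from the GDPR or ICO guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Constructed example: an append-only consent ledger. The channel, topic and
# method names are assumptions, not terms taken from the GDPR or the ICO.

@dataclass
class ConsentEvent:
    subject_id: str
    channel: str         # how they may be contacted, e.g. "email"
    topic: str           # what they may be contacted about, e.g. "appeals"
    granted: bool        # True = consent given, False = consent withdrawn
    method: str          # how the choice was made, e.g. "web_form"
    notice_version: str  # which privacy notice they were shown
    notice_text: str     # the exact wording shown at the point of choice
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

class ConsentLedger:
    def __init__(self):
        self.events = []  # append-only: nothing is edited or deleted, so history is evidence

    def record_choice(self, subject_id, channel, topic, ticked, method,
                      notice_version, notice_text, pre_ticked=False):
        # A pre-ticked box is inaction, not affirmative action: refuse to treat it as consent.
        if pre_ticked:
            raise ValueError("pre-ticked boxes cannot be recorded as consent")
        if not ticked:  # an unticked box creates no record; there is nothing to prove
            return None
        event = ConsentEvent(subject_id, channel, topic, True, method, notice_version, notice_text)
        self.events.append(event)
        return event

    def withdraw(self, subject_id, channel, topic, method):
        # Withdrawal is never refused and is logged against the same channel/topic pair.
        event = ConsentEvent(subject_id, channel, topic, False, method, "n/a", "withdrawal")
        self.events.append(event)
        return event

    def _latest(self, subject_id, channel, topic):
        matches = [e for e in self.events
                   if (e.subject_id, e.channel, e.topic) == (subject_id, channel, topic)]
        return matches[-1] if matches else None

    def may_contact(self, subject_id, channel, topic):
        # Granular: checked per channel and per topic, and the most recent choice wins.
        return self.evidence(subject_id, channel, topic) is not None

    def evidence(self, subject_id, channel, topic):
        # What you would show the ICO: the latest granting event, with the notice the person saw.
        latest = self._latest(subject_id, channel, topic)
        return latest if latest is not None and latest.granted else None
```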
I have my doubts that people will ever read the privacy statement, even with less jargon and clearer information, but I’m open to being proven wrong. A benefit to having a better privacy statement is demonstrating transparency and building trust. The point at which it might be read is when someone isn’t happy and if the information is easy to find then there’s a good chance that could help to repair the situation.
The privacy statement might not get read, but giving someone brief details on how their data will be used could help conversions. Also known as tooltips, these are the little question marks that accompany many forms. It’s existing technology, so if you don’t already have this, get your IT team to find a solution that suits your setup.
Be honest with these and keep the notices brief; you do this by linking to the full privacy statement for more information.
An interesting addition to GDPR is the requirement that any changes do not affect the user experience. Any fears of painfully long forms with lots of long paragraphs full of information can be dispelled. The inclusion of this guidance is to demonstrate a clear link between an easy to use process and understanding how your data will be used. Complex processes, besides being terrible for conversion, obfuscate essential information like data protection.
Let’s forget the slightly ridiculous allusions to creating a codified language for data protection using icons and symbols. The future of data protection is an interesting and potentially volatile one, as there are some pretty major factors which affect its course, the biggest of these being technology and culture.
GDPR attempts to factor in this capacity for change by giving room for further development whilst also understanding that change of this scope is not necessarily viable for every organisation. What that means is you’re not expected to have fully fledged privacy dashboards available next year, but at some point, as this technology becomes more commonplace, this will be the preferred option.
A privacy dashboard would give a person that extra control to view and manage all the data you hold on them making the process more transparent and easier for you to manage. Versions of this are already being developed, one example is from the team behind the charity CRM ThankQ, who are working on a tool that they hope will connect with any CRM system.
This however feeds into the wider question of culture and how we view, not just our data, but how it is used. Data is a vast and wealthy commodity now and some of the biggest organisations in the world are making a lot of money from this, from us. As the conversation about this topic grows we’ll start to see a shift towards people managing their own data and projects like Nesta’s DECODE will become more common.
Personal Information Management Systems (PIMS) will be the next step in managing data and, should tools like this take off, much of the burden on the organisation will be lifted. But that would mean another huge shift for charities: if data is the big commodity of the future then campaigns encouraging users to allow access to their data could well be where we are heading.