We blogged last year about what Data Protection Day is, where it came from and why it’s still relevant. This year we want to focus on the future, specifically GDPR and the opportunities and benefits it presents.
GDPR comes into force on 25 May, in case you didn’t already know.
Data protection is often seen as a box-ticking compliance exercise, and in terms of principles and obligations, GDPR is not too different from current law.
The step-change with GDPR is that the box-ticking days are over. Organisations need to step back, take a holistic view and embed data protection throughout their business. This means having a vision and strategy, policies and procedures, culture and training, and building data protection considerations into every stage of design and development. It has to become business as usual.
The best approach is to see this as an opportunity to really be consumer-centric. Putting people first will help you spot issues, streamline processes, consolidate databases, clean up your data, spot new business opportunities and reduce risk.
One GDPR principle that helps to reduce risk is data minimisation. This is about only collecting and using the minimum information necessary for what you’re trying to do. This means not asking people for more than you really need, or for ‘nice-to-have’ data that you’re not sure what you might use it for, or that you think might be useful later on.
The main way this reduces risk is that if you don’t have the data it can’t be hacked, misused or unlawfully disclosed. Companies need to change the mindset that more is better and that to serve their customers they need to know as much about them as possible. You don’t need to know everything about them to have productive and meaningful engagement and an ongoing successful relationship.
It’s not all about organisations though, GDPR strengthens rights and protections for individuals.
There is though a lot of misleading information out there about the rights. There is a risk that individuals think they have more far-reaching rights than they really do. Responsible organisations have an interest in explaining rights and managing the expectations of their customers so that individuals know what choices they really have, and are not angry or disappointed because they can’t get what they are asking for.
The rights in GDPR are a bit more complicated than now and so can be hard for people to understand. The key right is access, and that doesn’t change much under GDPR. You have the right to a copy of the personal information an organisation holds about you. There are some circumstances when you won’t get certain information, such as if it’s part of legal proceedings, or where it’s personal information about someone else.
You also have the right to have inaccurate personal information corrected. Again, this is not new, but you obviously have to provide evidence of the inaccuracy.
The rights that are getting the most attention are the rights to object, to deletion and to port your data. You can only object to an organisation collecting and using your personal information in certain circumstances; you can’t just decide you want an organisation to stop doing anything with your data.
The right to request deletion of information is sometimes referred to as ‘the right to be forgotten’. This is misleading as there is no such right. Again, in certain circumstances, you can ask an organisation to delete your personal information, but you can’t just delete your past.
The right to data portability is a new right and its aim is to allow individuals to get back personal information they have provided to an organisation, to use for their own purposes, including to provide to another organisation. The right also includes, where technically feasible, having the organisation port that information to another provider. It’s similar to when you port your mobile number when you change networks. Again, it’s only for certain data in certain circumstances but it’s supposed to make life easier for you if, for example, you wanted to set up a new account with a social media company and import all the information you had previously uploaded to another social media account.
It might not seem very consumer friendly to only have some rights available in certain circumstances, but organisations do have legitimate business reasons for collecting, using, keeping and sharing your information. So the rights have to strike the balance between giving individuals control over their own information and allowing organisations to continue doing legitimate business.
Watch this space for more blog posts on GDPR rights.