As a privacy enthusiast, I cannot describe how happy I am with the current data security and GDPR buzz. It sometimes feels like brands and organisations no longer care about what is happening with our data. To me it feels like they don’t care about possible flaws in their products or the impact a breach could have on their users or brands. They always want to know as much as possible, the more the better.
However, it’s not like we, the individuals, are without fault. People like to share information about themselves – most are not even aware of the possible consequences. A quick scan through Facebook can tell me more about my friends than they may possibly like me to know: information about their children, travel arrangements, political views, car details, copies of IDs and other personal information. Now, let’s think for a minute about what a stranger could do with this kind of information. But, you only share it with the people you know so it must be safe, correct? Well, not really.
Data is Everywhere
The use of personal information has always been a sensitive topic. Companies now use data to serve us with personalised content (remember the multiple “House of Cards” trailers?) – but only the smart ones make sure we don’t feel like our privacy has been abused. With GDPR, citizens will enjoy benefits such as clarity on how their personal details are used, for how long they are kept and who else gets to see them. It will also give everyone greater control over their own data and easy access to it. They will be able to contact organisations for copies of the data they may hold on them, or request that their data be corrected or even removed.
The Implications of GDPR
GDPR stands for the General Data Protection Regulation and, despite Brexit, is due to take full effect in the UK next year on the 25th of May. What does this mean? Well, for starters, no more pre-ticked boxes on the “Tick here if you do not, do, but not, do accept” sort of messages. Brands will now need to be transparent about their data collection and usage. People will be able to make a fully informed decision when giving consent to, or objecting to, the use of their personal data, whether for online behaviour tracking or marketing purposes. It basically means that we will finally know what is happening with our data.
As a digital agency, we’re always interested in exploring what’s possible for our users and clients. It’s not a secret that knowing more about user behaviour and preferences helps businesses provide them with the best possible personalised experiences and services. The easier the access to the data, the more opportunities, creative ideas and uses there are for it. As a data-driven business, we’re interested in all sorts of information: what content our blog visitors find interesting, how our clients’ sites are doing out there in the wild, whether our marketing campaigns are successful or not, etc. We are happy that with the introduction of GDPR, organisations like us will be able to demonstrate good data governance and appropriate protections, and enjoy the benefits of confident and secure data sharing practices. GDPR will help businesses better understand what data they have and where it is coming from.
Ensuring GDPR Compliance
Auditing is a great way to start ensuring you’re GDPR compliant. Don’t let it be boring though – information security is now becoming everyone’s business (not only the IT team’s) so make it an interesting and engaging experience for everyone. Your research can take the form of chats and workshops. At Storm we chatted with everyone who is an application or systems owner, or is handling data, or might come across sensitive details in the future. We wanted to discover what new individuals’ rights might mean for us, our clients, or suppliers. Remember, GDPR can affect different people in different ways – there will be a variety of information that you might want to know from your Developers, Marketing or HR teams. HR won’t know much about the security of your fancy Elasticsearch, just as your developer won’t necessarily be aware of what’s happening to his or her data if they leave the organisation.
The same goes for our development projects. At the start of every project we need to recognise what type of personal data we’ll be dealing with, what is to be collected, what it’s for, and whether we actually need it. Are there any other ways that meaningful insights could be gathered? How will we prove that the consent given to use the data was “freely given, specific, informed and unambiguous”? Where will we store the data? Is this option secure? What mechanisms will we use to protect it? What types of processing activities will the client need? Are they after any automatically analysed information? Are users happy for their data to be used that way? Is there anyone else who needs access to this data?
Mapping the flow of our data gave us better visibility of what is being collected and processed by either us or, where appropriate, our clients. Getting to know where your data resides will be a key element of your GDPR preparation. We’ve learned what sort of information brings no value to us but might pose a serious compliance risk in the future. Make sure you identify those and document all the activities you undertake in order to protect and secure the data that you hold. It will come in handy in case of an Information Commissioner’s Office audit. You may also need to provide details of the steps you took in order to prepare your business for the Regulation.
Convert your findings into a neat action plan. Here are some of the points you might like to include:
- Decide who will be responsible for dealing with data protection within your business and check whether your business needs to appoint a Data Protection Officer.
- Investigate what personal data you hold and process either as a Data Controller or Data Processor (as mentioned earlier, recognise the differences and needs between your teams). Remember, as a responsible business you should always use the minimum data that’s necessary to achieve your business objectives and encourage your clients to do the same.
- Review your existing processes to obtain consent and see if they are valid under GDPR – where needed, ensure you have an ability to record it and act on its withdrawal.
- Work out whether your system for processing sensitive personal information is in line with the regulation – ensure your business advocates, favours, and promotes the best and most secure methods and practices to protect sensitive data.
- Consider what changes you could make to your business processes to include a privacy impact assessment.
- Work out how you will deal with a data breach and notify the relevant authorities and individuals.
- Having a risk log will help you identify the issues early and possibly avoid or minimise any inconveniences.
- Decide how you will deal with data requests coming from either your users or the client. How will you identify the individual? How will clients confirm users’ identities when asking you for copies or erasure of their users’ data? Ensure you have appropriate agreements in place.
Trust is Key
Remember, openness builds trust. Users don’t generally trust companies with their data – according to the ICO’s research, seventy-five percent of UK adults don’t trust businesses with their personal data. Surprised? You shouldn’t be. If your users don’t know what you do with their data, they’re more likely to go to someone who is open and transparent. We all need to improve. Let’s strengthen transparency and provide our users, visitors, employees and clients with as much clarity as we can. We at Storm ID know it’s a challenging task, but we know it’s worth it. The more we do to increase trust and confidence in how everyone’s data is being used, the more we will be able to accomplish. At the end of the day, you wouldn’t go and give your personal data to someone suspicious.
So, how about this social media ‘friend’ you’ve never really met?