We’re all data subjects — so what can we expect under GDPR?

Published in Digital Leaders, May 23, 2018

Written by Maeve Walsh, Director of Policy and Advocacy at Corsham Institute

GDPR is a complex framework of requirements. But, although the text has been available for two years ahead of its introduction, many businesses are only now coming to terms with it. What’s taken them so long? At its heart is the principle of “data privacy by design and default”, which requires that the considerations for the safe and secure processing of personal data are understood before those activities can take place. It introduces a greater set of rights for data subjects, allowing each citizen more visibility and control over why, how and where their personal data is processed. With potential fines as high as £17m/€20m if companies don’t comply or there is a breach, there is a huge incentive to take GDPR seriously.

Let’s take a look at one specific sector. Over the last 20 years, online retail has boomed. Retail and supply businesses now routinely process the personal data of millions of customers. That personal data is probably being processed by many different parts of their business: the back-office IT function, the staff who prepare and dispatch the order, those who take payment information, delivery staff and, in some situations, returns handling teams. It’s essential that data processing activities are properly mapped out and adjusted to ensure “data minimisation” — but do all staff need to see every component of the customer’s transaction data? How can access be reduced to lower the risks? Is automated processing of personal data any more secure than manual intervention by staff?

Under GDPR, customers will rightly expect to have a clear and unambiguous understanding of why they are submitting their personal data, who will have access to it (both people and IT systems), and how it will be kept securely. This requires a review of Privacy Notices, and the clauses within the standard terms and conditions that communicate information about the need to process personal data. GDPR specifies six possible reasons why personal data may need to be processed, and at least one of these needs to be valid for the processing to be lawful. In our earlier example, the supply of goods or services to a customer is likely to be based upon “a contract with the data subject” or alternatively “the explicit consent of the data subject”.

For other data-processing activities, such as direct marketing to an existing customer base, the basis of “legitimate interests of the business” will probably be most appropriate, but care needs to be exercised to ensure that the interests of the business do not exceed the rights of the data subjects. Continuing the retail theme, with a growing number of businesses providing customer loyalty schemes that collect data whenever a customer makes a purchase, there is a clear need to understand:

  1. Whether customers understand how their personal data will be used within such schemes, for example to understand their retail habits and interests
  2. How to deliver customers’ rights, if they request that they do not want to receive direct marketing communications, or if they object to any automated decision-making activities
  3. How any third parties engaged to deliver “big data” analysis services are selected, and that they can also safeguard the personal data shared with them
  4. How the details of any selected third parties are shared with customers (e.g. within Privacy Notices).

So, it’s an understatement to say that GDPR is requiring significant focus and effort from all businesses. But it is entirely appropriate for the level of routine, daily personal data processing in today’s world. Each one of us is a data subject, and we should all have a reasonable expectation that our personal data is being kept securely, processed only for purposes we understand, and promptly deleted when no longer needed.

That’s not too much to ask, is it?

Originally published at digileaders.com on May 23, 2018.
