No one in the world can function without using, or, being subject to the processing of their personal data. Positive treatment of this data improves society. Ensuring improvement isn’t derailed requires trust. Customers, clients and citizens will turn against those who abuse their personal data.
Any organisation that controls the use of personal data is in a privileged position. Big or small, data controllers MUST demonstrate due care.
Here are nine things your organisation needs to go beyond compliance and kindle trust:
1: Ethics
No board can ignore data privacy. Customers and stakeholders expect to see clear corporate commitments to it. A powerful step is to include a privacy commitment in your Corporate Social Responsibility (CSR) report. According to Forrester, 28 of the Fortune 100 did so in 2018, with a dramatic increase expected in 2019. If you’re not required to produce a CSR, your website and social media can include and clear commitments to privacy. We’re talking here about more than a privacy or cookie policy, something that goes beyond and demonstrates privacy is fundamental to your organisation’s future.
2: Data subjects’ rights
In many Countries citizens have rights over their personal data. As a data controller you need to ensure you can grant or provide:
- Access: To data personal data. Subjects - you need to provide sufficient information for a controller to validate and accurately respond to your request.
- Right to be informed: On how data subjects’ data will be held and purposes used for.
- Right to be forgotten: Data Subjects have the right to obtain from a controller the erasure of their personal data without undue delay.
- Restriction of processing: Only processing personal data for the legitimate purposes mutually agreed to.
- Ability to withdraw consent: Any data subject has the right to withdraw their consent at any time. The withdrawal of consent can’t affect the lawfulness of processing based on consent before its withdrawal.
3: Justifications for processing
If you process personal data make sure it’s backed by one of these:
- Contract: covering any processing that’s necessary for an existing contract to which the data subject is a party. Remember: In English Law this justification will cover the less formal agreements between a data subject and a data controller.
- Legal obligation: for processing that’s essential for fulfilling a legal obligation to which the data controller is subjected to.
- Vital interests: encompasses processing that’s essential to protect something essential to the life of the data subject.
- Public interest: covers processing by any organisation that’s essential for public interest. Said interest must be part of EU or national law, any processing must be proportionate to it.
- Consent: consent is appropriate when an individual, not the organisation, is in control of processing.
- Legitimate interest: processing that’s essential for a legitimate interest of the data controller, provided said interest is not overridden by the interests and rights of the individual.
4: Components
There’s many, this list is not exhaustive and a sample of the key issues I’ve experienced in a private sector firm that delivers services to clients across a range of industries:
- Technical and Organisational Measures (TOMs): All data controllers must adopt internal policies and implement measures which meet the principles of data protection by design and data protection by default.
- Change management: Once your TOMs are in place any changes to your Information Technology, Security or Privacy technology or processes must be approved by senior managers.
- Privacy Policy: No longer the de rigueur website accessory. Now, a pledge for your customers and stakeholders to believe in. Review, update and publish annually. Even if you haven’t made any changes ensure you demonstrate a review has taken place.
- Hard copies: In our digital age it’s easy to overlook the risks posed by hard copy data. Printers and the dear old fax can digitise paper records quickly.
5: Future developments
GDPR has been unleashed and has encouraged other democracies to improve legislation regarding data privacy. In tandem, the UK is divorcing its relationship with the EU. In tandem, Technological advancements pose new upside / downside risks.
A summary:
Personal Data Protection Bill (PDPB): After a landmark judgement by the Supreme Court of India which declared privacy as a fundamental right, the ‘Justice BN Srikrishna Committee’ released its first draft of the PDPB on 27 July 2018. Similar to the GDPR the PDPB has teeth, fines are substantial for serious breaches. It’s due to be enforced July 2019.
Brexit: The marriage is over: the European Commission needs to decide if the UK can afford adequate protection to European Union Citizens’ data. The signs so far are not good for the UK:
"Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR (General Data Protection Regulation)? Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR? How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?"
Michel Barnier (31/05/18)
Artificial Intelligence (AI): Decisions made without human intervention require care. Organisations exist for their shareholders or stakeholders. They’ll naturally strive for efficiency and accordingly automation is tempting. Especially if the highest business cost: wages can be cut by technology. You still need consent from data subjects, until robots process each other’s data, people need to know where AI is in play.
6: Core legislation
A three or four letter acronym will usually cover the regulations you need to comply with (in Canada you get six). Make sure you know all the regulations that affect the data you process. There’s a wealth of information available from Data Protection Authorities. The quality is varied but you can’t ignore it. Find it, analyse it and translate what it means for your organisation.
7: Independent Bodies
Are here assist and enforce data protection legislation and regulations.
In my view the Information Commissioner’s Office (ICO) has, throughout the age of austerity, provided a suite of practical and applicable data protection guidance. Anyone has access to it and UK firms will find it hard to justify they didn’t know about it. The ICO has embraced a multi-media communication campaign using social and traditional media.
8: Competent Privacy Professionals
Privacy teams need a range of knowledge and competencies. Qualifications are important but how someone performs is even more important. Develop competency models for privacy personnel and support their development. Broadly: you’ll need legal eagles, technologists, leaders and managers.
The British Computer Society, ISC(2) and the International Association of Privacy Professionals are renowned sources of support in this area.
9: Conflicts
National security can be used by Governments to trump Privacy. History demonstrates that governing parties in democracies that cannot demonstrate ability to keep their citizens safe fail. In some countries the governing parties have responded by executing laws which permit access to personal data on the grounds of national security. Capitalism operates on the basis of competition. If your client sees an opportunity for a foreign government to gain advantage over healthy competition, they’ll ask you to store their data in a suitable geography. The good news: Cloud providers are increasing global companies’ ability to host data across regions. The trick is to (a) have the budget to cover such flexibility or (b) be clear in procurement negotiations on where data can be processed.
Information Technology professionals are essential for facilitating effective data privacy programs. Being aware of these nine points will ensure they can positively influence any organisations’ trustworthy approach to reaching mission critical goals