Finding your direction through GDPR…

…and why you may need to be compliant before 25th May 2018!

This article was originally published by Stuart Duthie on the Qualocity blog.

On 25th May 2018 the General Data Protection Regulation (GDPR) becomes law. Irrespective of our relationship with Europe now, or in the future, companies will need to abide by it if they hold data relating to an EU citizen. This is one of the key differences between GDPR and the 1998 Data Protection Act, and is likely to be a theme in other global data regulation.

This article outlines some of the new elements that GDPR contains, to aid general direction finding. There will be processes to implement, the same as with any regulation, but also a few areas that may require closer consideration. We will look at 5 areas worthy of consideration and suggest 5 things for which implementing GDPR could be helpful.

Finding your direction: the GDPR Compass

5 Key considerations

1. Personalising your services

I am calling this out because there is such a strong trend in this area, particularly in the world of B2C commerce. However this may also apply for small businesses, where the identity of the person is almost interchangeable with the identity of the business.

Your approach to big data, personalisation and profiling (and pricing) based on people’s data and technical elements such as IP address or MAC address may need to be reviewed. At the very least you will need to be clear with people about what you are doing, and request their specific permission to do it. This applies to online interactions as well as offline ones, for example any in-store interactions with people’s phones, mobile apps, etc. You will need to be able to provide the clear logic and mathematical evidence behind the personalisation (particularly, perhaps, where there are pricing implications or changes to the actual services provided) and to fully secure the data involved in the personalisation algorithms. This includes the way in which external data sets (e.g. Facebook) are used.

As above, explicit permission (i.e. “I want this”) will be required rather than implicit permission (i.e. “you didn’t say you didn’t want it”, or “it’s implied because you came into our store”).

2. Review how you use and create ‘anonymous data’

Anonymisation or ‘pseudonymisation’ (the process of replacing key information such as names) becomes insufficient if the owner (or a small group of owners) can be reasonably inferred. This includes when the data is matched with other data you hold, data that is available publicly, or data that is “public knowledge”.
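The linkage risk described above, as an added example that is not part of the original article: a small Python script (every record in it is constructed) that pseudonymises names with a keyed hash, measures how many records share each combination of the quasi-identifiers left in clear (k-anonymity), shows how a record with a unique combination is re-identified by matching it against a constructed public register, and applies generalisation and suppression as the mitigation before release. The salt, field names and thresholds are assumptions for illustration.

```python
"""Why replacing names is not enough: quasi-identifier linkage and k-anonymity.

Added example, not from the original article. All records are constructed;
postcodes are simplified to district level and the salt is a placeholder.
"""
import hashlib
from collections import Counter

SALT = b"example-salt-held-by-controller"  # assumption: secret kept by the data controller

# Constructed internal records. "name" is the direct identifier; postcode and
# birth_year are quasi-identifiers that stay in clear after pseudonymisation.
RAW_RECORDS = [
    {"name": "Alice Example", "postcode": "EH1", "birth_year": 1980, "diagnosis": "A"},
    {"name": "Bob Example", "postcode": "EH2", "birth_year": 1983, "diagnosis": "B"},
    {"name": "Carol Example", "postcode": "G2", "birth_year": 1975, "diagnosis": "C"},
    {"name": "Dan Example", "postcode": "G2", "birth_year": 1975, "diagnosis": "A"},
    {"name": "Eve Example", "postcode": "AB10", "birth_year": 1990, "diagnosis": "B"},
]

# Constructed public register (electoral-roll style) carrying the same quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "Eve Example", "postcode": "AB10", "birth_year": 1990},
    {"name": "Alice Example", "postcode": "EH1", "birth_year": 1980},
    {"name": "Frank Example", "postcode": "EH1", "birth_year": 1980},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year")


def pseudonymise(name: str) -> str:
    """Replace a direct identifier with a keyed hash; only the salt holder can re-link it."""
    return hashlib.sha256(SALT + name.encode("utf-8")).hexdigest()[:12]


def pseudonymised(records):
    """Drop the name and add a pseudonym; everything else is left unchanged."""
    return [
        {**{k: v for k, v in r.items() if k != "name"}, "pid": pseudonymise(r["name"])}
        for r in records
    ]


def _qi_key(record, quasi):
    return tuple(record[q] for q in quasi)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Map record index -> k, the number of records sharing its quasi-identifier tuple."""
    counts = Counter(_qi_key(r, quasi) for r in records)
    return {i: counts[_qi_key(r, quasi)] for i, r in enumerate(records)}


def linkage_risk(records, public, quasi=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match exactly one entry in a public register.

    A pseudonym protects nothing here: the match is made on the fields left in clear.
    Returns {record index: name inferred from the register}.
    """
    by_key = {}
    for p in public:
        by_key.setdefault(_qi_key(p, quasi), []).append(p["name"])
    exposed = {}
    for i, r in enumerate(records):
        matches = by_key.get(_qi_key(r, quasi), [])
        if len(matches) == 1:
            exposed[i] = matches[0]
    return exposed


def generalise(records):
    """Mitigation step 1: coarsen quasi-identifiers (postcode area, 10-year birth band)."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"].rstrip("0123456789")  # "EH1" -> "EH"
        g["birth_year"] = r["birth_year"] // 10 * 10          # 1983 -> 1980
        out.append(g)
    return out


def release_minimum_k(records, k_min=2):
    """Mitigation step 2: generalise, then suppress any record still below the k threshold."""
    coarse = generalise(records)
    ks = k_anonymity(coarse)
    return [r for i, r in enumerate(coarse) if ks[i] >= k_min]


if __name__ == "__main__":
    recs = pseudonymised(RAW_RECORDS)
    print("k per record:", k_anonymity(recs))
    print("re-identified via public register:", linkage_risk(recs, PUBLIC_REGISTER))
    print("records safe to release at k>=2:", len(release_minimum_k(recs, 2)))
```

Eve's record is the one to watch: it has a unique postcode/birth-year combination inside the dataset and exactly one match in the register, so the hashed pseudonym is irrelevant to whether she can be identified. Alice's record matches two register entries and is therefore ambiguous on these fields alone, though adding one more column of “public knowledge” could change that, which is the point of the paragraph above.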

3. Consider your strategy and architecture for the hosting and processing of data

The law is based on where the individual lives, not the jurisdiction your company operates under or where your data resides, which was the assumption under the Data Protection Act.

This is likely to be the trend in global data law. If you have customers globally you need to comply with GDPR, plus US state legislation, etc. So you may have to apply different rules within your data set depending on whose data it is, and apply the segmentation that the relevant law defines (e.g. definitions and controls for children’s data and its processing).

This has the potential to change your cloud hosting strategy, your database architecture and software architecture.

4. Some elements could be a challenge

GDPR follows legislation such as PCI v3 to essentially mandate a responsibility to audit your suppliers to ensure they are compliant.

Plus: the obligations to immediately cease processing on request and to ensure all data is up to date. These will require updates to supplier contracts and responsive systems to handle the processes, and as you know those types of interfaces (whether IT based or not) can take time to set up and test.

Some data sets may relate to more than one person, and there may be some complication in handling elements such as explicit permission or requests to cease in these circumstances.

In relation to point 3 above, the number of different systems you have, how you store the data within them and the degree to which they are linked (or not) may raise some challenges, particularly around keeping data up to date and requirements to cease processing.

5. …and here is why you may need to be compliant before 25th May 2018

Think about how you are going to ‘cut-over’ from existing data protection law to GDPR. This will be particularly relevant for B2C organisations and their communication, marketing and personalisation activities, specifically the process of gaining explicit consent so you can continue, where previously you may have relied on implied consent.

It means that your date for implementing new compliant processes is sooner than 25th May 2018, to allow for those transition activities.

A bit about Stuart

Stuart is experienced in senior IT leadership within regulated environments to director-level with a long track record of building capability and practice to deliver transformational change, both within the business and the IT team. Technically astute, he draws on a wealth of experience and understanding across all areas of IT, engaging with senior business leaders and technical experts, to deliver a quality outcome.

ILM qualified, he uses coaching techniques to enrich and empower your IT team to leave a lasting improvement.

He is particularly familiar with front-end digital and contact-centre systems that facilitate the customer journey and relationship, and end-to-end process-driven systems such as case-management and ERP, to achieve digital fulfilment.

He has also held Data Protection Officer responsibilities, implemented Freedom Of Information, and been accountable for IT system compliance with regulations such as FCA, PCI-DSS (Payment Card Industry Data Security Standard), etc. He has a track record in contract negotiations and engaging with audit activities.