It’s that time of year when lots of smart alec marketing managers in data protection training and consulting companies pull the “Santa pun” lever and crank out a post that usually has the following elements:
- A reference to the compilation of lists by S.Claus
- The execution of behavioural profiling, which may or may not have a significant impact on the data subject, and the question of consent or lawful basis for processing
- The potential for mass surveillance (he knows when you are sleeping etc.)
- The significance of the rotund elf’s base of operations in the North Pole, possibly outside the EU and (potentially) also outside the EEA, and the implications that might raise for cross-border transfer.
This year, we have the implications of Weltimmo (raising issues of identifying establishment and the competence of DPAs), Schrems (cross-border transfers, Safe Harbor, Model Clauses, and the independence of DPAs), and the finalised GDPR text (extra-territoriality, processing of data for under 16s, increased penalties, new rights, new duties, increased focus on risk management versus ‘tickbox’ approaches). All of that adds up to a much more complex environment that, frankly, a cheesy Christmas pun won’t do justice to.
A Time for Renewal
Of course, the Christmas Season isn’t just a time for religious observance, non-denominational swag-gathering/gift giving, or overdosing on mince pies. Since pagan times the Yuletide season has been one of celebrating the passing of one year and welcoming the dawn of another, fresh with opportunity and the promise of great things. So, as we look back over 2015 we must celebrate the massive evolution in the importance of Data Privacy at a fundamental level.
The General Data Protection Regulation, for better or worse, creates a new floor for organisations operating in the EU (or selling into the EU) to start from, with potentially significant fines of up to 4% of global turnover if breached. A parallel Directive sets out new rules for Law Enforcement agencies in the EU around data processing and sharing. The increasingly active EU Data Protection Supervisor has issued a number of significant Opinions on topics as traditionally esoteric as Ethics in Information Management and the role of transparency and Privacy by Design in Big Data. Technology companies such as Apple, Microsoft, and others are becoming more visibly active in their pushback against the encroachment on data privacy and security by governments (we will see if this is a meaningful culture shift or if it is just “privacy-washing” to protect their own data mining practices). And the European Court of Justice has continued to mark out its territory as the judicial arm of the European Union that will make determinations on how well EU laws support and protect the fundamental data privacy rights of EU residents. We have also seen the on-line advertising industry start to wake up to the fact that people use adblockers because they don’t want their bandwidth and user experience marred by overly intrusive and overly persistent advertising.
But, pretty soon that will be last year’s news. Looking forward to 2016 we are presented with opportunities in the world of information management, particularly in the worlds of Data Privacy and Information Governance. It would be tempting to seed next year with FUD about the impacts and penalties that the GDPR will bring. But the real opportunity for organisations of all sizes is the benefits that arise from better Information Management. For example:
- Reduce costs by between 10% and 25% through improved information quality and improved understanding of data lineage and governance.
  - (In 2015 one of our clients was burning almost 12% of payroll costs in cross-checking, correcting, and reworking reports due to poor data governance. This was wasted spend.)
- Improve your ability to respond to Subject Access Requests (and FOI requests) by improving your understanding of where information is in your organisation and how to access it, and save costs by killing processes that are wasteful and create data without adding value.
  - (One of our clients in 2015 found that 80% of the paper in the 40 bankers’ boxes of printouts they had to prepare for a Subject Access Request contained nothing more than details of the staff internal lottery syndicate results. This was in breach of the acceptable email use policy for the organisation.)
  - (Our Subject Access Request Whitepaper shows how organisations are significantly failing in the area of Subject Access Requests.)
- Improve your ability to avoid data privacy breaches and unlock the value of the data you have in your organisation by understanding your information architecture and, at the very least, having an inventory of where things are and what you obtained them for. This is related to the previous point, but goes beyond SAR compliance and includes the ability to maximise revenue from your data without breaching data privacy or other Regulatory obligations.
  - (One delegate on a training course shared an example of how, due to poor information inventory practices, their organisation was unaware of records relating to a large number of their service users. This meant that those service users were excluded from a key update that was issued (brand impact), and it also meant there was a risk that they had not been included in head count returns to a funding agency. Imagine not having data available on customers to ship orders or collect payments!)
When making your New Year’s Resolution, perhaps you should think about the things you will do in your organisation to find the new floor in the GDPR and then use that to derive other benefits in your organisation from the improved understanding of how data in your organisation is managed through its life cycle. Getting ready for the GDPR will, for most organisations, be like hitting the gym to get in shape (the most common New Year’s resolution). You might like to try some strategic resolutions like:
- “In 2016 we will empower those about whom we process personal data to understand and exercise their Data Protection Rights, making incremental changes to our processes to improve compliance and improve trust”
- “In 2016 we will apply ethical principles to how we manage information, and will embed this in our company culture and how we assess the cost/benefit analysis for Information Management”
- “In 2016, we will start doing Privacy Impact Assessments to help us learn about our data, mitigate risks, and improve our ability to meet obligations”.
Of course, the way most people get in shape after their New Year’s Resolution is to join a gym. But the data isn’t good on that, with over 80% of good intentions being cast aside within 5 months. If you are looking to get your Information Governance in shape and get ready for the GDPR marathon, why not get in touch with us about our ClouDPO Virtual Data Protection Officer service. We can help assess your current level of “data fitness”, identify areas for improvement, and put together an action plan and on-going coaching, mentoring, and support to help get you in shape.
Think of us as your Personal Information Coach to get #infofit in 2016.