The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018. The law was passed into effect in 2016 and then moved into a transitional phase to allow businesses and organisations to adapt. I will be discussing some aspects of the GDPR as I navigate helping the businesses and organisations I am involved with change to reflect the new legislation.
In my last piece on Data Management and the GDPR I stated that the next article would look at Encryption and Anonymisation. However, in this article I am going to give a few quick thoughts and an introduction to the issue of Consent. I hope that you will forgive this little side-trek, or meander; it isn't part of a deliberate ruse, and I will be continuing on track with data governance very soon.
A Cautionary Thought
As part of my research and interest in the GDPR I read a lot of blogs, articles and promotional material. So naturally I see a lot of services being offered to help people transition their business or ready themselves for the legislative changes. I am not going to discuss the validity or non-validity of these in this article, but I want you to bear in mind that it is the advice of some of these services that makes me want to give a cautionary note.
The GDPR has some very specific statements about consent, and it has a number of parts that might seem very loosely written. The reasons for this are twofold: the existing legislation had too many holes that offered the opportunity for misuse, and yet some concession for legal or legitimate interests needed to be made. So on the one hand we have explicit statements that are to be followed as closely as possible, and on the other more fungible language allowing organisations, and more importantly governing bodies, the ability to implement regulatory statutes and geographically relevant advice.
This has led to a raft of services that offer a form of protection from non-compliance through a consent service; essentially they promise a percentage of coverage of compliance. A lot of this is specifically aimed at marketing and direct marketing. I personally think that some of it skirts very close to fully following the letter of the law and does so in such a manner that it avoids following the spirit of the law. It might also misinterpret or misrepresent the reality of the situation.
So I think we have to be careful about allowing others to protect us, especially since I believe there will be no legal protection in the service they offer. That doesn't mean that we shouldn't have compliance services, or people offering services to help people be compliant, but that we should be careful of what, or whom, we choose. Especially when they promise that you can carry on with potentially dubious activities without any reprisal because of the manner in which they are circumnavigating the law.
Advice
We have an opportunity here to follow both the letter and the spirit of the law. Both the European Union and the UK’s ICO are giving lots of advice on how to interpret the GDPR in a manner that best follows the legislation. If we stick to their advice we will have full compliance and we will be contributing to a system where we don’t need to keep tightening and re-wording to avoid loopholes and avoidance.
The GDPR is about individuals and their rights over how they are tracked, recorded and processed. There is a higher level here than mere legal observance. It is a moral right that we are ensuring: the rules regarding consent place the owner of the data, the individual themselves, at the centre of importance. The very notion of circumnavigating such rights defines those who seek to do so.
If you do a lot of data processing, or marketing (especially direct marketing), you should familiarise yourself with the Articles on consent and the accompanying Recitals, and especially read carefully Article 4 and Recital 70.
Next time I will return to the regular topic flow and discuss how we can start to use encryption and anonymisation, which will lead on to discussing these in light of good password and access management; this is the area where we move from data management to data governance.
Further reading
Visit either the ICO's Homepage to read the latest articles on the GDPR and the key facts about consent, or head to the European Union's GDPR Homepage where there are many resources to help you. For consent look at the GDPR itself. Start with:
Recitals: 32, 39, 42, 43, 47, 48, 49, 50 & 70
Articles: 4, 6 & 7
[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]