The GDPR (General Data Protection Regulation) is part of the evolving legal landscape as digital transformation changes society's interaction with organisations, and it comes into force in the UK on 25 May 2018. Regardless of Brexit, if a UK organisation wishes to process data about individuals from Europe, the regulation needs to be followed.
The regulation sets the policy around privacy-by-design, complementing the security-by-design that feeds into an organisation's technology strategy.
In summary, the GDPR adds:
- The right to be informed (of the use of data)
- The right of access
- The right to rectification (of errors)
- The right to erasure (to be forgotten)
- The right to restrict processing
- The right to data portability (to move to a different supplier)
- The right to object (to processing)
- Rights in relation to automated decision making and profiling.
Like the original UK Data Protection Act, the GDPR aims to make sure that information is used appropriately, accurately and not excessively by any organisation. The change is not only the provision of new rights but a new enforcement regime with much stiffer penalties, so the trade-off of investment vs. penalty is skewed towards more investment. For some organisations the penalty is an existential threat to the company, and definitely something the board will care about and that shareholders will notice in the annual report.
My experience of non-compliant organisations under the Data Protection Act as a customer reminds me of the need for such protections. A financial institution tried to derive my financial profile from my banking records, not recognising the fact that I have multiple bank accounts for different purposes, and the individual accounts gave a poor perception of my overall financial needs. Similarly, a credit card company assumed I was a bad risk due to an error in my employment status and so raised my interest rate, only to plead with me to stay when I corrected the error, cleared the balance and cancelled the card.
As a former data protection controller I understand the pressure of balancing the needs of the business against the regulatory framework and so I offer some technology strategy solutions to meet these needs.
From a technology strategy perspective there are a number of technologies and design patterns that provide solutions to each provision under the GDPR. Organisations with legacy infrastructure will be challenged to comply with each unless they take remedial action through tactical fixes followed by strategic change.
In this series I will cover the eight rights and offer tactics and strategies to comply with each in the form of technologies and design patterns.
For more please see the UK Information Commissioner’s Office guidance: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/