For many businesses, data has become a significant management issue. Many of the companies I have worked with have undergone some form of data acquisition, cleansing and profiling exercise in order to help grow the business. The detail of data management is for another blog at some time in the future; the issue I wish to discuss now is that of the new data regulations that are coming into force early next year (2018).
Although the new legislation is part of a wider EU directive, it is likely that the UK will continue with this legislation even after it leaves the EU, so it's important that we understand the legislation and proactively plan for the implementation, and specifically how this may affect our business operations.
Central to the new legislation is the right of the individual to protect their data profile. This includes the right to be forgotten and the right of access to, and auditability of, how information has been acquired, for what purpose, and what has been done with the data, such as being appended with third-party data or profiled. In the future, companies will be required to provide documented evidence around all these functions.
Whilst the exact details of how the new legislation will be enforced are not confirmed, it will have a significant impact, especially for regulated business services. The scope of the new legislation runs to many pages and covers many areas, so I have highlighted the extract below as an example of how this will change our marketing operations in the future:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. "
Official Journal of the European Union
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
So data that has been collected in the past with a simple pre-ticked box will no longer be deemed to have been acquired with explicit permission. How many company databases have been built on this basis?
In addition, data that is held on individuals or companies has often been processed in some way in order to provide better insight.
This may be so that an assumption can be made about a potential customer's readiness to buy, risk or some other factor which may be important to the marketing process. However, this may lead to an unfair assumption being made (credit ratings or insurance products spring to mind), and businesses will now be forced to explain why this process has been carried out and to discuss the implications with individuals who wish to question or challenge data profiling that has been applied to their own data. Again, the auditability of this process will be new for most businesses.
The legislation also recommends some best practice around anonymised individual data in order to protect the individual's data rights; this may involve splitting data for storage and security whilst having decryption at the point of usage.
Whilst this short blog is not in any way a comprehensive review of the new data legislation, I felt it should first highlight that this is happening, secondly provide businesses with the opportunity to review and think about how it will affect their own business operations and existing data, and thirdly start a process to proactively manage the change and therefore protect their assets for the future. For more help or advice on asset management, including managing your business data through the new legislation, drop me a line.