GDPR: Things You Need to Know about Citizen Data

Looking at how the public sector can better prepare (with help from Nicky Stewart)

The European Union’s GDPR (General Data Protection Regulation) applies from May 25th 2018 and will transform the way brands and organisations across the world handle personal data.

What is GDPR?

GDPR is an EU regulation that applies directly in all 28 member states, with no national transposition needed. The legislation strengthens data protection rights for individuals throughout the EU and harmonises the existing, country-by-country regulatory controls.

Only a limited set of activities falls outside GDPR, mainly those outside the scope of EU law (such as national security), purely personal or household use of data, and law enforcement processing, which is covered by a separate directive. Every other organisation handling the personal data of people in the EU will need to fall in line.

The legislation is broad, but we can segment the new rights of EU citizens under GDPR into 8 distinct parts:

  1. The right to be informed: Individuals will have the right to be informed whenever their data is being collected or used in any way, shape or form.

  2. The right of access: Individuals will have the right to review the data held about them and obtain a copy of it, no matter where it is being held.

  3. The right to rectification: individuals have the right to amend inaccurate or incomplete data.

  4. The right to erasure: Also known as “the right to be forgotten”, individuals have the right to have their data totally and irrevocably deleted where there is no compelling reason for its continued processing.

  5. The right to restrict processing: Individuals already have the right to ‘block’ or suppress the processing of their personal data, while allowing the organisation to store it. GDPR will reinforce that right.

  6. The right to data portability: This element of GDPR will give individuals the right to obtain and reuse the personal data they have provided to an organisation for their own purposes across different services. So, they must be able to receive it in a structured, commonly used and machine-readable format and to move, copy or transfer it easily from one IT environment to another in a safe and secure way, without hindrance to usability.

  7. The right to object: Individuals will have the right to object to: data processing based on legitimate interests or the performance of a task in the public interest; direct marketing (including profiling — and yes, marketeers, that impacts content personalisation); and processing for purposes of scientific or historical research.

  8. Rights related to automated decision making and profiling: With AI (Artificial Intelligence) rising, the GDPR will seek to safeguard individuals against the risk that a potentially damaging decision is taken without human intervention.  


What About Countries Outside The EU?

Wherever you may be in the world, if your organisation offers goods or services to people in the EU, or monitors their behaviour, and so stores, processes or shares their personal data (say, if you’re a US-based retailer with EU-based customers), GDPR applies to you, whether or not the UK Data Protection Act ever did. Note that the trigger is the individual being in the EU, not EU citizenship.

The US used to rely on the “Safe Harbor” framework, under which American companies self-certified that they would protect EU personal data transferred to and stored in the US. The Court of Justice of the EU invalidated Safe Harbor in October 2015 (the Schrems judgment), and the EU-US Privacy Shield replaced it as a transfer mechanism in July 2016. GDPR is not itself a US-EU agreement: it sets the rules every organisation must meet, and transfers of personal data out of the EU still need a lawful basis under it, such as an adequacy decision, Privacy Shield certification or standard contractual clauses.

And if you’re counting on Brexit to save you from GDPR, you’re in for a surprise. Nicky Stewart, Commercial Director at UKCloud — an experienced IT practitioner and Cabinet Office veteran who we will come to learn more from later — says that following Brexit, “it is highly likely that a closely-aligned UK equivalent of GDPR will be implemented to provide for legal certainty for citizens and protect trade between UK and EU businesses.”

What Happens If My Organisation Falls Short?

According to the EU GDPR website, “the GDPR imposes stiff fines on data controllers and processors for non-compliance.”

Because GDPR is so broad, there are plenty of ways an organisation can infringe it. The size of each fine will depend on multiple factors like intention or negligence, the nature of the mishandled data and so forth. The bottom line is that “lower level” infringements can carry fines as high as €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. “Higher level” infringements can carry fines as high as €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Yikes.

Preparing for GDPR

With GDPR coming into effect in just a matter of months, the ICO’s 12-step GDPR preparation plan is a good way to kickstart your preparations if you haven’t already.

But to handle the cultural shift in data handling that GDPR compliance requires, you’ll need more than a step-by-step guide. That’s why Liferay spoke to UKCloud’s Nicky Stewart to dig deeper into GDPR and how it will impact the UK public sector in particular.

Purely Technical Preparations “A Mistake”

What initial steps should a public sector organisation take to prepare for GDPR? Should their preparation be purely technical, or are there other elements to think about?

Stewart: It would be a mistake to tackle GDPR preparations as purely a technical exercise. People and processes are equally important.  

There are a whole range of considerations to take into account, from understanding what personal data an organisation is holding, and why, conducting data privacy impact assessments, ensuring staff are aware and trained, putting new processes and procedures in place, through to ensuring contractual compliance, including through the organisation’s supply chains. Most organisations that process large quantities of personal data will also need to appoint a Data Protection Officer.

All Systems “Must Have Adequate Security Measures”

What features should public sector organisations look for in a CMS, CRM or any other data processing software to help them get ready for GDPR?

Stewart: Any system that processes personal data must have adequate security measures to meet GDPR requirements, and these measures will need to be reflected in the contract with the software provider. In addition, the provider should be transparent about where customer data is being stored and backed-up and, if held outside of the European Economic Area (EEA), the determination of legal adequacy.

For example, a CRM should enable simple but clear records of consent and enable records to be kept of any subsequent changes to, or deletion of, customer data. It’s also a good idea to ensure the CRM limits the data being held to the minimum required to meet the purpose of the data processing. The CRM user will also want to satisfy itself that the CRM vendor is committed to helping the user meet its obligations under the GDPR.

The contract with the CRM provider should clearly state the respective responsibilities of both parties relative to GDPR, and should not allow the CRM to dodge its liabilities in the event that it causes a breach of the regulation. No CRM can mitigate against poor quality data, however – the onus will always be on the CRM user to ensure the data is fit for purpose.
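The two system properties Stewart describes above, keeping a record of consent and of every later change or deletion, while holding no more personal data than the purpose needs, can be illustrated with a small ledger. The following is an added example written for this page, not code from Liferay, UKCloud or any CRM product; the record shapes, field names and the `subj-42` sample subject are assumptions. It chains records with a hash so that an altered or silently removed entry is detectable, and it records changes and erasures as digests or tombstones only, so the audit trail itself does not quietly retain data the individual asked to have erased.

```python
"""Minimal hash-chained consent and change ledger (added illustration).

Not a product's code. Record shapes and field names are assumptions.
Two properties are demonstrated:
  * every consent grant, data change and erasure leaves a record, and the
    records are chained so tampering with or dropping an entry is detected;
  * change and erasure records hold digests / field names only, never the
    personal data itself, so the audit trail does not defeat erasure.
"""
import hashlib
import json
from datetime import datetime, timezone


def _digest(payload: dict) -> str:
    # Canonical JSON so identical content always produces the same hash.
    return hashlib.sha256(
        json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained record of consent and data-change events."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def _append(self, event: str, subject_id: str, detail: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "at": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "subject": subject_id,
            "detail": detail,
            "prev": prev_hash,
        }
        body["hash"] = _digest(body)   # hash covers every field except itself
        self.entries.append(body)
        return body

    def record_consent(self, subject_id, purpose, granted: bool, source):
        # What was agreed, for which purpose, and how it was captured.
        return self._append("consent", subject_id,
                            {"purpose": purpose, "granted": granted, "source": source})

    def record_change(self, subject_id, field, old, new):
        # Only digests of the old and new values are kept, not the values.
        return self._append("change", subject_id,
                            {"field": field,
                             "old_digest": _digest({"v": old}),
                             "new_digest": _digest({"v": new})})

    def record_erasure(self, subject_id, fields):
        # Tombstone: which fields were erased, never the erased content.
        return self._append("erasure", subject_id, {"fields": sorted(fields)})

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            unsigned = {k: v for k, v in e.items() if k != "hash"}
            if _digest(unsigned) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, subject_id):
        """Everything recorded about one subject, e.g. for an access request."""
        return [e for e in self.entries if e["subject"] == subject_id]

    def serialized(self) -> str:
        return json.dumps(self.entries, sort_keys=True)


def demo():
    """Constructed sample run: returns (intact_before, intact_after_tamper, n_records)."""
    ledger = ConsentLedger()
    ledger.record_consent("subj-42", "newsletter", True, "web-form")
    ledger.record_change("subj-42", "email", "a@example.org", "b@example.org")
    ledger.record_erasure("subj-42", ["email", "postal_address"])
    intact = ledger.verify()
    ledger.entries[1]["detail"]["field"] = "phone"   # simulate tampering
    return intact, ledger.verify(), len(ledger.history("subj-42"))


if __name__ == "__main__":
    print(demo())
```

The point of the tombstone and digest records is the caveat a practitioner will hit first: an audit log that copies old values into every change record becomes a second store of personal data that an erasure request then has to reach as well.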

“AI Chatbots May Be Part Of The Solution…”

Public sector organisations must be prepared to respond when citizens question what data is being collected and how it is being used. Does this make it a good time for public sector organisations to begin investing in AI chatbots that can do that heavy, but relatively straightforward, lifting? What else should they be doing to deal with those requests?

Stewart: Citizens’ rights under GDPR extend well beyond understanding what personal data is being collected and why. They can ask for the data to be amended, deleted (the “right to be forgotten”), handed back to them, or even – if technically feasible – passed on to a third party provider.

AI chatbots may be part of the solution provided that adequate safeguards are in place: the chatbots must be secure and, as they will be creating records that will be subject to GDPR, GDPR compliant in themselves. In some scenarios chatbots could be performing a form of “automated decision making” in relation to the citizen, in which case the citizen may have additional rights under GDPR.

The public sector is already experimenting with, or using, this technology and its use will inevitably grow. Arguably, given the fiscal pressures the public sector is under, it will have no option other than to proceed down this road. The alternative would be to funnel these types of requests through an online portal, but this would still need a form of manual intervention.

GDPR: We’re All In This Together

While the implications of GDPR may seem a little scary, just remember that the public sector is not alone in facing it. Any organisation with EU customers or clientele will have to make the very same preparations. The good news is, before you know it, the culture around data handling will shift, and GDPR compliance will become second nature. But until then, we all have until May 25th 2018 to prepare and continue to share knowledge and experiences on Knowledge Hub.

If you can spare a few hours on the 8th November 2017, you can find out more about GDPR with Nicky Stewart, cyber security expert Oz Alashe MBE, Bristol City Council and other local and central government organisations who share your challenges at Liferay Digital Solutions Forum in London. Those employed in the public sector can claim complimentary tickets by contacting me or Sylvia Assumpção, and suppliers can register online with a 50% GDPR discount.

Image credit: Pexels
