Does your data protection impact assessment take account of real people?

The GDPR has suddenly, and not before time, drawn attention to the changes individuals are experiencing in personal privacy.  We can no longer rely on old assumptions.  Even the information we choose not to share may be guessed or estimated from the amount of information now in circulation between the public record, our financial transactions and our interactions with our own or our friends’ social media.
Data about us is retained or collected passively, actively solicited or bartered, or derived by combining datasets.
As an example, Yo! Sushi is offering a 25% student discount these days.  But you can’t access it by showing an NUS student card.  You must share email addresses and college information and a lot else.  Access depends on a unique personal code and an app.  There is no indication before you enter this process that it is anything other than a discount scheme.  Compare that to last century, when student discounts were offered to encourage the potentially well-off to sample products, in the hope of benefiting from increased customer brand loyalty later.  An obvious and balanced exchange.  Indeed, the individuals were unknown to the suppliers as individuals.
How an individual responds to these changes depends a lot on their expectations.  To mention two current examples: in Germany privacy is defended by longstanding laws; data cannot be automatically shared between the medical profession and the police, for example.  Compare that to China, where within a family there is no expectation of privacy, and the state has increasingly used big data to record the activities of citizens and even to award benefits and access depending on behavior.  Both of these are considered normal and acceptable to most citizens in those countries but would be incomprehensible if they were reversed.
The challenge for those of us who implement the GDPR in business systems and procedures is to understand the principles of privacy well enough to deliver a fair balance between the individual expectation of privacy and the commercial needs.  We also need to take the spectrum of attitudes to privacy into account, and not assume all people are the same (or the same as us).
There are many suggestions for ways to use personal data.  Many of them have commercial merit.  But that is not enough to justify implementing them.  GDPR gives us the Data Protection Impact Assessment (DPIA).  This must be used intelligently to assess proposals.  If you decide to implement a proposal, then the right information must be shared with the individual subjects.  It also allows a company to document why a proposal is rejected.  Don’t see this as a setback, but as an opportunity for a review, a redesign and a better, safer, more effective approach.  Less risk of expensive issues down the line.  Bring a realistic view of the privacy expectations of your subjects into this process.  And remember they have a range of attitudes; don’t just pick the young extroverts as examples.  Finally, if you implement it as a tick box exercise, with no real analysis or option to reject proposals, it is as good as useless.
In the near future, I don’t expect that sign outside Yo! Sushi is going to be changed to read:
“Students, we will give you a 25% discount if you give us your email and phone number, your course, and university so we can calculate your earnings potential, and allow us to profile you by trading this information for other data about you, so we can send tailored advertising to you that we think will increase your spend with us”.
But they, and all companies, are dealing with a range of customers, some of whom do expect that level of honesty in your dealings with them, and ignoring that could be very expensive if the ICO agree with them.
So take the opportunity given by a DPIA process to bring the data subject’s perspective into the decision-making process.  If it helps, make a list of characters who might vary in their view, rather than using an average/typical subject.  Understand the difference between reluctant and enthusiastic agreement to terms and conditions.  Then you can implement the best ideas and get the best value from them at minimum risk.
Authored by: Patricia Evans