13 November 2018

GDPR 6 Months On – Lessons Learnt?

Senior Consultant at Naomi Korn Associates, Carol Tullo, gives her views

I should paraphrase this as what I have learnt, working in and advising organisations in the UK and internationally about data privacy and protection.  I offer a few thoughts – one for every month so far, on some of the basics that have struck me.

1. Understanding remains poor about what is personally identifiable data. The number of times I have been told “But we only collect names and addresses” or “Contact details don’t include personal information” or “ We only store business email not personal contacts”!  At a time where leaked or hacked data is headline news, the realisation that this is relevant information about ordinary people like you and me has taken time to catch up in the public consciousness.
2. The number of people who use joint email addresses or collective addresses, e.g JohnandSarah@xyz.com or FamilyRobinson@xyz.com  This is a potential risk area for consent or validating parental responsibility where relevant. Consent from one is not consent from all and could open up challenge especially for example if relationships change. I have also come across fictional avatars and gaming  identities where although not real names, the information was personally identifiable and protected!
3. Good practice shines through. I was recently at a public event and the photographer explained, very professionally, that she had taken a shot and I was in it.  She asked me, if it was used would I give my permission and she ensured she had a signature.   Many do not realise that taking a photograph is capturing personal data.
4. People cannot see behind the acronym, GDPR. Referring to data housekeeping or safeguarding your personal information does resonate, especially when talking to parents and families concerned with over sharing of information through social media.  It is important to know where the law comes from but explaining its impact in plain English is so much more compelling rather than quoting numbered Articles.
5. The core privacy statement takes organisations a long way towards compliance. I am probably in a small minority of people who always read a Privacy Notice or Policy when accessing a new site! It tells a user so much about how an organisation values its users and the data.  For me, it is a core part of 21^stcentury governance and transparency in a data enabled world.
6. Keeping a record of how information is handled is a basic part of day to day business – for organisations, the self-employed, small charities, clubs and many more. It does not have to be onerous or a chore but a key element in managing other’s information with respect and showing that it matters to you.  Reputations for good service are built on this.

Above all, it is about recognising that if you are entrusted with personal data then it must be treated in the same way as if someone entrust you with their wallet or keys or other items of value.  The one thing we can all sign up to [ freely and unambiguously!] is that this year not only changed the way we thought about our personal data, but for many it kick started the realisation of its importance as an asset over which we can exert control.  Roll on the next 6 months which encompasses another countdown to Brexit – I feel another blog coming on!

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Attribution Sharealike licence.