As the year of GDPR compliance has arrived, organisations are frantically trying to implement these changes that can seem burdensome.
General Data Protection Regulation, or GDPR, is undergoing a change which is being implemented in May 2018. While thousands of GDPR experts have emerged from the woodwork, the basic tenets of GDPR set out to change the way that businesses and organisations can hold data about their customers and supporters. All 99 articles of the GDPR text outline the requirements for compliance, which range from making it easier to ask organisations that hold data on you for that information, to greater explanation of how organisations have gathered personal data and why they continue to hold it.
With the onset of GDPR changes, we can see the roots of a movement. This is a movement of citizens reclaiming their digital agency. It’s a movement which can spark a new way of interaction between organisations and supporters or consumers. It’s a move towards transparency, accountability, and responsibility.
I caught up with Jim Killock, CEO of Open Rights Group, about all things GDPR. (It’s a really fun interview, promise!)
SCA: Can you give an overview of what Open Rights Group do and why your work is so important especially now?
JK: Here at Open Rights Group we work both on free expression and on privacy on the internet. We’re building a movement of people who are willing to defend fundamental rights on the internet and in digital technology.
We’re going through some huge changes as a society as things are moving online, and this is having some profound repercussions. What we’re seeing is that the response to these repercussions isn’t always well balanced.
Politicians, for example, feel responsible to deal with anything that happens online that is bad, or appears to involve criminality, extremism or copyright infringement. Their simple answer has been to put a stop to the problem by getting the company to remove the material.
However, this can lead to the problem of over-censorship and limitations of people’s genuine freedoms. We think there needs to be balance, legal responsibility and accountability for any kind of censorship.
SCA: Can you tell us a bit about GDPR and its implications?
JK: Essentially, GDPR attempts to curate a fair relationship between individuals and organisations who hold information about you. It leaves no one behind. From charities to Facebook to the insurance industry to banking and the government. Each organisation is keeping information about you and can be making judgements about you that can be life changing. GDPR changes the way that this works. Now, businesses and organisations have to be transparent. GDPR gives you the right to understand the data behind processes that decide things like your insurance policy or banking. It gives you the right to get your data.
It would be a mistake to view GDPR as a hindrance. This is a way to empower us as consumers, it’s a way to make markets work for us. And, more than that, it’s about your right to information.
I see GDPR as forcing ethics back into data gathering. And that goes for both business and charities. For example, one thing that may have to change is opt-in measures after signing petitions. Rather than an automatic opt-in, organisations will have to ask to opt in people to their database. This just raises the bar of consent, which isn’t such a bad thing.
SCA: It feels like many people/orgs don’t fully understand GDPR. What do you think is the most difficult thing for organisations/people to get their heads around and how would you suggest getting around it?
JK: I’m not a lawyer with all the details about every aspect of GDPR but here are some of the questions people have raised with me:
- Ensuring that your suppliers are GDPR compliant. It’s not just about your organisation, but ensuring the whole chain of organisations are applying the rules. This may be harder in larger organisations, but it has to be done to make sure data is shared in a trustworthy way.
- Understanding what exactly constitutes an opt-in. And, related to that, if you have consent that isn’t valid after May, how do you renew consent? If organisations leave things until the last minute, then their current customers will be people they can no longer talk to.
I also think that if people and organisations don’t know about things like GDPR, then this is a problem of governance and management. How we conduct our businesses – be they charities or for-profit businesses – is almost entirely reliant on the technology choices we make. Data rights are fundamental to everything that we do. But many organisations are still thinking in rather traditional terms.
Changes to GDPR regulation feel like they’ve hit the UK particularly hard, but that’s because previous data protection law was simply not compliant with the European data protection directive. We’ve had a muddled interpretation and a lack of enforcement of it for years, so these new laws seem like a shock. In other areas in Europe, however, the changes won’t feel so significant.
SCA: Thank you for calming down the frenzy around GDPR, I think we all needed that. I’ll leave you with one final question: how would you envisage a world where everyone was in compliance with GDPR and used it to their advantage?
JK: I have two competing images for this. One is a world that’s very bureaucratic, where everyone treats GDPR as a tick-box exercise, and sees it all as one huge inconvenience.
The other is that organisations treat GDPR as a way to regain and develop trust. If people develop an understanding of the role of data in decision making, then we have a world that we can understand much better, where we can hold companies to account for their decisions, where people can get better prices for their products, and where people can see where prejudice enters into company systems.
For charities especially, up until now all of the conversation has been about how to comply with the regulations. In a year’s time, the conversation we need to be having is: how do we use GDPR as a campaigning tool? How do we expose companies by insisting they show how their algorithms work? How do we demand companies are transparent about their data practices so that we can see how they profile people? Data is ruling many decisions, soon – if not already – it’ll be used to exclude people who are already marginalised. Having data that we can easily access will allow us to hold those companies and algorithms to account.
It’s been eye-opening to speak to Jim about GDPR. While there has been a haze of anxiety around compliance, Jim has provided the vision for a more hopeful future. There is the potential for a whole movement to develop from these regulations. This is a movement of holding organisations to greater account, of deeper understanding about how data in the online world interacts with decisions made in the online world, and in bridging the gap between those in the know about data – and therefore those with power – and those who aren’t. We’re witnessing the birth of a movement that recognises in law human rights on the web.
To learn more about Open Rights Group you can visit their website here.
If you’re interested in learning more about GDPR and its implications for your organisation, Jim is running an event on consent and GDPR obligations. You can book your spot here.