Most of the conversation surrounding the EU’s General Data Protection Regulation (GDPR) – an expansive new set of data protections which come into force in May 2018 – has focused narrowly on how to make sure businesses are in compliance with the letter of the law – and thus how to avoid incurring its infamously sizable penalties. And these many self-assessments, lists of guidelines and resources, and technical how-tos are undoubtedly useful – indeed, Olive + Goose would be happy to help you work through exactly these sorts of assessments and implementation plans. And yet, following the letter of the law is only half the story – if even half. As Gartner analyst Frank Buytendijk pointed out while discussing the law with Computer Weekly,
Technology shows what you can do, laws and regulations tell you what you’re allowed to do, but ethics tell you what you should do. If you limit yourself to complying with laws and regulations, you get stuck at the level of a toddler that only obeys because it is forced to do so, not because it wants to. [emphasis mine]
Is your company a toddler? No? I didn’t think so.
So let’s talk a little bit about ethics. Or better yet – let’s talk about the basic ethical principles underlying the GDPR, and how your business can get in the habit of operating in harmony with those principles: following the spirit of the law, not just the letter. Because, trust me: the GDPR will not be the last restriction of its kind – just as it isn’t the first. It’s merely the most broadly applied, with the stiffest penalties…for now. Taking the time to think through what your company should be doing with regard to customers’ and employees’ personal information, then, is not just good ethical practice: it’s a way of future-proofing against another mad scramble to get your systems into compliance. Put differently: if you’re already operating ethically, you’ll have less to fix when the next new law puts more of those ethics into force.
Now, parsing out all of the ethical foundations of this particular law would take a bit more time than I suspect most readers here would want to give. So I’ll just highlight a few elements that I found particularly important and thought-provoking in my reading of the regulation:
Principle 1: People come before non-people
The rights and interests of “natural persons” – i.e. you and me – trump the interests of “legal persons” – corporations and other similar undertakings – pretty much every time. When considering a new data management product or strategy, the first question must always be: how will this affect the interests of the actual human beings whose data is being managed?
Principle 2: Consent must be clearly and effectively informed, and freely given
You know those impenetrable privacy policies that pop up and annoy you every time you try to start using a new app on your phone or a new service on the web? They’re not just annoying – they’re unethical (and under the GDPR, illegal). A true consideration of the rights of individuals to their data requires informed consent. And if those individuals can’t parse the agreements you offer them, they cannot be effectively informed. The GDPR recognizes this: it requires that such messages be concise and easy to understand, use clear and plain language, and include visualizations where appropriate – and if kids need to understand it, the language needs to be at their level. There’s a great deal more that could be said here – the concept of informed consent is a weighty one, with years of scholarship behind it – but for now, just take a moment to consider: how accessible and understandable are your privacy policies? Would you say that your average user (or employee, or customer) actually understands exactly how you plan to handle their data? If not, it’s time to think about simplifying, clarifying, and perhaps even illustrating the policy documents you’re sharing.
Principle 3: People should be able to find out how data about them is being used and should have some control over whether and how it continues to be used
Informed consent is only the beginning (literally). The GDPR requires that entities that process or control personal data provide some usable and freely accessible mechanism by which individuals can find out what information about them is being used, and how. It also grants individuals the right to correct inaccuracies in data about them and to withdraw their consent to its use at any point. The ability to support this level of transparency is, shall we say, not the status quo in many organizations right now. Could your organization provide it? And if not, what steps would you need to take to make transparency part of your public presence?
Principle 4: Data collection should be limited in scope, and data storage limited in duration (with some exceptions)
There’s a definite tendency, in this age of Big Data, to try to amass as much data as possible, then keep it around indefinitely, just in case some future need arises where it might become useful. But go back to Principle 1 – what does this type of practice imply for the actual people this data is about? If your organization does not have a specific need to know some piece of personal information, it’s ethically better not to collect it. And further, if the need for some piece of information already collected has passed, that data should be deleted. Under the GDPR, these principles have legal force. Where there is no immediate and compelling business interest in using a piece of data, the individual’s interest in their own personal privacy will win the ethical contest every time.
Principle 5: Being allowed to process individuals’ personal data is a public trust that entails a substantial responsibility to keep that data secure
We’ve all seen the breaches; it seems like a new one hits the news every few months. In every case, the financial and personal harms to users have come paired with an enormous sense of ethical failure: these companies betrayed the public trust by insufficiently safeguarding the personal information of their users, employees, and customers. And that betrayal, it should be noted, has in some cases caused irreparable harm to the companies’ reputations – and their bottom lines. If your company is in the business of managing or processing personal information, do you have complete confidence that your security infrastructure can keep that information safe? If not, what would it take to build that confidence?
The GDPR comes into force on May 25, 2018. After that date, all organizations that hold or process personal data about EU citizens – regardless of the location of the organization – will be required to comply with all of its strictures, or face heavy penalties (4% of annual global turnover or €20 million, whichever is greater). If your company does business with EU citizens, and you’re not yet sure you’re fully GDPR-compliant, please do reach out to Olive + Goose: we can help.
And yet, don’t let GDPR compliance be the end of your journey into data ethics. Even organizations that don’t currently do any business in the EU, or that feel they’ve covered their GDPR-compliance bases – even these organizations would be well-advised to regularly re-assess the ethics and security of their practices with regard to the handling of personal data (and here too: Olive + Goose can help). The GDPR won’t be the last data regulation we see: let Olive + Goose help you prepare for the next one.