In many ways, data, the trail of information that we add to every time we use the internet, is the new oil of the modern economy. Although we can’t always see it, it powers everything that is done online, from sharing pictures with friends to paying bills and looking up what’s on during a bank holiday weekend. The recent scandal involving Facebook data has led to an investigation of two things. Firstly, how much data is gathered about us when we use the internet, and in particular on sites like Facebook. I think many people have been surprised, for example, that Facebook gathers data about non-Facebook users, as well as what its own customers do both on and off its website. The second issue focuses on who has the right to hold our data, and what powers we have to get it back. We know, for example, that the political consultancy Cambridge Analytica was able to get hold of data from the accounts of over one million Facebook users in this country, without those account holders ever giving their direct consent to it.
Last Friday, the new general data protection regulations (GDPR) came into force, which give people much more power to see what data is being held about us, and by which organisations. They also make it easier for us to ask for the data back, or for it to be destroyed. These new regulations also put in place requirements on data holders to make sure that they have the consent of their customers or contacts to use it. This is good for consumers, but many businesses, charities and public bodies have been concerned about making sure that they are doing all that is necessary to comply with the new regulations. I recently spoke at a breakfast for local businesses which was organised by Barclays Bank at the Battle of Britain memorial centre at Capel-le-Ferne, and this was an issue that many people raised with me.
Whilst there are organisations that offer advice to organisations on what the new GDPR rules mean for them, it is always worth checking with the Information Commissioner’s Office, which is the regulator for our data protection rules. Their website, ico.org.uk, has guidance on GDPR both for data managers and consumers. This is also where you can make a complaint if you believe that your data protection rights have been breached. The general principles which underlie the new regulations are clear though. Firstly, you must identify valid grounds for collecting and using personal data. Secondly, you must ensure that you do not do anything with the data in breach of any other laws. You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. Finally, you must be clear, open and honest with people from the start about how you will use their personal data. For many organisations, who are, say, keeping email addresses given to them by people who want to be informed about their services, the new rules will not create much need to do things differently. If you have clear consent to hold and use the data you have collected, then you are on the right side of the rules.