Personal data is the new plutonium



Personal data is rapidly becoming the new plutonium. Amazingly powerful, but dangerous when it leaks, difficult to clean up and there are serious consequences when it goes wrong. Everyone involved in public engagement needs to know how to manage it securely and safely. At Commonplace the data we collect is central to everything we do, so we invest a lot of time making sure we are the best we can be at collecting and managing it.

Data privacy is probably not the first thing on your mind when you start planning a new community engagement project. But that’s all going to change from the 25th May 2018 when the new General Data Protection Regulation (GDPR) comes into force. In fact, you need to start thinking and planning for it right now.

The GDPR is a major update of the 1998 Data Protection Act to reflect how data is being used and abused today. A lot has changed since 1998. In many ways the GDPR is a legal response to counteract the way the tech world has been (sometimes unintentionally) riding roughshod over people’s privacy for far too long.

It affects all personal data, both digital and on paper. It imposes tougher data security and data management standards on the storage and processing of the data; and respondents have full control over their submissions. They can ask to see what data you have on them, demand that their data be removed and can choose to opt out of receiving communication from you at any time.

The change is designed to give people - in our case residents responding to public engagement - control of how their personal data is used by organisations. Companies should not see themselves as owning the personal data they collect. In fact, they now need to seek people’s permission to do anything with it. That’s quite a shift in thinking.

The GDPR gives the Information Commissioner’s Office (ICO) the power to impose multi-million pound fines on companies which flout or ignore these regulations.

Let's look at how this new law applies to community engagement

Consent is at the foundation of the new regulation and individuals must provide consent for all personal data that is collected as part of any engagement project. You have to be able to prove to the regulator (the ICO) that you have obtained consent for all the personal data you collect and process.

The rules around consent have been significantly strengthened. You will have to be very clear on what data is being collected, what it’s going to be used for and who will see that data. People have to actively give their consent; you can no longer have pre-ticked boxes or hide the consent somewhere deep in the small print of the Terms and Conditions.

The collection and storage of all data must be kept to a minimum and only data relevant for the intended purpose should be requested. You do not have permission to use personal data for anything else, share it with anyone else or keep it afterwards, no matter how useful it may seem.

Anyone has the right to change their mind

People have the right to change their mind and withdraw their consent at any time.

Anyone who runs community engagement projects now needs to have clear policies and procedures to protect all the personal data they collect.

A “privacy by design" approach is now mandatory. 

You will need to keep accurate data records and know exactly where all the data you are responsible for is stored at any moment in time so that it can be removed where necessary. This includes paper forms. You also need to have good security procedures in place to protect against potential tampering by hackers or loss due to staff mistakes. Failure to implement such procedures could have extremely serious consequences for your business.  Few companies could afford the level of fines which could be levied in cases of non-compliance under the new law.

Some of the questions you need to start asking yourself include:  

  • Do you analyse data using spreadsheets?
  • Do you know the exact number of copies of these spreadsheets in existence at any given time?
  • Are the spreadsheets encrypted and password protected?
  • Would someone be able to access this data were you to lose a company laptop?
  • Do you email copies of the data to your customers/project stakeholders without encrypting the data?
  • Do you use simple passwords hackers could crack in a few seconds?
  • Do you keep the data after you have finished the project when you no longer need it?
  • Where is your data stored?
  • Do people keep it stored on their laptops after the project has finished?
  • Do you use multiple computer systems? Are these systems totally secure?
  • Would you be able to remove a user’s personal data from all of these if asked to do so?
  • Do all your email communication channels enable people to opt out? 

If you can’t yet answer some of these questions, there is going to be an increasingly urgent need to make plans to address them as we approach May 2018.

Andy Pols

Andy Pols

CTO - Technology and Analytics