New EU regulations are not always a source of design inspiration but bear with me while I explain how the General Data Protection Regulations (GDPR) are much more than the introduction of more red tape and bureaucracy for the public sector and businesses in the UK.
What is the GDPR?
The GDPR is a new regulation for the way data is collected, managed and stored in organisations. It was adopted in April 2016 and will be directly applicable to all EU member states. It takes full effect in May 2018.
Similar to the Data Protection Act (DPA), the GDPR applies to data controllers and data processors. Controllers are the organisations that decide the purpose and manner in which data is collected — for example, a local council. Processors act on the controller’s behalf — for example, software providers — and will have additional obligations under the GDPR.
Just like the DPA, the GDPR applies to personal data. However, the GDPR has broadened the definition of what constitutes personal data, making it more appropriate for the internet age. On a basic level, this means that cookies (that track browsing habits) and IP addresses (used to identify a computer or phone) will now be seen as personal data. An individual’s rights over their data will also extend, with measures like the right to be forgotten. Although there will be exemptions, this is likely to be difficult to implement — as many organisations’ data isn’t stored in a way that allows for quick identification and deletion.
What about Brexit? The UK Government has confirmed that the decision to leave the EU will not affect the start of the GDPR (although what happens when we’ve actually left is anyone’s guess).
The GDPR will undoubtedly act as a catalyst for the public sector to tighten up its approach to data management, if for no other reason than to avoid the huge fines now within the reach of the Information Commissioner’s Office. Although, despite the recent claims from sections of the media, the chances of actually being handed a large fine in the early days are negligible. Elizabeth Denham, Information Commissioner, recently dispelled several myths on this subject.
We think it’s shortsighted to consider the avoidance of a fine as the only way to save money via GDPR when the reality is that there’s a bigger opportunity for the public sector if it uses this time to think about data protection legislation more broadly.
The opportunity for the public sector
GDPR is ultimately about the trust you build with your service users and how you use their data. This is a constantly changing relationship as people interact more and more with digital services. Seemingly small things in the new GDPR legislation, like banning pre-ticked consent boxes, actually signal a big shift in attitude and approach.
We now need to look at working with data from the perspectives of fairness, transparency, agency, accuracy, security and an individual’s rights. A well-governed organisation should already be doing these things but it’s often managed through a compliance regime that catches issues when they arise. How might we change this approach and embed data protection into our design thinking?
This is not a new concept. A report that was published in 1995 called “Privacy-enhancing technologies: the path to anonymity” and was the result of a joint project between the Dutch Data Protection Authority and the Ontario Information Commissioner. Although very technology focussed, it explored approaching privacy protection, by designing systems with no (or much less) personal data, that could still deliver the required features.
Privacy by design
When designing the services for local government, the challenge is to think about privacy as early as possible. Where technology is involved, this means having a clear plan for minimising the need for user data before a line of code has been written. This moves how we respond to data protection legislation from a question of compliance and post-doc impact assessment to a design constraint that will help us deliver the best possible services for citizens.
Privacy by design is an opportunity to design digital services that are more secure, require less personal data, give our users more control over their own information and cost less to provide.
For example, in local government, there’s often a lack of trust between agencies when it comes to data sharing. This is particularly prevalent when it comes to highly sensitive information such as health and social care records. Clearly, data of this nature needs to be handled securely, but a reluctance to share can result in over-administration. This, in turn, leads to valuable front-line workers spending more time at their desks than they do with citizens. By designing technology that’s built around a smarter approach to data management, you could simultaneously reduce administration while improving outcomes.
The forthcoming GDPR is an opportunity to ignite a long-overdue debate on how to balance the nuances of privacy with a national desire to improve public services. The last time we broached the subject in the UK was during the failed introduction of ID cards. But surely things have moved on since then? Haven’t they?
If you’d like to discuss how to design services that consider data and privacy from day one, speak to me at [email protected].