360 days from now the General Data Protection Regulation (GDPR) comes into force. Anyone handling personal data from an EU citizen or subject (and the Information Commissioner has been clear we should assume that includes Brits regardless of what happens around EU exit) will be held to new standards in how they obtain, store, process and dispose of that data.

I was asked to speak about compliance at Salford Centre for Professional Development’s event on GDPR, and used it as an opportunity to try to encourage everyone to think beyond compliance.

Slides are on speakerdeck, but as usual they probably don’t make much sense out of context. So here’s a quick write-up to capture the gist.

If compliance is our goal we’ll always be playing catch-up

While organisations have been starting to wrap their heads around GDPR, the Conservative party have included a clause in their manifesto saying that if elected:

“we will bring forward a new data protection law, fit for our new data age, to ensure the very best standards for the safe, flexible and dynamic use of data and enshrining our global leadership in the ethical and proportionate regulation of data”

The GDPR has been seen as a once-in-a-generation change in how data protection works, but it’s unlikely that will remain true. The ways in which we generate data, the ways in which it can be exploited, and the debate around what’s acceptable are moving quickly, and that is finally part of the political debate.

When it comes to managing data, it’s all too common for compliance to become the end in itself.

Recent changes to information security risk management in government (e.g. the new classification policy and the updated Security Policy Framework) were in part made to address the fact that meeting certain “baseline control set” requirements had taken the place of making sensible security decisions in context. At its worst, that meant people had to bend the rules to respond to security incidents rapidly.

I also used the example of the Digital by Default Service Standard, noting that I rarely saw any correlation between the time people spent preparing for an assessment and the likelihood of success. The people who were successful were the ones who invested time in their users and service design, not preparing for assessment.

If organisations want to be on the front foot, they can’t allow current regulation to set their level of aspiration. Instead we have the transition to new regulation as a force for wider transformation.

GDPR puts the focus on users. We should all be doing that already.

GDPR gives individuals a lot of new rights: to be informed, to be able to restrict processing, to understand automated processes, and so on.

The way those rights will be interpreted in law is yet to be determined, but organisations that have really invested in understanding their users will be in a far better position to shape and defend their approach than those who allow corporate policy to ignore users.

And if we actually respect our users, get close to them and have a conversation with them we’re more likely to be able to find new opportunities and build their trust and loyalty.

We should try and go beyond GDPR’s expectation that policies will be explained in “plain English”. Or at least not fall into the trap that that solely means applying better writing to sign-up forms and privacy policies. I cited If’s “New Digital Rights” work as an example of actually applying design thinking to the relationship with users around data.

Understand our organisations

There are all sorts of trade-offs that everyone’s going to have to face in meeting GDPR’s requirements. Hold on to data for potential future analysis, or dispose of it to reduce your liabilities? How much consent should you ask of your users? And so on.

It would be foolish to try and balance those trade-offs without understanding our organisations’ purpose, but all too often people are asked to do just that. People responsible for GDPR compliance need to push that conversation, to make sure that decisions are made in the context of overall value.

That also means finding ways to express that purpose and the way in which it’s being worked out right across the organisation. I cited the design principles we created at GDS as a tool for that. Principles like that give people a common frame of reference, and create a better environment for constructive challenge.

Better cultures, better feedback loops

Most organisations are going to struggle with GDPR compliance not because they’re doing anything nefarious, but because data has sprawled all over their organisations.

The reasons for that vary, but a common pattern is that people have one or two core tools that are theoretically their core data stores, but those stores are inflexible and so people create parallel systems (usually spreadsheets) in order to get their jobs done. Over time it gets less clear which the authoritative data set is, and more and more copies emerge.

Spreadsheets are an important tool and usually the easiest way to do some simple analysis, but they’re not the best choice for long-term data storage. Their use is the sort of thing a purely compliance approach would try to stomp out, but doing that without an alternative won’t help.

Those charged with compliance should instead try to get to grips with the real causes of that information sprawl and help create feedback loops that limit it. Make sure that data stores have clear custodians who can adapt them to help people get their jobs done. Create channels where people can be open about the workarounds they’ve had to create and can have a grown-up debate about the right way to manage that data in the future.

Not only will that focus reduce the risk that everyone works around compliance (because they still need to do their jobs), there’s a really good chance that organisations will get more efficient if a culture is created that’s rich with feedback loops and includes empowered custodians.

That all applies to security, too

People are understandably worried about the risk of “data breaches” after a range of high-profile incidents, and the GDPR increases the expectation that people will respond clearly and quickly.

For too many organisations, the biggest risk they have around data breaches is simply not knowing what data they hold, or where it is. Exactly the same principles around providing great tools and developing feedback loops are what’s needed there too.

There is an important place for discussions of specific technical security measures, like encryption, data minimisation, sharing, and so on. And it’s important that people understand the divisions in responsibility between their teams, software as a service providers and others. But none of that’s of much use unless we know the real data flows of the organisation.

Finding that out and improving it will work best in the context of recognising that people can be the strongest link in security, making sure that we have a security culture that recognises that most people are trying to do “the right thing” and supports them in doing it.

It also means practicing. My favourite clause in GDPR seems to recommend “game days” which seems like a very positive idea:

Regulation isn’t aspiration

Everyone will have to comply with GDPR, but if that’s all we focus on we’ll always be playing catch-up.

Educating staff about compliance may be important, but if that’s where it stops it’s unlikely to be transformative.

Instead, organisations should focus on understanding their users, providing the right data services for them, and building internal product ownership and feedback loops that make sure staff can contribute to improving data management over time.

There are a lot of hard challenges coming in working out what’s possible with data, with privacy and with consent. We need to free up organisations’ capacity to work on that, not on the endless cycles of compliance.