Before GDPR comes into full force next May, we’ve taken a side step and identified five not-so-obvious but key elements of everyday business that will be affected by this legislation.
It’s estimated that Tesco’s Clubcard alone has 17 million users; now think about all the other loyalty cards that exist. Loyalty cards are part of everyday life. For years they have been tracking purchases, being linked and re-linked to different addresses and stores, and serving as a very powerful tool in a retailer’s marketing strategy.
Ahead of May 2018, the owners of these loyalty schemes will have to assess a number of key areas, including which information stored within those schemes is classified as “identifiers” under the new GDPR guidelines. Permissions will have to be examined: even if a customer opted into the scheme, the way they were asked matters. If they weren’t asked in a GDPR-compliant way, customers will have to be asked again, so gone are the days of that 15% discount as a sign-up bargaining chip.
Communication is another area that’ll be scrutinised, such as how organisations are going to use the data and communicate with the user; this can’t be hidden in sneaky size 8 font on the back of a leaflet anymore. Finally, the withdrawal process must be looked at: customers can withdraw at any time, and if they choose this option, it must be completed within 28 days. Organisations will therefore have to move quickly to withdraw a user and suspend all communications to them, across a base of potentially millions of other users.
Over the last decade there has been a rapid increase in the availability, reliability and accuracy of facial recognition technology. This way of identifying people has been integrated into many of the online and mobile services used for the authentication and verification of users and for the security of devices, accounts and premises.
Under GDPR, facial recognition falls under the “biometric data” bracket, meaning that it is treated as sensitive personal data, so the information captured requires enhanced protections. Organisations will therefore have to review the software and technology they possess that captures facial characteristics and identifies, categorises and differentiates individuals. This task will also involve assessing where these recognition algorithms are stored and how long facial profiles are retained.
For those who have signed up to a charity or relief fund, how they opt in and out of contact will change drastically. Even if the opt-out process is compliant, what next? The follow-up use, ownership and sale of that data now come into question.
The above issue could apply to fundraising, for example. The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been a cornerstone of the debate within the charity sector when it comes to GDPR. Volunteers are often the ones who collect this information, and under GDPR these volunteers are no different from employees, so they must be trained and equipped to protect data.
Customer monitoring and profiling
Under GDPR, personal data now extends to behaviour-derived and self-identified data. The legislation addresses the case where “individuals are tracked on the Internet, including potential subsequent use of data processing techniques - which consist of profiling an individual, particularly in order to take decisions concerning her or him, or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
This particular piece of legislation will almost certainly hit e-retailers particularly hard, especially where the profiling is intended to lead to a conversion, which will be non-compliant. When retailers specifically track and profile abandoned baskets, the information they hold to build up a profile and track online customer behaviour could be personally identifiable, and thus GDPR non-compliant.
Think about all the personal information that goes into a fitness app, whether it’s Fitbit, MyFitnessPal, Strava or another. Users often enter comprehensive personal details, including name, date of birth, weight, height and race, and use devices that sync biometrics back into these apps, tracking stride, heart rate, activity levels and GPS location. As this is highly identifiable information, the makers of these apps and devices will need to rethink their privacy policies and how they secure this data. They will also need to reconsider how long data is held and whether they may use the data for re-marketing purposes.
By Sean Hanford, information governance consultant at bluesource