Matthew Sherlock, Product Director – Campus Solutions, Ex Libris
Next year will see a major change in how data protection is managed across Europe. It may be the biggest shake-up of the legislation since the 1995 Data Protection Directive, and has far reaching consequences for anyone involved in data management and technology.
Fast forward to today and it seems that the whole world knows everything about you. Most of us have a smartphone in our pockets, a device which is more powerful than early computers, and we spend increasing amounts of time online managing everything from our social life to our finances. We also share huge quantities of data.
Whether it is targeted marketing messages on social media or smart devices in our homes helping us manage our energy consumption, many of today’s advances claim to make our lives easier — all we have to do is give a little of our personal data away.
It sounds like a good deal. The problem is that as we give more and more of our data away, there are increasing ways that criminals can take advantage of it. Last year £1 billion was lost to cybercrime in the UK alone. It is in this landscape that GDPR (the General Data Protection Regulation) comes into force.
GDPR creates much more stringent laws around how data is collected and stored, gives users the “right to be forgotten,” and enforces strong penalties for anyone who breaches the regulation.
To comply with the GDPR, companies need to keep a record of how and when an individual has given consent to store and use personal data. It’s not just enough to have a pre-ticked box anymore — active agreement is needed and an audit trail of consent must be kept.
In addition, users have the right to know exactly what data is held on them and to withdraw their consent for this data to be available at any time – not just removing access to the data, but permanently erasing it. This “right to be forgotten” is a cornerstone of the legislation.
Another fundamental principle is privacy by design and default. This means that it is not enough to retroactively think about a user’s data privacy; it needs to be “baked in” to systems and services.
There are many other aspects of the new law, but it is clear from these few examples how significant the change it is likely to be. At Ex Libris we are currently in the process of ensuring that we are compliant ahead of the upcoming legislation. We already have a track history of solid data protection and compliance (Ex Libris have been awarded the ISO/IEC 27018:2014 standard certificate, which establishes controls and guidelines for protecting Personally Identifiable Information), and see this as an opportunity to give users even more control over their own data.
Of course, sharing data can provide users with many benefits by tailoring experiences and targeting engagement based on the individual, such as providing upcoming transport options based on the individual’s location, signposting services based on previous activity, and predicating outcomes based on current actions compared to historic data. these can all be part of the positive use of data sharing. But there is a deal to be struck between the end user and service providers and clear usage boundaries must be set on the use of said data so that the benefits can be shared by all.
It will be interesting to see if this law lasts two decades before it needs updating. Technology continues to develop exponentially and areas such as artificial intelligence bring up new questions about what “personal” really means. We will likely need to continue to ask ourselves what we are willing to give up to make our lives easier.