This is background reading, generally in support of the principles behind the General Data Protection Regulation (GDPR).
The first Data Protection rules for use across Europe were drafted in the 1990s … for the world as it was in the 1990s.
At the time, and into the first decade or so of this century, the prevailing Data Protection rules served their purpose. Since then, times have changed, the world has moved on and our relationship with data, especially our personal data, has changed considerably.
Facebook, the world’s biggest social network now reports over 2.6 billion monthly active users (1Q 2020).
People across the world are routinely sharing their personal information online … and they are doing it without coercion or any other means of encouragement. Globally, it has become apparent that our relationship with personal data is changing. The GDPR is a necessary response to those changing relationships.
If you are interested in the detail and want to start from first principles, the EU has published a Complete guide to GDPR compliance as a resource for organisations and individuals researching the General Data Protection Regulation.
What is GDPR?
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
The GDPR does exactly what it says on the tin, it’s a general data protection regulation. It has been designed to protect personal data from abuse and misuse, wherever it is stored, accessed or handled. To that end, it limits what organisations can do with personal data and it provides a legal framework for people who wish to see what is being stored.
The Data Protection Act 2018 is the UK’s local implementation of the General Data Protection Regulation (GDPR) and controls how personal information is used by organisations, businesses and the government, in the UK.
Under the Data Protection Act 2018, any citizen has the right to see the information that any organisation, including the government, has accumulated about them.
Accessing my Spotify Data
As I was writing this, I thought it might be a good idea to test the process. I didn’t expect it to be particularly interesting but I asked for a copy of my data from Spotify. The request is simple and it’s made via the Privacy Settings tab under Account Overview. It took them about three days to collate and respond, and then I received these:
I wasn’t disappointed, everything that I received was all as interesting as I had expected it to be!
I opened the Read_Me_First.pdf first, and here is the English bit:
It refers back to one of the articles in the GDPR legislation. It also indicates that there is more information available, should I want it. Spotify has provided that which is demanded by the law – the user-related stuff – but has said that they will also provide the internal “technical log” and other “special data” should I want to have a look. None of it is of any particular use to me, but at least Spotify is demonstrating a commitment to transparency.
There is also a paragraph that refers to California residents. What you should take from this is that the GDPR is only one of many data protection policies that exist around the globe. So, if you, or your site, is going to be handling personal data anywhere in the world, compliance with General Data Protection Regulations is going to be required.
What are the GDPR Responsibilities?
The responsibilities defined and recommended by the GDPR are broad. They are not targeted towards any particular industry sector, nor is their reach determined by the size of an organisation. The regulations are designed to safeguard the privacy of individuals.
And … the principles of Data Protection are acknowledged and accepted throughout most of the world.
Everyone responsible for using personal data is required to follow strict rules and guidelines: the “data protection principles”. They must make sure that the personal information they are collecting, storing, retrieving and using is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information – see https://www.gov.uk/data-protection.
Ultimately, this is nothing more than common sense.
Why do we need Data Protection laws?
Sharing personal data creates a relationship between the data subject and the data user. Personal data is shared on the basis that it is used only for the specific purpose of the share, and nothing else. The data-sharing relationship is built on trust and must be protected if it is to operate in the interests of the public.
That’s not all.
We should also be aware of the potential unintended consequences of collecting and aggregating huge quantities of personal data.
Here are some key daily statistics that were highlighted by the World Economic Forum in April 2019:
- 500 million tweets are sent
- 294 billion emails are sent
- 4 petabytes of data are created on Facebook
- 4 terabytes of data are created from each connected car
- 65 billion messages are sent on WhatsApp
- 5 billion searches are made
And … here are more interesting and engaging statistics if you’re that way inclined.
By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!
There is information to be garnered from the systematic analysis of the data that has come to be known as Big Data. This mainly serves the interests of the global corporates but it can also serve the interests of Government, and one has to say that those interests could be benign … or they could be malevolent.
The issues surrounding the use and misuse of data – and especially Big Data – are not just a question of the misuse of individual snippets of personal data. Useful information can be derived from the aggregation, amalgamation and analysis of seemingly unrelated datasets.
This is nothing new!
And it’s not necessarily all bad.
Network Analysis has been used to develop intelligence on adversaries during periods of conflict … and such methods can also be used in peacetime!
During World War II, the allies were able to infer intelligence about enemy operations based on the analysis of the incidence of radio broadcasts and their origin. Using Network Analysis methods developed for the purpose, the analysts were able to garner significant information from encrypted radio broadcasts without knowing the content of the messages – all of this was well before the Enigma Code was broken.
Moving on to the here and now.
Data collected from Smart Meters, primarily used to streamline the supply of electricity, can also be used to infer specific and general household activity and demographics.
Household electricity consumption is recorded by the smart meter at 15-minute intervals. The rate at which the usage data is delivered to the central servers can vary, but the “hidden” information is in the 15-minute readings. A simplistic example, maybe, but a surge in the early morning is likely to indicate a working family, and a surge around 4:00 pm is likely to indicate children of school age. High consumption of electricity during the night could indicate the ownership of an electric vehicle.
Combining the Smart Meter data with other datasets can be used to help marketers identify their target audiences. Simplistic examples they may be, but they demonstrate the value hidden in data, both big and small.
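The inference described above, and the data-minimisation answer to it, as an added example that is not part of the original post: it runs the post's simplistic heuristics over constructed 15-minute readings for two households with different routines, then shows that the daily total (the figure billing actually needs) is identical for both. The kWh values, time windows and the "three times the median" threshold are assumptions made for illustration.

```python
# Added example (not from the original post): the page's smart-meter heuristics
# applied to constructed 15-minute readings, beside a data-minimised daily total.
# All kWh figures are constructed sample values, not real meter data.
from statistics import mean

SLOTS_PER_HOUR = 4                                  # one reading every 15 minutes
BASELINE_KWH, SURGE_KWH, NIGHT_KWH = 0.05, 0.60, 0.80   # assumed illustrative levels

def hour_of(slot: int) -> float:
    """Clock hour (fractional) of the n-th 15-minute slot of the day."""
    return slot / SLOTS_PER_HOUR

def constructed_day(surge_hours: tuple[int, ...], night_load: bool) -> list[float]:
    """96 constructed readings: flat baseline, a one-hour surge starting at each
    of surge_hours, and an optional elevated draw from 23:00 to 05:00."""
    readings = []
    for slot in range(24 * SLOTS_PER_HOUR):
        h = hour_of(slot)
        kwh = BASELINE_KWH
        if any(start <= h < start + 1 for start in surge_hours):
            kwh = SURGE_KWH
        elif night_load and (h >= 23 or h < 5):
            kwh = NIGHT_KWH
        readings.append(kwh)
    return readings

def infer_routine(readings: list[float]) -> dict[str, bool]:
    """The post's simplistic inferences over the fine-grained series: a window
    counts as a surge when its mean exceeds three times the median reading."""
    quiet = sorted(readings)[len(readings) // 2]
    def surge(start: int, end: int) -> bool:
        window = [r for i, r in enumerate(readings) if start <= hour_of(i) < end]
        return mean(window) > 3 * quiet
    return {
        "early_morning_surge": surge(6, 9),     # working family?
        "after_school_surge": surge(15, 18),    # school-age children?
        "night_time_load": surge(0, 5),         # electric vehicle charging?
    }

def daily_total(readings: list[float]) -> float:
    """Data minimisation: keep only the figure the billing purpose needs."""
    return round(sum(readings), 2)

if __name__ == "__main__":
    family = constructed_day((7, 16), night_load=True)
    shift_worker = constructed_day((12, 20), night_load=True)
    print(infer_routine(family), infer_routine(shift_worker))
    print(daily_total(family), daily_total(shift_worker))  # same bill, routine hidden
```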
Just something to be aware of …
I have taken the time to illustrate the growth in the generation of data and the potential for its misuse as I believe that the General Data Protection Regulation is essential for the sustained well-being of all of us.
GDPR and Blogging
Having touched on the moral imperative that drives your adherence to GDPR principles, what happens if you don’t adhere to them?
According to the European Commission, the process for non-compliance begins with a Warning and then a Reprimand. If nothing then happens, things start to get a bit more drastic and will end in suspension and fines.
Hopefully, the initial slap would be enough to drive some remedial activity before things become serious, and responding to the initial warnings in a proper manner will allow you to escape the more severe consequences.
A GDPR Checklist
This is a quick heads-up on the stuff that you will need to be thinking about. The subjects are covered in more detail elsewhere … follow the appropriate links.
Your site should be supported by its own SSL certificate. The URL should begin with https:// rather than http://.
You should check the GDPR compliance status of any third-party services that you use, like plug-ins for example.
If you are collecting email addresses, make sure you are not abusing the rationale for collection and make sure that you provide an opt-out facility.
Make sure that all your software is up to date at all times, including themes and plug-ins, and the latest fixes have been installed. If there is an option for automating the update process, think about using it.
As bloggers, website developers and marketers, we should be aware of the need to protect the data shared with us. We should be putting the principles of Data Protection into practice … for the benefit of everyone!
- The Information Commissioner’s Office – ico.org.uk
- GOV.UK – https://www.gov.uk/data-protection
- Complete Guide to GDPR Compliance – https://gdpr.eu/
- The Data Protection Act 2018 – http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
- The History of Traffic Analysis: World War 1 – Vietnam – https://cryptome.org/2013/07/nsa-traffic-analysis.pdf
- World Economic Forum – https://www.weforum.org/agenda/2019/04/how-much-data-is-generated-each-day-cf4bddf29f/
- Oracle UK – https://www.oracle.com/uk/big-data/what-is-big-data.html