- Posted by Marie Murphy
- On October 20, 2016
- data centric businesses, data protection myths, good data practice, privacy by design, Staff awareness
We can’t do that. Data Protection law won’t allow us to do that.
It’s Monday. Someone said something that I profoundly disagree with and I am off on my high horse for a ride around the argument! Let’s hope the rain stays off while I write all this down!
What sparked all this off…
Well, an engineer developing some super smart IoT technology said “We would like to do that but we can’t do that because of data protection law”. It doesn’t matter what “that” is. Here is an argument begging to be pulled apart and examined until the truth emerges.
So Engineer, either you are getting some very bad advice or you haven’t fully thought through the argument. Unless what you are proposing is illegal, I don’t believe there is such a thing as “we can’t do that because of data protection law”.
You might not be able to do “that” in exactly the way you propose because you need to consider some aspects of data protection law in your implementation. You may not be able to do “that” because it’s so intrusive on privacy that customers won’t buy it. It might not be a good idea to do “that” because you are not able to properly secure the data you are collecting on the device and that could be potentially harmful to the people who own the data.
Is it illegal? Maybe the implementation is flawed? Is it impossible to secure? Might your potential customers not like it? These are all good reasons not to do “that”. Data protection law requires that you examine “that”, but what you are addressing is not data protection law per se; it’s the underlying flaw that is causing “that” not to be a good idea in the first place.
Let’s take a look at each of these in turn.
First, is what you are proposing legal?
Leave data protection law aside for a few minutes and just look at the rights and wrongs. Does your business have a legitimate basis for doing “that”? A legitimate basis might be that the information is required in order to provide the service to the customer. It might be that the customer has provided consent to your processing of the data. If there is a legitimate basis then you probably can do “that”.
If it is legal, then you need to consider the how.
You have established that what you are doing is legal. For the sake of our argument, let us say you have identified that you are processing the data with customer consent. Now, you need to consider how you process the data in line with data protection law.
Instead of “we can’t do that”, let us look at how we can do “that”. You need to consider the principles of data protection when designing how you will collect, process, store and delete the data.
Think transparency. How will you let the user know that you are doing “that”? Consider ownership. The user owns the data, so how will you design in the user rights to withdraw consent, access the data, have the data rectified or object to further processing of the data? Examine security. How will you handle the data securely and how will you dispose of the data when it no longer serves its purpose?
Looking at the bigger picture, does “that” make business sense?
It’s well documented and much discussed: end users’ concerns about data privacy threaten to slow the uptake of IoT devices. You have established by now that you have a legitimate basis to do “that” and you have established how “that” can be done in compliance with data protection law. Now you need to ask yourself if “that” is going to scare your customers off. Is the data you wish to process intrusive?
Are your customers going to object? Will their objection ultimately prevent them from purchasing the device? Are the benefits that you provide to your customers going to overcome any concerns that they might have about sharing the data with you? If the answer to this is no or even maybe not – then you need to take another look at your product strategy. Not because of data protection law but because your underlying business case may be unrealistic.
Finally, have you examined what you need to do to keep it secure?
So far, as long as it is legal, as long as you have a robust implementation, and as long as it’s not going to scare off your customers there is no good reason to avoid doing “that”. What about security?
Have you looked at what it will cost to secure the data on the device and when you collect it? What is the potential harm to your customers (and ultimately to your business and your company reputation) if you fail to properly secure the data? Does the benefit gained from collecting the data outweigh the cost?
If the answer is no, then you are right – you can’t do “that” because you can’t comply with data protection law and keep the data secure. Ultimately this is a business decision. You must examine the return on the investment you make to collect the data. Do you have to invest more money into processing the data and keeping it secure than the data is worth to your business?
Data Protection enables better business
Data protection law is not some kind of blocker to doing business. Rather, it’s a structure within which you can do better business. It’s not ultimately stopping anyone from doing “that”.
I urge you to consider data protection law as you design “that”. You will ask some important business questions that will result in a more robust business model for your product. It will help you to consider the cost of security and build it into your business model. That is better than finding these extra and often significant support costs later on. You may address potential customer concerns during your product design. That is ultimately helping you to build customer trust and enhance your business reputation.
You can do “that” – just make sure it makes sense and do it right!