When I am discussing with clients the potential impact on
their business processes of the forthcoming EU General Data Protection
Regulation (GDPR), I am invariably asked for an example and I always endeavour
to identify one appropriate for their business environment.
Imagine therefore, my delight when one, which is applicable
to more than half the UK population, landed literally on my mat this morning.
The example in question was a letter from our local Electoral
Registration Officer (ERO -the council chief executive) explaining that there
are now two versions of the electoral register: the existing ‘electoral register’
and the new ‘open register’, but I didn’t need to do anything as I had
automatically been put on both.
In the UK, the electoral register lists the names and
addresses of everyone who is registered to vote in public elections, it is also
used for detecting crime, calling people for jury service and checking credit
applications. The new open register is an extract from the electoral register
which can be sold to any person, company or organisation, in most cases for
marketing by the person buying and to raise income for the ERO selling.
One of the central requirements of the forthcoming GDPR is that there is ‘explicit consent’ for the
use of personal information, with a few exceptions for national security and
public health. Therefore under the Regulation, rather than the wording of my
letter being ‘Your name and address will be included in the open register
unless you ask for them to be removed’. The wording needs to state ‘Please
confirm you are willing for your information to go on the open register’.
This may make my ERO balk, because rather than a few members
of the electorate ringing up his team to be taken off the open register i.e. ‘opt-out’,
his team would potentially have to deal with a much higher number of requests
to ‘opt-in’.
However, if the ERO looks again at the process; each year he
sends a letter to the ‘head of the household’ requiring them to list the names
and dates of birth all residents who will be 18 before the next election. It
would be a simple change to require there to be a signature against each name
confirming that that person wishes either to ‘opt-in’ or ‘opt-out’ of the open
register. This should be compliant with the GDPR and as a bonus it could reduce
the current opportunity for electoral fraud.
As I said in a recent AIIM
webinar organisations need to see the GDPR as an opportunity, not an
overhead, those that don’t will be caught by the regulator and it will cost,
both in reputation and fines (up to €1 million or 2% of annual global sales). My
suggested change to process will not cost the ERO any more than now, and may
even save him the costs of some of his team answering calls from the worried
electorate.