When I am discussing with clients the potential impact on their business processes of the forthcoming EU General Data Protection Regulation (GDPR), I am invariably asked for an example and I always endeavour to identify one appropriate for their business environment.
Imagine therefore, my delight when one, which is applicable to more than half the UK population, landed literally on my mat this morning.
The example in question was a letter from our local Electoral Registration Officer (ERO, the council chief executive) explaining that there are now two versions of the electoral register: the existing ‘electoral register’ and the new ‘open register’. I didn’t need to do anything, as I had automatically been put on both.
In the UK, the electoral register lists the names and addresses of everyone who is registered to vote in public elections; it is also used for detecting crime, calling people for jury service and checking credit applications. The new open register is an extract from the electoral register which can be sold to any person, company or organisation, in most cases for marketing by the buyer and to raise income for the ERO selling it.
One of the central requirements of the forthcoming GDPR is that there is ‘explicit consent’ for the use of personal information, with a few exceptions for national security and public health. Therefore, under the Regulation, rather than the wording of my letter being ‘Your name and address will be included in the open register unless you ask for them to be removed’, the wording needs to state ‘Please confirm you are willing for your information to go on the open register’.
This may make my ERO balk, because rather than a few members of the electorate ringing up his team to be taken off the open register i.e. ‘opt-out’, his team would potentially have to deal with a much higher number of requests to ‘opt-in’.
However, if the ERO looks again at the process: each year he sends a letter to the ‘head of the household’ requiring them to list the names and dates of birth of all residents who will be 18 before the next election. It would be a simple change to require a signature against each name confirming that that person wishes either to ‘opt-in’ or ‘opt-out’ of the open register. This should be compliant with the GDPR and, as a bonus, it could reduce the current opportunity for electoral fraud.
As I said in a recent AIIM webinar, organisations need to see the GDPR as an opportunity, not an overhead; those that don’t will be caught by the regulator and it will cost, both in reputation and fines (up to €1 million or 2% of annual global sales). My suggested change to the process will not cost the ERO any more than now, and may even save him the cost of some of his team answering calls from the worried electorate.