Since May of this year, our self-titled "Privacy Sheriff", Rebecca, has been cracking the whip on our efforts to understand and prepare for the General Data Protection Regulation (GDPR), which takes effect on 25th May 2018.
We've undertaken an information audit (an ongoing process), identified steps that we must take as an organisation to protect our data and that of our data subjects, and have made ourselves battle-ready. We have a few feet to cover before May but we're proud to report that Solomon, as an organisation, will meet all the demands of the new data protection laws.
That work covers our role as a Data Processor: a party who acts on data on behalf of our customers. But what about our customers, as owners of the data held in Solomon, whom the Information Commissioner calls Data Controllers?
On the one hand, our BID customers are in a good position because they have a "legitimate interest" in processing much of the data they hold. Going a step further, we would argue that there is a "legal obligation" to hold liable party information, to ensure a Ballot/Renewal is legitimate. When it comes to some other points of data that are personally identifiable - personal information about individuals the BID team communicate with day-to-day - GDPR includes some new rights for data subjects that BIDs, as Data Controllers, must take account of.
Today we are announcing that we plan to spend the first few months of 2018 adding some new features to Solomon that will provide tools to address these new rights, and to make all our customers "compliant by default."
Undertaking this work will mean pressing pause on the development of some new features, but this is a major shift in the law that affects all BIDs, regardless of size and shape, and we want to do everything we can to help.
Three key areas require our attention:
Consent and the right to unsubscribe: every data subject must give consent for their data to be processed, including email addresses used for electronic communication. Data Controllers must receive "positive, freely given, specific, informed and unambiguous" consent for their data to be processed. Controllers need to say how long they will hold data for, what they will do with the data, have clear procedures for deleting the data once any deadline passes, and outline the subject's rights. We want Solomon to incorporate a set of tools for managing consents.
The right to access: upon request, any data subject can ask a Data Controller to provide, free of charge and in a commonly used electronic format, copies of any data held about that subject. We want Solomon to incorporate a "one-click" solution for our customers.
The right to be forgotten: every data subject has the right to request that the Controller erase any personal data held concerning them. We want Solomon to incorporate tools that allow you to flag personally identifiable data, and destroy it on-demand.
GDPR represents the biggest change in data protection rules in two decades. Delivering these new features will require a huge amount of effort from our team but it's essential to us that Solomon customers are compliant by default.