This Sunday, the 28th of January, the world celebrates International Data Privacy Day – or at least the privacy geeks and professionals of the world do. But privacy shouldn’t be just for privacy geeks and professionals to care about. Why? Thanks to advances in technology we are all creating an enormous and ever-increasing amount of personal information. A growing number of our belongings, from toys to fridges to cars, will be connected to the internet and generate information about us. How can we stay in control of our personal information and be confident that it is used securely and responsibly?
Existing privacy laws have focused on giving individuals control over their personal information via two key mechanisms. Firstly, they require organisations to be transparent by making clear to individuals how they use the collected personal information (“privacy notices”). Secondly, they also often provide individuals with the right to request access to their personal information. In principle, this sounds good, but who has time to read all the privacy notices (research indicates it could take you 76 working days to read all of them) or request access to their personal information?
To solve these issues, legislators are increasingly focusing on making organisations more accountable and trustworthy. The new European Union General Data Protection Regulation (GDPR), which will be effective on the 25th of May, explicitly enshrines the principle of accountability. Accountability means that organisations will need to be able to demonstrate to their regulators that they are compliant with applicable privacy laws. They need to document internally how personal information is used and how the impact on individuals is minimised – for instance, by implementing data protection impact assessments. Moreover, the GDPR promotes the concept of “privacy by design.” Privacy by design means that privacy should be considered from the outset for any new project, product and process rather than as an afterthought. In other words, privacy needs to be embedded in those projects, products and processes from the start, with the aim of making the resulting products and processes more privacy-friendly.
How is Blackboard approaching this challenge? First of all, an essential premise: when the EU legislative bodies drafted the GDPR, they specifically had in mind social media and internet companies that collect and use data directly. Blackboard operates differently: we collect and use personal information under our clients’ instruction and with the sole purpose of providing products and services to our clients and their end users – we act as a “data processor.” This means that we do not collect or use personal information to sell advertising or to “monetize” information about individuals. Moreover, as a “data processor” we know how important it is to support our clients with their compliance with the GDPR and other privacy laws and to make sure we are trusted by them and their end users.
At Blackboard we think that accountability and privacy by design are crucial to continuing to earn this trust. That’s why the two concepts are at the heart of our Global Data Privacy and GDPR Implementation Programme. We are embedding a robust privacy by design process with checklists to make sure that relevant changes are reviewed, and all the important privacy questions are asked and answered. Are there new data transfers that require an update to our data transfer mechanisms (EU-US Privacy and model clauses)? Are there new subcontractors with whom we need to put in place data processing agreements and inform our clients about? Are we minimising the amount of personal information we collect to what is required for the specific change? Our privacy by design approach also means that changes are documented (accountability) and Data Protection Impact Assessments are conducted where required. Most importantly, it informs the development of privacy-friendly products for the benefit of our clients and the learners.
Happy Privacy Day!