Developing the taxi theme from our Tel Aviv-inflected travelogue – and if you’ve missed it so far, check out our look at cyber security and General Data Protection Regulations (GDPR) – today’s taxi driver was crowd surfing down the road.
At every street corner, he’d stop, open his window and shout out to people to see if they wanted to get in the taxi. Maximising the seats in his taxi to maximise his fare; very commercial. Maybe it followed from that that he wasn’t a Gett driver. Either you’re with Gett (or Uber, or Taxify or similar) – and gathering data, taking payment on credit cards, e-mailing receipts and on the app; or, it seems, it’s cash-only, crowd surfing and very freelance. In this tech-heavy country, there’s still no chip-and-pin, no contactless. Ah, to be in Estonia sometimes!
So today’s driver wasn’t collecting any data about his passengers, other than where they wanted to go. No names, no routes, no credit card details, no ratings. And so, of course, no data protection issues there. Unlike my sign up to my Gett account, I didn’t have to accept any terms and conditions. I just climbed in and told him where I was going. I didn’t have to give him a specific, informed and unambiguous indication of my wishes in relation to collecting my data, and he didn’t have to ensure that my consent was given in a distinct statement or by a clear affirmative action. He didn’t have to worry whether my affirmative action was affirmative enough. General Data Protection Regulations? Pah!
He was carrying me to my destination, so I was portable. Berwins Digital was being portable. We’ve ported it to Tallinn, and to Tel Aviv, as well as to Leeds, Harrogate and London. But he didn’t have to concern himself with the portability of my personal data. When I got out of the taxi, I carried my personal data with me.
So, you may be wondering – as people often do with me – what is he on about?
A new right under GDPR, which didn’t exist under the Data Protection Act 1998, is the right to data portability – the right for data subjects (i.e. people) to be able to obtain and re-use personal data, in a structured, machine-readable and common format.
The Information Commissioner’s Office suggests this means, for example, as a CSV file. The right makes sense, and the principle makes sense. Technically, how easy is this with the software you use to store personal data? The obligation is to provide the data, without charge, within a month.
By the time GDPR, which is already law, comes into effect on 25th May 2018, you need to be able to do this, and so one of the areas of preparedness for GDPR will be to check with systems vendors on the process. It may be simple. It may be that the systems weren’t designed for a requirement like this. You need to know, either way, and have the process well documented and ready to roll.
Over the next few months some of the requirements will become clearer, and guidance is being prepared and provided all the time. The ICO’s website is a treasure trove of developing material. We’re all going to be needing to prepare for GDPR, because there isn’t a sunrise period starting on 25 May. Now is the sunrise period.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins