We all know about ‘the Knowledge’ – the legendary, brain-growing process through which the London black cab drivers get to know the city. In Tel Aviv, host city for Berwins’ latest trade mission, we’ve been using Gett, which is the default taxi calling app used by about half of London’s black cabs. It’s an Israeli product, and it seems to be accepted as a friend by the cabbies, rather than as the threat Uber can be viewed as posing.
Some taxi drivers like to talk, some don’t – like their customers. Because they use their smartphones to bring them business, these are of course on their dashboards, providing directions. Today’s taxi driver, after getting over the fact that someone from the UK wasn’t thereby from London, used his to set about searching for information about Leeds. Whilst driving. And whilst changing lanes, missing cyclists, stopping millimetres away from the car in front, and accelerating off.
So he thought Leeds looked like a country town – I corrected him. He saw something about Leeds United, and as usual, I had to explain that they used to be something. He assured me they would be again, so I’m reassured now.
So all the time, the taxi driver is finding out about his passenger. Gett know lots about passengers too – where they visit, where they habitually travel from, when they’re travelling in a different city. How much they spend, what cards they spend it on. Which restaurants they prefer to eat at. What time of day they leave home.
Of course it isn’t just (or even principally) Gett, nor its Estonian equivalent Taxify, nor Uber – nor just taxi companies. All the time, those with whom we interact are receiving our data. They are doing so because we give it to them. In a sense, it’s the bargain we make: giving away our privacy in exchange for convenience. How comfortable are we with that? We shouldn’t be too comfortable, and governments have taken on the role of guardians on behalf of their citizens, to protect us from companies far more powerful and pervasive than taxi companies. Google, Facebook and Twitter are just the start. They monetise data, and there is a constant tug of war to retain a balance.
The next chapter is already law – the General Data Protection Regulations 2016, which come into force on 25 May 2018. The changes look, on the face of it, to be incremental, but for businesses they will be substantial. We’ve been working through these, deriving from the principles and the rights set out in the Regulations the practical questions: if the Regulations say this, what does a company have to do? Our summary of the principles and rights is this:
- Data processing must be lawful, transparent and consented to, or otherwise necessary;
- Consent has to be a specific, informed and unambiguous indication of an individual’s wishes, and it can be given by a statement or by a clear affirmative action;
- Data must only be collected for specific purposes which are explicit and legitimate;
- Data must be adequate, relevant and limited to the required purposes;
- Data must be accurate and up to date;
- Data must not be kept longer than necessary;
- The security of data must be maintained by appropriate technical and organisational measures.
Rights of the Data Subject
- Right to be informed of the processing of information, and that the processing is fair
- Right of Access
- Right of Rectification
- Right of erasure of data where there is not a legitimate reason for it being processed
- Right to restrict processing (note: this means data could still be stored – this may be temporary e.g. whilst investigating)
- Right to data portability – to be able to obtain and re-use personal data, in a structured, machine readable and common format e.g. as CSV file
- Right to object to data being processed
- Right not to be subject to automated decision making and profiling
Just saying you do these things won’t cut it – there are new obligations of accountability, transparency and governance, and with them comes a lot of recording of information and processes. This will entail a lot of cost to business, and a load of responsibility.
We are ready to work with clients to develop the steps which need to be taken to comply. But some of the key things to bear in mind are:
- Yes, you need to comply, but understand why it is important to individuals;
- Remember that it’s not just commercial organisations that like your data – so do criminal organisations;
- It’s not just about technology to achieve compliance – that alone won’t cut it. It’s about culture, awareness, training, support and resources.
- It’s in many ways of a piece with information security, or cyber security. If you don’t have security, you’ll make your data, and that of your customers and clients, vulnerable, and cause real damage to them.
- And if you do that, you’ll suffer damage – to your business, to your reputation, and, when breaches are reported (which under GDPR becomes mandatory), to your pocket. Fines, currently a maximum of £500,000, become €20 million, or 4% of global turnover.
Here’s good news for us Tel Aviv taxi-riding folk – Gett is an Israeli company. Israel leads the world in information security, as shown by its hosting of Cyber Week 2017. And Israeli privacy laws pass the EU’s adequacy tests, a high bar which the UK is going to have to achieve, and won’t automatically do post-Brexit (because of its Investigatory Powers Act 2016).
Be careful out there.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and technology division of Berwins.