Memory Lane – The GDPR and the right to be remembered
Category : Blogs
One of the key principles of the upcoming European Directive on General Data Protection Regulation (commonly known as GDPR) is the right to be forgotten. This is a new principle and is one of the most discussed topics in data circles right now. This is an interesting challenge from a data management point of view, because it implies the ability to recognise the customer in the first place. Although it does not specifically state this additional requirement, by definition, you cannot forget something you didn’t already know!The multichannel environment we live in now is a very different data landscape to when the 1998 Data Protection Act, the GDPR’s predecessor, was written. Almost every customer journey is multichannel is some way, and therefore, the right to be forgotten implies that you, as an individual customer, can be recognised across all your different channels. To take the contrary example, if you can only recognise a customer in one channel, then you will be in trouble when your customer asks to be forgotten, and you still recognise them via a cookie in another channel. As a result, this means that building out an omnichannel single view of the customer will become a strategic requirement at a regulatory level, as well as the multichannel customer level at which it resides currently.But there is a flip-side to this; does the customer have the right to be remembered?Currently, there is no explicit part of the law that says so, but, if you can only forget something you already knew, the principle of the right to be forgotten should also apply in relief. The same technical data approaches should apply – one to suppress and forget, the other to remember?Let me explain with a recent example of my own.—Recently, my local train station car park has leapt into the 21st century by moving from old-fashioned payment machines (where you had to put in the right change) to Automatic Number Plate Recognition systems, which automatically detects your car’s number plate, and then pre-populates that information on the payment kiosk screen when you pay, using contactless payments.This has not only simplified the process from a customer experience point of view, it has reduced queues and sped up transaction times; when you know you are late for a train, this makes a real difference. So, this is a good use of customer data and “Internet of Things” technologies; it is the same concept that we are all used to on digital channels, and it is now starting to be used in wider, real-world applications.From a data technology view, it is interesting that the technology here is tried and tested, not new and bleeding edge; ANPR has been around for a while, although it has mostly been used by law-enforcement agencies, rather than commercial enterprises. However, crucially from a Data Protection point of view, it is using a very clear personal identifier – the vehicle number plate – as part of its transaction process. This would definitely be subject to the GDPR – not least because the GDPR takes a broader definition of what information is regarded as personally identifiable.However, the actual customer experience has highlighted several challenges with this, particularly in relation to the right to be forgotten/remembered principle.After a few weeks of working perfectly and spotting my car seamlessly, the ANPR system stopped recognising my number plate. It identifies other cars that arrive at the same time as me, but no longer can it see my car. This now means that I can’t buy a ticket from the machine, and from a customer experience point of view, this forces me to use the comparatively poor alternative channels; it took me 20 minutes last week to buy a ticket on my phone using the web site, because the user experience is so badly designed, compared to about 20 seconds with number plate recognition.But more fundamentally, this now means I don’t really trust the system and technology any more. I have seen that the system works, and I know that my car has not changed at all, nor have my preferences. However, it is no longer detected. I have questioned whether this means that the underlying technology is flawed in some way and I have managed to uncover a data protection version of a smoking gun. And yet this is a well-established technology that is admissible as evidence in a court of law.So, in this instance, then, I have already been forgotten; I was recognised, and now I am not. But I haven’t asked to be and it makes my customer experience longer and more painful. I don’t want to be forgotten – I want to be remembered.There are various technical theories I have come up with for why this may be happening.Does this mean that the technology has picked it up, but just doesn’t show it on the ticket machine? This seems unlikely, as the other cars around me are spotted and recorded there. If I were to drive out again, would the system suddenly “remember” and trigger the original recognition? Or has the system simply failed, there is no record of my entry into the car park, and therefore I get free parking!? Or has the timestamp gone wrong, so it is recorded, but only on a delay which will only appear after I have got the train?All of these seem implausible, but then so does the idea of a legally-admissible technology failing to operate on a regular basis. In which case, I can only assume that there is something wrong with the implementation, and/or that my personally identifiable information is not being treated correctly.It may or may not technically be a breach of the proposed terms of the GDPR – all of my scenarios above are hypotheses, and I am a data expert, not a lawyer – but a sustained failure to identify me in an era where consumers are much more aware of their rights in this area would at the very least be damaging reputationally. It would also increase the risk of customers asking about their data, either by requesting access (principle 2 in the GDPR) or invoking their right to be forgotten (principle 4). Which would increase your data management costs and reduce your usable customer data volumes.But as it stands, I don’t have a right to be remembered, under the proposed law. But I do have the right to be forgotten. And that seems odd, not least because you can’t do the latter without the former.However, the one thing that it does mean is that it will become an essential requirement to join up your customer to have a single customer view. And in the next article in this series, we will explore what you need to do to join these dots, so that you can demonstrate that you adhere to the new principles of the GDPR.