Many of you may have heard of General Data Protection Regulation (GDPR) coming out of the EU. Brexit or not, every UK organisation, will need to comply. It’s about personal data and is much wider and deeper than the UK’s existing Data Protection Act (DPA). GDPR will come into force mid 2018 and aims to more equally balance the rights of the individual against organisations who collect and use their data. That’s a good thing in my opinion!
I don’t know about you but I’m finding that despite the best efforts of lawyers and professional advisors, the mere mention of GDPR can leave me feeling bored and negative.  Bored, because my encounters with GDPR sometimes leave me lost in legal jargon and negative, because I can sometimes feel like the sky is falling from the children’s story  Chicken Little!
However, I keep reminding myself that this movement and more like it are probably the first real signs of the potential that in our world full of data there is a prospect of more balance between individual and organisation. My friend Stan from Reading Police calls it part of the “devolution” agenda.  Magic!  Moreover, data can actually enable us to move towards work that serves us better.
So the question in my mind is “how can we make GDPR more interesting?” “How can we make it more accessible for the average Joe on the street?”. On reflecting a tiny bit, I don’t think it’s that hard. What follows is a little snip of what I’m starting to test on some live projects. SkillsPlanner as well as some ecosystems we are developing elsewhere.
In a nutshell: GDPR is this new law that gives more power to individuals (not just customers but employees and citizens too). In order for an organisation to store info about you (your email address or even personal info collected when you visit their websites), they now have to ask you for permission first. They also have to tell you exactly what they are going to do with it.  You have to actually give them permission (it’s not OK for you to have to explicitly “opt out” anymore).  What’s more, if they want to do something different in future, they have to come back to you again and ask permission for the new use.  You also have “the right of erasure”. That means you can tell an organisation to delete the info they hold on you or to simply disclose what they hold. GDPR in a nutshell is that simple.

If an organisation finds itself on the naughty step, there are big fines. So you now have much more power – keep an eye out and make sure organisations are doing what they have to.
GDPR and Ethos: we work on many projects whose objectives are to improve lives through work.  We should only hold information on you IF a/ the future of work interests you OR b/ we are working on a programme that may positively impact your work/living or well-being.  Occasionally, we may wish to email you or contact you about things we are doing. This means holding your email address and other contact details.
Can we have you permission please?
You can always opt in or out of our different lists by clicking the link appearing at the bottom of each email we send out as a mailer. Going forward, we will always ask permission to hold and use your data before we collect it.   In addition, as a network organisation, we implement data sharing agreements with various organisations we work with who are partners on our projects.  This means we may share information about you in both directions but we will be obliged to make that explicit on all our data collection forms from May 2018.  We will endeavour to minimise the data we hold and make it anonymous if possible.
Our vision for the future is that all the information Ethos has about you will be stored in your own personal information store where you will have the power to chose what/when/who/how to share your information. You can tell us to erase it or erase it if you wish.  This store is yours and you can use it freely (within a free storage limit). The stores exist for many people already (using Google Drive) and will develop in line with our capacity to scale.  That’s our GDPR compliant policy in a nutshell. This is all very new to us as it is everyone else and so implementing something really slick is work in progress.
For example, we are working on setting up an easy to remember URL for everyone (something like ethosvo.org/your_email) to access your folders and there will be a much longer policy document spelling all this out in minute detail.  For now, we’d love your feedback, reactions, thoughts and ideas on “how to enable the future of work through GDPR?” Thoughts on a postcard please to [email protected].