Building trust in what you see
 
GDPR, Neighbourhood and privacy by design

At Neighbourhood, privacy, trust and security are core to our values and offer to users. Our conceptual design, and the development of our technology, marketing and communications, follows a ‘privacy by design’ approach.

This year in the UK the new Data Protection Bill comes into force. This represents the regulatory alignment of the UK with the European Union’s new General Data Protection Regulation (GDPR), despite the UK’s intended withdrawal from the European Union (Brexit).

Illustration showing key elements of GDPR (effective 25 May 2018) – DPOs, Compliance, Data Breaches and Personal Data

The new measures specify:

  • That the public will have greater control over personal data – including the right to be forgotten
  • A new right to require social media platforms to delete information on children and adults when asked

(UK gov)

Neighbourhood has an advantage over existing social, location-related applications in launching at this time: we can take account of the mistakes and experiences of existing social media applications, implement practices and systems that align naturally with GDPR at their core, and build trust with our users on this front from the outset.

Key elements of GDPR and how Neighbourhood meets them

GDPR feature How Neighbourhood meets this requirement
Right to be forgotten
  • Messages on Neighbourhood are not publicly available or searchable, meaning that users’ comments will not come up in search engines, which has been a key issue in right to be forgotten claims
  • Our users will be able to have full control over deleting any of their data within Neighbourhood: whether within groups, about activities, or in relation to transactions and reviews
  • Our users will also be able to delete their entire profiles. If a user does that, we will keep their data for a 14-day cooling-off period during which none of it will be visible on Neighbourhood; after this time it will be fully deleted
Control over personal data
  • Our users operate under pseudonyms by default and control when, to which other users and under what circumstances they reveal their real names
  • Our users are encouraged to use avatars as visual representations, which mitigates the risk of cyberstalking, especially given the ‘local, social’ nature of Neighbourhood
  • Our users will be able to control the visibility and deletion of messages, from the time they are posted, indefinitely. Deleting messages will be easy, inline and possible from all over the application.
Opt-in
The reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, to give consent for organisations to collect personal data will also become a thing of the past. (UK gov).
  • When individual users join up to Neighbourhood they will be informed as to how their data will be used, and opt into this
  • Neighbourhood will be light on its collection of personal data: we will collect real names and age optionally, and we will not collect date of birth. We will include an ‘I know and trust this person in real life’ button to add another level of trust to user identities, which is not reliant on personal data: this will be a form of ‘reputation’ that helps others understand how established and trusted other users are within the system
Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them. (UK gov). Referred to in GDPR as Right to Access. (EU).
  • Furthermore, our users will be able to access an archive of all of their messages and other data from the time they join.
  • They will easily be able to delete specific data items and all of their data from this archive page.
  • They will not need to contact Neighbourhood to access this data due to our built in transparency features.
Data Portability
GDPR introduces data portability – the right to transmit data to another controller. (EU).
  • The archive page above will be made a downloadable CSV for easy porting to other services.
Require ‘explicit’ consent to be necessary for processing sensitive personal data
Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA. (UK gov).
  • Neighbourhood will use cookies only to support the smooth user experience of our web application visitors; we will not plug in advertising or other partner technology that involves tracking users across the internet for advertising or other purposes.
  • Neighbourhood’s business model does not involve the sharing of personal data with any other businesses or organisations.
Identification from anonymised data

New criminal offences will be created to deter organisations from either intentionally or recklessly creating situations where someone could be identified from anonymised data. (UK gov).

We are keenly aware that even non-personal data can be combined in a way that negatively impacts individuals. Even though we do not collect many types of sensitive data (no medical, date of birth or financial information), we have considered that some Neighbourhood data, for example users’ fitness habits, might be of interest to health insurance companies and employers. We have no interest in supporting the combination of data for these purposes. We will not provide any data profiles about our users to any partners or clients. Specifically, where appropriate to support our business model, we will provide only narrow, aggregated reports about our users to partners that allow no tracing or profiling of our individual users.
Terms and conditions
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese. (EU).
  • Neighbourhood will display for users terms and conditions that are easy to understand and follow, in ‘clear and plain language’. We will also implement an innovative ‘in line privacy’ feature, where all around the site users can click to see data privacy terms and controls relevant to that specific interaction/activity.
  • We will carry out user testing on our terms and conditions and get feedback from our users on making sure they are quick to read and understand, while being appropriately comprehensive.
Data Protection Officer
  • As our Chief Operating Officer, Shivam will be responsible for our data processing activities. He will undertake GDPR training and will liaise with external GDPR service providers as needed to support on specific tasks and for security and privacy audits.
  • However, our entire team is committed to privacy, and trust is at the core of what we do and offer. Every feature we design and operation we undertake will therefore include ‘privacy and trust’ considerations that we discuss as a team and document as we go along, so that ‘privacy by design’ principles continue to be followed throughout the development and operation of our application.

Data protection bill image source: The DMA
