A few years ago the sounds of piloting new software was pretty exciting and still is however one thing has changed in my job is ensuring we are compliant with numerous layers of regulations, standards and policies. The list is long and can be complicated depending on the service your looking to pilot however it is worth it? Is someone reading my EQIA, is my DPIA thorough enough? are the cookies necessary and do we have non-invasive pop-ups that don’t block functionality of the site available for users to opt out? Is the accessibility statement out of date already due to a weekly deployment schedule????
The short answer is these are all important factors that should be reviewed to ensure privacy, legality and accessibility. To ensure the users and institution have transparency of the service they will promote or access. Below is a list of the steps I take (in no order) when thinking about compliance:
- Cyber security Questionnaire
- Data Protection Impact Assessment
- GDPR Compliance
- Equality Impact Assessment
- Accessibility Statement
- Data Protection Agreement
- Cookie Audit
- Legal review of contracts
- Modern Slavery Act Statement
- I may have forgot something, its Friday
Sometimes I feel like when an account manager see my emails asking lots of questions their finger must hover over the delete button (aka the not him again asking another question) however part of me wonders why don’t vendors have templated answers to all the same questions all the institutions in the UK should be asking. Which leads me to think are other institutions asking these questions? Well, that’s not our concern and it doesn’t keep me awake at night but why wouldn’t we want to ask the above list?
Technology is evolving at light speed and as vendors pop-up or evolve their own products its their responsibility to ensure they meet the numerous standards and regulations. But what if we don’t understand those standards or regulations? Off the top of my head the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 states that website or mobile app will meet the newer legal requirements if you meet the international WCAG 2.1 AA accessibility standard however the Govt regulation exemptions (3.2.c) conflict with WCAG 2.1 AA standard on live video with audio. WCAG state for live video (with audio) captions are required to meet AA standard. JISC* also states that live captioning is not covered in the regulations which leaves the sector in a head scratch.
This leads to the interpretation of the regulations from numerous bodies which can lead to confusion between best practise and regulations. Eek! So as quickly as the tech evolves the new regulations that affect it everyday utilisation is stuck in a swamp, located in a beach full of sinking sand with the tide coming and the tide is bringing in sharks.
We are lucky as we have internal groups, expertise, status (16th in the QS rankings this week – I get a free pen everytime I mention it) and resource to interpret and push vendors to review their processes and implement change. I think I heard someone laugh ironically….and yes vendors vary with some embracing feedback poorly (aka that’s a great idea we will talk to the team about it) but other vendors are keen to work with us and see the benefit of providing products that meet compliance as its great PR (and £££££).
With the pandemic and the “PIVOT” ( yes I watched the Friends Reunion and yes i know feel super old-er) to digital tools the focus on compliance is even greater to ensure tools we provide are accessible and if not list what we are doing about it (accessibility statement), ensure that by adopting or creating a process introduced by technology we are not discriminating users with protected characteristics (EQIA), ensuring users personal data is safe and we know the ins and out of how the data processor will handle data (DPIA) etc etc.
So are we complying with compliance? There’s a lot of clauses, acts, policies and regulations to keep up-to-date but honestly who wouldn’t want to be compliant.