Data Protection and Its Impact on the Older Population

Rupert Brown
Author: Rupert Brown
Date Published: 14 February 2023

At 92 years old, my mother has been a widow for two years and is the sole survivor among her four siblings. Today, that is perhaps not as remarkable as it would have seemed in the 1970s, but she also faces another set of hidden challenges. She is a director of two family enterprises and finds herself being a person of significant control, having accrued various inheritances.

Although she is in full possession of her mental faculties, she spent all her working life in an analog world and has no online identities (e.g., Microsoft Live, Google Gmail). Some of the family bank accounts require two signatories on the mandate, so most key invoicing and payments remain manual via a steady procession of chequebooks: the same chequebooks that banks are now quietly getting rid of by reducing the number of checks at each renewal.

Since the death of her husband, my mother has tried to reduce many of the various membership subscriptions they accrued over the years. This is proving to be challenging as the concept of cancellation due to old age seems to be difficult for large charitable organizations to understand and process. In the end, she has resorted to cancelling direct debits wherever possible and then ignoring the chaser paperwork that then follows.

A 2017 survey focused on the increasing average age of Financial Times Stock Exchange (FTSE) 100 index enterprise board members. But this is only the tip of the iceberg; nothing comparable has been done for privately held enterprises where most day-to-day economic activity takes place.

So not only does society face the challenge of having transitioned many analog systems to digital ones in the face of an aging population who had little or no input on their design and usability, but there is also the set of largely manual controls on top to address fraudsters who have ruthlessly exploited the age-related gaps that were not considered.

I wonder what will happen if my mother has to reverify her identity for a service—her passport and driving license both expired some time ago. Recent know your customer (KYC) refresh programs by major banks in the light of new money laundering regulations are an accident waiting to happen.

In today’s digital world, elderly people naturally offload much of their day-to-day administration work to family members and carers with the digital know-how to efficiently complete the needed tasks; however, regulations such as the EU General Data Protection Regulation (GDPR) do not facilitate a common-sense approach to dealing with this ever-increasing problem. This is an all-too-common scenario that demonstrates the failings of personal data protection laws: while they look good on paper, they do not take into account real-world data sharing needs.

Chapter 9 of the GDPR, Provisions Relating to Specific Processing Situations, is ripe for reform now that many common scenarios have been encountered and legally tested. Article 88 within it only deals with employment and not the data management issues of day-to-day small business corporate actions. Retirement, family support, third-party carer scenarios and emotionally draining end-of-life scenarios are all lacking clarity as well, particularly when complex medical condition data are being processed and when personal data expires and can be safely deleted due to old age.

Editor’s note: For further insights on this topic, read Rupert Brown’s recent Journal article, “When Data Protection Is a Hindrance Rather Than a Facilitator,” ISACA Journal, volume 6 2022.

ISACA Journal