In May 2018 the European Union’s General Data Protection Regulation (GDPR) will come into force, replacing the existing Directive 95/46/EC, which will be repealed. The new regulation is seen as an enabling requirement of the European Digital Single Market, removing the current fragmentation in how the existing directive is implemented by member states and providing legal certainty, in particular with regard to online activity.
GDPR gives EU citizens significant protection by placing legally enforceable obligations and responsibilities on data controllers and processors. These regulations don’t just apply to data controllers or processors based in the EU: most larger organisations, globally, that offer goods or services to EU data subjects (regardless of whether they charge for them) will be in scope of the regulation. Many of these organisations will have to appoint a representative who is subject to enforcement procedures in the event of non-compliance.
Over the last few years “Big Data” has been a buzzword in the boardroom, encouraging the collection and analysis of personal data to become core to many company strategies. Often, customer consent has been obtained in a far from transparent way; GDPR seeks to address this by introducing obligations that consent should be freely given, specific, informed and an unambiguous indication of the data subject’s agreement. It also requires that personal data be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
With fines of up to the higher of €20m or 4% of a company’s worldwide annual turnover, GDPR is a regulation with teeth. A corporate risk register without GDPR compliance on it would be incomplete. And for any organisation that approaches consent by including a line in its terms and conditions, or by pre-ticking the consent box, it would be folly to believe that it has obtained unambiguous agreement. Harvesting data because “it could be useful”, “we might need it in future” or “we might be able to gain some great insights” isn’t going to cut it. Imagine the number of people organisations currently send marketing emails to because those people forgot to untick a box; now compare that to how many people would in future actively choose to be sent weekly offers, and you can start to see the scale of impact that GDPR will have.
A post-GDPR company, unless it is a data services company, should wherever possible adopt a data minimisation approach. If data isn’t their thing, then companies should stop gathering it wherever they can. They should take a critical look at every data field they capture and ensure that they can objectively justify it. If the reasons why a data item is necessary aren’t clearly justified, then companies should stop capturing it and make plans to remove existing data from their processing systems. They should also look at whether they need the data itself or just the outcome: for example, do they need to know someone’s date of birth, or just that they meet certain age criteria?
With data minimisation becoming more prevalent, opportunities for companies to provide data services to others become a much more valuable proposition, though adequate trust frameworks need to exist. There are two approaches to providing these services. Companies such as Mydex and Digidentity provide a great model of privacy by design, where only the data subject themselves has access to their data in unencrypted form. These companies hold data on behalf of the individual and develop services that allow them to utilise it as a means of monetisation, paid for either by the user or by the organisations they choose to interact with. Consent in this model becomes absolute, as the company itself doesn’t define the processing or sharing of the data; the power is entirely in the hands of the data subject. There are also opportunities for blockchain solutions that orchestrate connections to storage in database sharding architectures.
The other approach is for companies to become banks for user data. In this model the individual is still in control of their data, but the data service company is able to monetise the user’s data by aggregating it, much as a traditional bank aggregates the deposits of its customers to invest or lend to other customers. The development of services useful to the data subject becomes the catalyst for them to deposit more data: just as more money earns more interest, more data yields more services.
GDPR undoubtedly puts the data subject in greater control of their own data, with consent being the core principle. There are also new and strengthened rights for the data subject, with the obligation to act upon these rights falling on the data controller or processor. Whilst certain derogations are made for micro, small and medium enterprises, the fundamental regulations apply universally. There are some great summaries of the regulation which every organisation should take the time to read and understand. Unless you’re going to invest the time to read and understand the regulation and impact-assess your organisation against it, then when it comes to being the controller or processor of personal data, my approach would be to say to your customer: “you don’t need to tell me”.
Source: bryn blog