
Tuesday, 27 September 2016

You don’t need to tell me

In May 2018 the European Union’s General Data Protection Regulations (GDPR) will come into force, replacing the existing Directive 95/46/EC, which will be repealed.  The new regulations are seen as an enabling requirement of the European Digital Single Market – removing the current fragmentation of how the existing directive is implemented by member states, and providing legal certainty in particular regard to online activity.  

GDPR gives EU citizens significant protection by placing legally enforceable obligations and responsibilities on data controllers and processors.  These regulations don’t just apply to data controllers or processors based in the EU – most larger organisations, globally, who offer goods or services - regardless of whether they charge for them - to EU data subjects will be in scope of the regulations.  Many of these organisations will have to appoint a representative who is subject to enforcement procedures in the event of non-compliance.

Over the last few years “Big Data” has been a buzz word in the boardroom, encouraging the collection and analysis of personal data to become core to many company strategies.  Often, customer consent has been obtained in a far from transparent way; GDPR seeks to address this by introducing obligations that consent should be freely given, specific, informed and an unambiguous indication of the data subject’s agreement.  It also provides protection that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

With fines of up to the higher of €20m or 4% of a company’s worldwide annual turnover, GDPR is a regulation with teeth.  A corporate risk register without GDPR compliance on it would be incomplete.  And for any organisation that approaches consent by including a line in their terms and conditions, or pre-ticking the consent box, it would be a folly to believe that they have obtained unambiguous agreement.  Harvesting data because “it could be useful”, or “we might need it in future”, or “we might be able to gain some great insights”, isn’t going to cut it.  If you imagine the number of people organisations currently send marketing emails to because they forgot to untick the box, and compare that to how many people in future would actively choose to be sent weekly offers, you can start to see the scale of impact that GDPR will have.

A post-GDPR company, unless it is a data services company, should wherever possible adopt a data minimisation approach.  If data isn’t their thing – then companies should stop gathering it wherever they can.  They should take a critical look at every data field they capture and ensure that they can objectively justify it.  If the reasons why a data item is necessary aren’t clearly justified, then companies should stop capturing it and make plans to remove existing data from their processing systems.  They should also look at whether they need the data itself or just the outcome – for example, do they need to know someone’s date of birth, or just that they meet certain age criteria?
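The two points above, that consent must be an unambiguous affirmative action rather than a pre-ticked default, and that a company should keep the outcome (meets the age criterion) rather than the raw date of birth, as an added example that is not part of the original post. The form-field shape, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO string such as '2000-03-15' (constructed input shape)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def meets_age_criterion(dob: DateLike, min_age: int, today: DateLike) -> bool:
    """True when the person is at least `min_age` whole years old on `today`.

    (month, day) tuple comparison decides whether this year's birthday has
    passed; a 29 February birthday counts as 1 March in non-leap years.
    """
    dob, today = _as_date(dob), _as_date(today)
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    age = today.year - dob.year - (1 if before_birthday else 0)
    return age >= min_age


def consent_given(field: dict) -> bool:
    """Only an affirmative action is consent (assumed shape: {"value": bool, "default": bool}).

    A box that was pre-ticked and left untouched (value True, default True)
    is not an unambiguous indication of agreement, so it returns False.
    """
    return field.get("value") is True and field.get("default") is False


@dataclass(frozen=True)
class CustomerRecord:
    """What is retained: no date of birth, only the derived predicate and the consent decision."""
    email: str
    meets_min_age: bool
    marketing_consent: bool


def register(email: str, dob: DateLike, marketing_field: dict,
             min_age: int = 18, today: Optional[DateLike] = None) -> CustomerRecord:
    """Derive the outcome at capture time and discard the raw date of birth."""
    today = date.today() if today is None else today
    return CustomerRecord(
        email=email,
        meets_min_age=meets_age_criterion(dob, min_age, today),
        marketing_consent=consent_given(marketing_field),
    )
```

A hypothetical sign-up with a pre-ticked marketing box left untouched, `register("alice@example.com", "2000-03-15", {"value": True, "default": True}, today="2018-05-25")`, yields a record that passes the age criterion but records no marketing consent.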

With data minimisation becoming more prevalent, opportunities for companies to provide data services to others become a much more valuable proposition, though adequate trust frameworks need to exist.  There are two approaches to providing these services.  Companies such as Mydex and Digidentity provide a great model of privacy by design, where only the data subject themselves has access to their data in unencrypted form.  These companies hold data on behalf of the individual and develop services to allow them to utilise it as a means of monetisation – either paid for by the user or by the organisations that they choose to interact with.  Consent in this model becomes absolute, as the company itself doesn’t define the processing or sharing of the data – the power is entirely in the hands of the data subject.  There are also opportunities for blockchain solutions that orchestrate connections to storage in database sharding architectures.

The other approach is for companies to become banks for user data.  In this model the individual is still in control of their data, though the data service company is able to monetise the user’s data by aggregating it – much like a traditional bank aggregates the deposits of its customers to invest or lend to other customers.  The development of services useful to the data subject is the catalyst for them to deposit more data – more money earns more interest, so more data earns more services.

GDPR undoubtedly puts the data subject in greater control of their own data, with consent being the core principle.  There are also new and strengthened rights for the data subject, with the obligation to act upon these rights falling on the data controller or processor.  Whilst certain derogations are made for micro, small and medium enterprises, the fundamental regulations apply universally.  There are some great summaries of the regulations which every organisation should take the time to read and understand.  Unless you’re going to invest the time to read and understand the regulation and impact assess your organisation against it – when it comes to being the controller or processor of personal data, my approach would be to say to your customer “you don’t need to tell me”.


Read my other posts
Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk
I didn't say you could touch me - Biometric authentication and identity
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Distributed Identity has no clothes - Will distributed ledger technology solve identity
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Defining the Business Analyst - Better job descriptions for Business Analysis
Unexpected Customer Behaviour - The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity

About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has nearly 20 years' experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA


Connect with Bryn on Linked In: Bryn Robinson-Morgan


Thursday, 28 July 2016

Coming together on being alone

In case you missed the news - the UK will exit the European Union in the coming years with the aim of gaining sovereign control of the nation’s future without interference from the other 27 member states.  Whatever your views on the rights or wrongs of this decision - the outlook for the future and the UK’s role on the world stage - one global influence on the UK that is unlikely to alter will be the digital / cyber sphere.  Whilst undoubtedly governments can and do moderate the online world’s influence on their citizens, national borders on the world wide web are far harder to control than in the physical world.

A recent celebrity super injunction was challenged in the UK courts on the basis that the information it sought to protect was freely available and easily accessible on the internet, on sites hosted and governed by other jurisdictions.  When it comes to cyber security, digital identity and online regulation, the larger the physical jurisdiction, the more global influence it has over how the online world operates.

At a recent digital / cyber / identity / security event that I attended, a relatively senior UK civil servant was presenting their department’s view of upcoming EU cyber legislation; during the presentation they referenced a meeting earlier that day with the newly appointed cabinet minister for their department on what the post-Brexit opportunities were for the UK in cyber industries.  When asked for the outcomes from this topic the response was “I don’t think it’s appropriate for me to comment on that here”.  This was a room full of subject matter experts from academia, industry and the public sector looking for guidance and insight from the UK government - what more appropriate time could there have been to discuss this?

The UK currently plays a leading role in global cyber policy - providing thought leadership, global policy and development of international standards on a range of topics.  We simply cannot afford to lose our voice and influence if we’re to achieve the sovereign control that the decision to leave the EU was intended to deliver.  That means having strong leadership that gives a clear roadmap of the UK strategy for how we will adopt and interoperate with globally agreed objectives.  We simply cannot afford to be inward looking when it comes to the digital world.

The EU has a strategy for the Digital Single Market - so not only will we be negotiating our position in the physical Single Market, we’ll also be negotiating our relationship in the digital one too.  One of the key components of this Digital Single Market will be the regulation on electronic identification and trust services for electronic transactions in the internal market (otherwise known as eIDAS).  The eIDAS regulation aims to enable secure and seamless electronic interactions between businesses, citizens and public authorities with electronic ID (eID) and electronic trust services (eTS).  Having a common framework for interoperability that permits cross-border transactions is a key building block of the Digital Single Market.  The member states transacting in this market have standards-based implementations of identity schemes, electronic signatures & seals, delivery services and website authentication.  All these electronic trust services will have legal validity within the member states.

In eID, the UK Government has its interoperable, eIDAS-aligned service GOV.UK Verify - so on the face of it we’ll be able to access the Digital Single Market, at least from this perspective; except that alongside “the new way to prove who you are online”, the GOV.UK platform is still promoting registration via the old way - Government Gateway; even for the services listed under the new way, the old way is still prevalent and often more prominent.  So our inward looking approach is already being promoted above the needs of the outward-facing EU interoperable standard.

The answer to what the opportunities are for UK cyber industry post-Brexit is reliant on an updated Government Digital Strategy; we need to know whether we’re going to be more Estonia than North Korea as a nation when we have reclaimed our sovereignty.  We need bold leadership that outlines what our ambition is on the global stage; industry needs to know that digital UK offers a return on its investment; academia needs to know the skills that future generations will need, and it needs to know that funding sources aren’t going to be strangled by our unwillingness to operate with a global outlook.

If government can’t control its own departments under a single digital strategy whilst we’re faced with EU regulation being imposed, then what message does this send for our post-Brexit future?  We simply cannot afford to go it alone in the digital sphere - our opportunity to provide thought leadership and to influence innovation, security, regulation and standardisation needs to be increased, not diminished.

The UK Government is embarking on its biggest transformation programme ever - my earlier post on why transformation programmes fail, Rip it up and start again, highlights the importance of a clear strategy and vision.  In the digital sector we need to know how we plan to come together, otherwise we risk being very alone.
