Tuesday 27 September 2016

You don’t need to tell me

In May 2018 the European Union’s General Data Protection Regulation (GDPR) will come into force, replacing the existing Directive 95/46/EC, which will be repealed. The new regulation is seen as an enabling requirement of the European Digital Single Market – removing the current fragmentation in how the existing directive is implemented by member states, and providing legal certainty, in particular with regard to online activity.

GDPR gives EU citizens significant protection by placing legally enforceable obligations and responsibilities on data controllers and processors. These don’t just apply to controllers or processors based in the EU – most larger organisations, globally, that offer goods or services to EU data subjects (regardless of whether they charge for them) will be in scope of the regulation. Many of these organisations will have to appoint a representative who is subject to enforcement procedures in the event of non-compliance.

Over the last few years “Big Data” has been a buzzword in the boardroom, encouraging the collection and analysis of personal data to become core to many company strategies. Often, customer consent has been obtained in a far from transparent way; GDPR seeks to address this by requiring that consent be freely given, specific, informed and an unambiguous indication of the data subject’s agreement. It also requires that personal data be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

With fines of up to €20m or 4% of a company’s worldwide annual turnover, whichever is higher, GDPR is a regulation with teeth. A corporate risk register without GDPR compliance on it would be incomplete. And any organisation that approaches consent by including a line in its terms and conditions, or by pre-ticking the consent box, would be foolish to believe that it has obtained unambiguous agreement. Harvesting data because “it could be useful”, “we might need it in future” or “we might be able to gain some great insights” isn’t going to cut it. Imagine the number of people organisations currently send marketing emails to because they forgot to untick the box; now compare that to how many people in future would actively choose to be sent weekly offers, and you can start to see the scale of impact that GDPR will have.

A post-GDPR company, unless it is a data services company, should wherever possible adopt a data minimisation approach. If data isn’t their thing, then companies should stop gathering it wherever they can. They should take a critical look at every data field they capture and ensure that they can objectively justify it. If the reasons why a data item is necessary aren’t clearly justified, then companies should stop capturing it and make plans to remove the existing data from their processing systems. They should also consider whether they need the data itself or just the outcome – for example, do they need to know someone’s date of birth, or just that they meet certain age criteria?
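One way to put that field-by-field audit and the “outcome, not the data” idea into practice, as an added Python example that is not part of this post (the field names, their stated purposes, the age threshold and the sample record are all assumptions):

```python
from datetime import date

# Constructed example: every retained field carries an objectively stated
# purpose. Anything not listed is dropped at intake, so it never reaches a
# processing system and never has to be purged from one later.
RETAINED_FIELDS = {
    "email": "deliver the order confirmation (performance of contract)",
    "postcode": "calculate delivery cost (performance of contract)",
}

AGE_THRESHOLD = 18  # assumed criterion; only the outcome is ever stored

# Constructed intake record, as a sign-up form might submit it.
RECORD = {
    "email": "alice@example.test",
    "postcode": "AB1 2CD",
    "date_of_birth": "2000-02-29",
    "gender": "F",                     # no stated purpose: dropped
    "marketing_opt_in": True,          # pre-ticked box: not valid consent
}


def meets_age_criteria(dob_iso, as_of_iso=None):
    """Evaluate the age criterion once, at intake, from an ISO-8601 date."""
    dob = date.fromisoformat(dob_iso)
    as_of = date.fromisoformat(as_of_iso) if as_of_iso else date.today()
    # Subtract a year if this year's birthday has not yet happened; comparing
    # (month, day) tuples also gets a 29 February birthday right.
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return age >= AGE_THRESHOLD


def minimise(raw, as_of_iso=None):
    """Return (record to store, raw fields not stored verbatim).

    The second value makes intake forms that keep asking for unjustified
    data visible to whoever reviews the audit.
    """
    kept = {name: raw[name] for name in RETAINED_FIELDS if name in raw}
    if "date_of_birth" in raw:
        kept["meets_age_criteria"] = meets_age_criteria(raw["date_of_birth"], as_of_iso)
    dropped = sorted(set(raw) - set(RETAINED_FIELDS))
    return kept, dropped


if __name__ == "__main__":
    stored, discarded = minimise(RECORD, "2018-05-25")
    print("stored:", stored)
    print("not stored verbatim:", discarded)
```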

With data minimisation becoming more prevalent, opportunities for companies to provide data services to others become a much more valuable proposition, though adequate trust frameworks need to exist. There are two approaches to providing these services. Companies such as Mydex and Digidentity provide a great model of privacy by design, where only the data subject themselves has access to their data in unencrypted form. These companies hold data on behalf of the individual and develop services that allow them to use it as a means of monetisation – paid for either by the user or by the organisations they choose to interact with. Consent in this model becomes absolute, as the company itself doesn’t define the processing or sharing of the data – the power is entirely in the hands of the data subject. There are also opportunities for blockchain solutions that orchestrate connections to storage in database sharding architectures.

The other approach is for companies to become banks for user data. In this model the individual is still in control of their data, though the data service company is able to monetise the user’s data by aggregating it – much as a traditional bank aggregates the deposits of its customers to invest or lend to other customers. The development of services useful to the data subject is the catalyst for them to deposit more data: where a bank offers more interest for more money, the data bank offers more services for more data.

GDPR undoubtedly puts the data subject in greater control of their own data, with consent as the core principle. There are also new and strengthened rights for the data subject, with the obligation to act upon those rights falling on the data controller or processor. Whilst certain derogations are made for micro, small and medium enterprises, the fundamental regulations apply universally. There are some great summaries of the regulation which every organisation should take the time to read and understand. Unless you’re going to invest the time to read and understand the regulation and impact-assess your organisation against it, then when it comes to being the controller or processor of personal data, my approach would be to say to your customer “you don’t need to tell me”.


About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has nearly 20 years’ experience working with some of the United Kingdom’s leading brands and largest organisations.