With less than a month left until the General Data Protection Regulation (GDPR) takes effect in Europe, the Pillar Project’s in-house GDPR specialist, Michael Shea, examines how the new law will begin to affect the lives of private EU citizens.
Ahead of GDPR D-Day on Friday, 25th May 2018, there are a number of critical concerns we need to address such as: Will it really protect your data? How will it affect businesses processing your data? Does the legislation truly give us a solid legal framework for cyber-citizenship in the developing digital economy?
These are all important questions to ask when considering our self-sovereign identity and right to atomic ownership.
GDPR in a nutshell
An update of data protection regulations that were created in 1995, GDPR was born out of a broad array of complex amendments.
Aimed at keeping track of how businesses handle personal data, the idea was first mooted in early 2012 as a much-needed upgrade to the Data Protection Directive of 1995.
GDPR doesn’t just apply locally but to all companies doing business in the EU. The legislation places strict control over the transport of data abroad unless the destination country has guidelines “in alignment with strict standards of GDPR”.
What is personal data, and how does this legislation affect you?
Technology is continuing to rapidly change the way we live, work and learn. Since 1995, the computing world has undergone huge amounts of change, most notably the ability to collect, analyse, and manipulate data has exploded.
GDPR now requires organisations to take management of personal information seriously and, for the first time, data now has a liability dimension. In the past, the general attitude of engineering and marketing organisations was ‘collect as much data as you can, and keep it forever’. Companies may not even have had a good reason for retaining it, it was more a ‘just in case’ way of thinking.
Now there is a liability to collecting data, and organisations must rationalise why they are collecting it. Is it really needed to conduct business? The principle is clear – collect only what you really need, and keep it only as long as defined. The legislation states that permission to use this data must be granted on a per use basis. So, if an organisation has consent to use data for test A, they cannot use it for test B, unless explicit permission is granted.
GDPR can be regarded as a proverbial carrot to encourage organisations to be transparent with how they are processing or using data, with which they can increase the level of trust and engagement of an organisation’s employees and customers. Alternatively, it can be looked at as a hammer to whack organisations that show blatant disregard for the care and security of data.
This legislation is an attempt to level the playing field, addressing who actually owns the data that is being fed into big data, AI, and deep learning. Essentially it defines three parties: the data subject, the data controller, and the data processor.
Know your rights
GDPR codifies eight fundamental rights with respect to the data subject.
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
The Data Controller is any organisation that collects and holds data from the data subject. All organisations (government, non-profits, businesses, universities, etc.) are subject to GDPR. The only bodies explicitly excluded from GDPR are Foreign Services, Intelligence Services, and Police Services.
The Data Processor is any organization that provides services that utilize the personal information of the data subject on behalf of the data controller. The data processor must also ensure that they comply with all the articles of the GDPR.
What does GDPR mean for you as an employee?
GDPR applies not only to customers but also employees. Under the new regulation, the individual has the legal right to force organisations to share all the information that has been collected about them, require that the information be correct and accurate, and expect timely correction where inaccuracies are identified. This means that organisations that are cavalier about how they engage and interact with their customers and employees (and ex-employees) should be very concerned.
Organisations could be crippled by Subject Data Access Requests (SDARs) if a coordinated campaign was launched against them. Likewise, an organisation found in disregard for the regulation could be subject to fines of up to €20 million or 4% of Gross Global Revenue, whichever is larger.
What does GDPR mean for small businesses?
From an inward perspective, complying with GDPR means that small businesses will need to understand their own business processes better. Most of what needs to be done to meet GDPR is the creation and maintenance of sound processes.
From a product perspective, complying with GDPR requires establishing data protection and privacy by design within your product development organisation. This means establishing transparency about what data you are asking for, and what you are going to do with it. Small businesses should look at this as an opportunity to strengthen their engagement and relationship with their customers. However, the implementation of such a broad and yet intricate set of rules does have the potential to be economically detrimental to the growth of businesses shouldering compliance costs and logistics.
There has been a lot of controversies surrounding compliance costs, with upwards of multiple six figures for private companies, according to a group of studies done in 2017. This includes the appointment of a data protection officer which means companies will be asked to shoulder more administrative responsibilities with little to no government incentives to do so. Not only is the cost a problem, but the demand for data privacy experts will be insurmountable under the existing structure of the legislation.
Businesses will be audited to minimise their data on customers which could result in a major economic setback for things like targeted marketing and product development. Anyone who has ever worked with a voluntary focus group knows this all too well. The consequences of compliance could also harm international trade if not properly implemented.
Making people gatekeepers of their own information
Restricting data utilisation to only a few concentrated data aggregators has marginalised economic opportunities for most, to maximise the profitability of a few.
It’s obvious that this model is unsustainable and there has to be a better way to do it in the long run. Software, alongside legislation, will provide unique opportunities and stable logistical architecture.