This has really been the year of marketing and doomsday predictions for companies that need to follow the new European privacy regulations. Everyone from lawyers to consultants and numerous experts of every breed is talking about what a big problem it will be for companies to follow the new regulations, and the only remedy would be to buy their services. Yet, they give very few details on what those services actually are.
Let's start with the new regulation; not the "what to do" but the "why it is coming." The privacy conscious search engine duckduckgo.com gives the following definition:
Privacy: The state of being free from unsanctioned intrusion: a person's right to privacy.
Who hasn't felt his or her privacy intruded upon by marketing networks and information brokers online? The state of modern business is the practice of tracking people, analyzing their behavior, and seeking to influence their decisions, whether it is how they vote in an election, or what purchasing decisions they make. In the vast majority of cases, this surveillance-based mind control activity occurs without conscious consent from the people being tracked. It seems clear that there is a need to protect the rights to privacy and freedoms of individuals in the age of tech-based surveillance.
This is what the new regulation is about - the purpose is not to make life hard for businesses but to make life safe for individuals, allowing them to make conscious decisions rather than being brainwashed by curated messages in every digital channel.
Still, for businesses, this means that things must change. There may be a need for consultants, but there is also a need for practical tools. The approach to the GDPR that all businesses should follow is:
- Understand why this is necessary.
- Learn to see things from the end-user or customer perspective.
- Learn the key principles of good privacy management.
- Create an overview of what data is being gathered and why.
With these 4 steps in place, it is much easier to sort the good advice from the bad, and the useful from the wasteful.
Most businesses are used to thinking about risk in terms of business impact. What would the consequence to our business be, and how likely is it to happen? That will still be important after May 2018, but this is not the perspective the GDPR takes. If we are going to make decisions about data protection for the sake of protecting privacy, we need to think about the risk the data collection and processing exposes the data subjects to (data subject is GDPR speak for people you store data about).
What consequences could the data subjects see from the processing itself? Are you using it for profiling or some sort of automated decision making? This is the usual "privacy concern" - and rightly so. Ever felt that it is creepy how marketers track your digital movements?
Another perspective we need to take is: what can the consequences of data abuse be for individuals? This can be a data breach like the Equifax and Uber stories we've heard a lot about this fall, or it can be something else, like an insider abusing your data, a hacker changing the data so that automated decisions don't go your way, or the data becoming unavailable and thereby stopping you from using a service or getting access to something. The personal consequences can be financial ruin, a poor reputation, etc.
A key principle in the GDPR is data minimization: you shall only process and store data where you have a good reason and a legal basis for doing so. Practicing data minimization means less data that can be abused, and thereby a lower threat to the freedoms and rights of the persons you process data about. This is perhaps the most important principle of good privacy practice: avoid processing or storing data that can be linked to individuals as far as you can (while still getting your work done).
Surprisingly, many companies have no clue what personal data they are storing and processing, who they share it with, and why they do it. The starting point for achieving good privacy practice, good karma - and even GDPR compliance - is knowing what you have and why.
From Scare-Speak to Tools and Practice
We've had a year of data breaches, and we've had a year of GDPR themed conference talks, often with a focus on potential bankruptcy-inducing fines, the cost of organizational changes and legal burdens. Now is the time for a more practical discussion, going from theory to practice. In doing this, we should all remember:
- There are no GDPR experts: the regulation has not yet come into effect, and both regulatory oversight and practical implementations are still in their infancy.
- The regulation is risk-based: this means the data controllers and processors must take ownership of the risk and governance processes.
- Documenting compliance should be a natural part of performing the thinking and practical work required to safeguard the privacy of customers, users, employees, visitors, and whatever category of people you process data related to.
We need practical guidance documents, and we need tools that make it easier to follow good practice and keep compliance documentation alive. That's what we should be discussing today - not fines and stories about monsters eating non-compliant companies.