Disruptive GDPR - A new EU take on data privacy merits attention

Are you aware of the GDPR (General Data Protection Regulation), an EC Regulation intended to strengthen and unify data protection for individuals within the EU, give citizens back the control of their personal data, and also address export of personal data outside the EU? I am beginning to think that this may be a huge disruptive opportunity for new businesses, if the regulations go the way they appear to be going. This was highlighted for me by an old friend Geoff Revill (CEO Krowdthink), who isn’t entirely disinterested, as he is responsible for a new conference in this area: The Privacy Advantage. This conference looks to be well worth attending (I’ll be there, I hope) – ARM is a sponsor, there’s an interesting range of speakers and there’ll be a Q&A session, including the Assistant EU Data Supervisor, the FTC, the ICO, and a leading privacy law practitioner, on the implications of the new GDPR and privacy in general. As I’ve implied here, CIOs and CEOs really do need to be aware of emerging data regulations and their impact on doing business – and the opportunity they represent, for organisations and vendors that can handle privacy better.

As I understand it, GDPR is a regulation that leaves less wriggle room for individual countries (there is still some left) and will likely impact the UK business model even if we stay in the EU. We currently have a rather lax implementation of data protection compared to, say, parts of Germany and we speak English, which makes us – along with Ireland – attractive to companies setting up European offices. After GDPR we will have to harmonise with the stricter European PoVs, and, if we are still in the EU, we’ll have to negotiate a compromise point-of-view on GDPR as it evolves. If we leave the EU, Ireland probably wins the European office business and we may find that we need to comply with every letter of a restrictive view of GDPR in order to trade with Europe.

GDPR seems to both harmonise and tighten up the treatment of personal data and may have a huge impact on Cloud assurance. According to Geoff, most companies are not well set up for processing data which they think of as their own but which actually belongs to someone else (this is the essence of the GDPR issue). Basically, you need to track the provenance of personal data wherever it is processed (do you have permission to anonymise it for testing, for example, and its owner may be able to question you on how well it is anonymised, even if you do; Philip Howard is blogging about this currently). If you have been collecting masses of data you don’t really understand, how do you know if it is personal or not? If it is, its owners, with GDPR, may “own” you, in effect.

It will be very hard to retrofit the required data management and maintenance of provenance information to existing applications – this is potentially much bigger than the Y2k issue was, for example. If you don’t understand your data semantics well and don’t model data currently (including data items that aren’t in relational databases, sometimes mis-named “unstructured data”), tracking data through your systems really is going to be difficult. This could be a major maintenance overhead for current players – providing a real opportunity for disruptive innovators, working from scratch, to succeed in the market.

You can read Geoff’s blogs here. He’s an interesting case study himself, as he felt he had to rebuild his conference website for privacy after privacy advocates noticed that his 3rd party supplied site was riddled with tracking code and cookies, and he said that this was sometimes non-trivial to do. If you are a company which sources 3rd party services which are built on further 3rd party services, which last come with tracking code that tracks the first company’s customers, he says that the first link in the chain is the company responsible for having explicit permission for any such tracking. If, when GDPR is put into effect, “consumers have the right to know who you pass their data to and for what purpose and they can demand their data deletion and portability rights all the way through the foodchain of data processors. Failure to sustain records of such processing agreements can also incur substantial fines” – to quote Geoff – this could be a real killer for firms with large critical legacy systems and no real grasp of data modelling.

The UK Information Commissioner also has a view on GDPR: “The reforms agreed will mean change. Four years of work has created a set of rules that will need adjustments from consumers, businesses and, of course, the regulator. But it’s progress that the EU is moving on from trying to regulate 21st century digital developments with legislation dating from 20 years ago. Most crucially, a new law will remind people of their data protection rights, and remind organisations of their data protection responsibilities. That can only be welcomed.”

This is really going to be a Governance issue – including, but not limited to Data Governance. You certainly do not want to allow your marketing department, say, to orchestrate its own “CRM” systems out of what is available on the Web, without reference to GDPR. Of course, this is government-level regulation and it all depends on how the GDPR is enforced – but I do think that it could be a potential differentiator for new entrants to the market with products that can deal with all the implications of GDPR.