Just a month away from the enforcement deadline, how will GDPR (General Data Protection Regulation) begin to affect the lives of private EU citizens?
When does GDPR take effect?
GDPR takes effect on the 25th of May 2018.
Will it really protect your data?
How will it affect businesses processing your data?
Does the legislation truly give us a solid legal framework for cyber-citizenship, in the developing digital economy?
These are all important questions to ask when considering our self-sovereign identity and right to atomic ownership.
GDPR in a nutshell
GDPR is an update of data protection regulations that were created in 1995.
The General Data Protection Regulation, first proposed in early 2012, was born out of a broad array of complex amendments.
It was aimed at keeping track of how businesses handle personal data, as a much-needed upgrade to the Data Protection Directive of 1995.
It doesn’t just apply locally but to all businesses doing business in the EU.
The legislation places strict control over the transport of data abroad unless the destination country has guidelines “in alignment with strict standards of GDPR”.
GDPR — What is personal data, and how does this legislation affect you?
The computing world has undergone huge amounts of change since 1995, and the ability to collect, analyse, and manipulate data has exploded.
GDPR requires organisations to take management of personal information seriously.
For the first time, data now has a liability dimension. In the past, the general attitude of all engineering and marketing organisations was collect as much data as you can, and keep it forever.
Not that they had a good reason for retaining it, it was for ‘just in case’ we need it.
Now there is a liability to collecting data, so an organisation must rationalise why they are collecting it?
Is it really needed to conduct business?
Collect only what you really need, and keep it only as long as defined.
Permission to use this data must be granted on a per use basis. So, if an organisation has consent to use data for test A, they cannot use it for test B unless explicit permission is granted.
GDPR can be regarded as either a carrot to encourage organisations to be transparent with how they are processing/using data, and through this increase the level of trust and engagement of an organisation’s’ employees and customers.
Or it can be looked at as a hammer to whack organisations that show blatant disregard for the care and security of data.
This legislation is an attempt to level the table in who actually owns the data that is being fed into big data, AI, and deep learning. It defines three parties: the data subject, the data controller and the data processor.
GDPR — What you need to know
GDPR codifies 8 fundamental rights with respect to the data subject. These are:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
A Data Controller is any organisation that collects and holds data from the data subject. All organisations (government, non-profits, businesses, universities, etc.) are subject to GDPR. The only bodies explicitly excluded from GDPR are Foreign Services, Intelligence Services, and Police Services.
What does GDPR mean for you as an employee?
GDPR applies not only to customers but also employees.
It means that the individual now has the legal right to force organisations to share all the information that has been collected about them, require that the information be correct and accurate, and require timely correction where inaccuracies are identified.
It means that organisations that are cavalier about how they engage and interact with their customers and employees (and ex-employees) should be very concerned.
Organisations could be crippled by Subject Data Access Requests (SDARs) if a coordinated campaign was launched against them, likewise, an organisation found in disregard for the regulation could be subject to fines up to 20M Euros or 4% of Gross Global Revenue, whichever is larger.
What does GDPR mean for small businesses?
From an inward perspective, to meet GDPR means that small businesses will need to understand their own business processes better.
Most of what needs to be done to meet GDPR is the creation and maintenance of sound processes.
From a product perspective, to meet GDPR means establishing data protection and privacy by design within your product development organisation.
It means, establishing transparency about what data you are asking for, and what you are going to do with it.
It should be looked at as an opportunity to strengthen the engagement and relationship with their customers.
The implementation of such a broad and yet intricate set of rules has potential to be economically detrimental to the growth of businesses shouldering compliance costs and logistics.
There has been a lot of controversies because compliance costs were estimated to cost upwards of multiple 6 figures for private companies, according to a group of studies done in 2017.
This includes the appointment of a data protection officer which means companies will be asked to shoulder more administrative responsibilities with little to no government incentives to do so.
Not only is the cost a problem but the demand for data privacy experts will be insurmountable under the existing structure of the legislation.
Businesses will be audited to minimise their data on customers which could be a major economic setback for things like targeted marketing and product development.
Anyone who has ever worked with a voluntary focus group knows this all to well.
The consequences of compliance could harm international trade if not properly implemented. It made its way through European parliament by May 2016 to be enforced at the end of May 2018.
It is a great idea to make people the gatekeepers of their own information.
Restricting data utilisation to only a few concentrated data aggregators has marginalised economic opportunities for most to maximise the profitability of a few.
It’s obvious that this model is unsustainable.
There has to be a better way to do it in the long run though. Software, alongside legislation, will provide unique opportunities and stable logistical architecture.
With the help of products and software from companies like The Pillar Project, autonomy for citizens and optimisation of business resources may be able to coexist in a much more plausible way.
This is why the Pillar Project is deeply committed to building strong relationships with regulatory bodies and associations across the globe. Learn more about our mission to build your personal data locker.