Challenge: Bring the General Data Protection Regulation to Life

Posted on: September 3, 2015

Promising to change the way European businesses secure their data, the General Data Protection Regulation (GDPR) will represent an important step in placing the power back in the hands of consumers. Providing a harmonized data protection framework across Europe, it will make it easier for organisations to understand and meet their obligations in respect of storing, managing and using personal information. GDPR aims to reflect consumers’ right to privacy, to better mirror globalisation and the latest technology trends, and to impose sanctions where necessary to achieve compliance.

And with organisations now facing a seemingly never-ending threat of cyber-attacks – the Carphone Warehouse being the most recent victim, losing some 2.4m customer records – putting in place measures to ensure the safety of customer data has never been more crucial.

But will it work?

The honest answer, of course, is that only time will tell. At the moment the GDPR is expected to be passed by the end of 2015, but dates for achieving this have come and gone in the past. And even if it were to pass this year, there is still an intended two-year transition period for organisations to come into line with the new regulations, allowing organisations time to put in place the tools, techniques and processes needed to comply.

The draft regulation is expected to contain a number of rights that from the outset will cause serious headaches for CIOs. Organisations can expect issues in fulfilling many of the GDPR’s requirements – namely the right to be forgotten and the right of consumers to see what data a business holds on them.

The former is based on the landmark ruling in which a Spanish citizen successfully challenged Google to remove details of his previous home repossession on the grounds that they had been fully resolved for a number of years (and were therefore no longer relevant). The right to be forgotten has significant implications for businesses.

As an organisation, ask yourself: do you know the full extent of the data you hold on a particular individual? Can you be confident you know exactly where that data is? Can you be certain you can erase it all and, moreover, provide proof that it has all been erased?

The principle of Privacy by Design will also raise some eyebrows. Will organisations be able to demonstrate that GDPR’s principles have been the default position in every new systems project? How well are you monitoring your organisation’s data? How soon after a breach will you be aware of it and how would you go about informing the regulator in a way that was consistent with your management of the incident itself?

One of the biggest unknowns is what the emergence of GDPR will mean for consumer understanding of data privacy. Can we expect high-profile cases to awaken consumers to the privacy debate, encouraging them to ask more questions about the safeguarding of their data? The extent to which this will happen is up for debate, but it’s likely to generate interest in the subject and result in some potentially awkward questions for some organisations.

But what does this added citizen control mean for the value of data? Will consumers’ bargaining power start to rise and will we see an increase in ethical data use? Find out in my next post…
