Outcomes matter more than principles
Interestingly, the ICO acknowledged the emerging view that current data protection principles are no longer adequate to deal with the big data world. “The GDPR continues the existing human rights-based approach, which puts constraints on how data owners can process an individual’s personal data,” Fulford argues. “However, the ICO recognizes that ‘how’ data is used is not necessarily the problem any longer, but that it is the outcome that matters.”
On the positive side, the GDPR introduces new accountability and transparency requirements, which may be more appropriate in a big data world. For example, there is specific reference to profiling in relation to automated decisions and direct marketing. These new and enhanced obligations, and the higher fines if companies get it wrong, mean that there is a real incentive to invest in getting this right and increasing customer trust, even if total clarity remains elusive, Fulford concludes.
Transparency elusive in complex, connected living
The new complexities of connected living and business, and the corresponding lack of transparency enshrined in the GDPR, are also alluded to by Alexander Hazell, Head of UK Legal at Acxiom. “While the consent language in the General Data Protection Regulation is more restrictive than in the Data Protection Act it replaces, there is another ground called ‘legitimate interests’.
“This allows companies to use the data if their legitimate interests are not ‘outweighed’ by the rights and legitimate interests of the individuals concerned. A level of awareness is still required, as that is part of fairness, but individuals are not required to opt in. It’s a new balancing test that encourages companies to develop an ethical framework, as privacy-enhancing measures such as encoding someone’s name in the data set can help cement the legitimate interests ground.”
GDPR to increase digital trust
Nick Gibbons, Cybersecurity Expert and Partner at insurance law and risk firm BLM, points out that an ever-growing amount of data is tied to individuals, which will accelerate as the IoT grows. “By 2020, it is expected that for every person on the planet, there will be 40 devices connected to the internet – an overwhelming trove of data linking person to product or service.”
Responsibility for data protection ultimately falls to the companies gathering and storing it, and the GDPR is an opportunity for companies, he says. “GDPR is an attempt to standardize data handling across the EU and give citizens back control of their own information. Compliance is an opportunity for organizations to build consumer trust by improving the stringency of internal data protection policies.”
Right to be ‘forgotten’
Certainly a key driver for the GDPR is the huge increase in the collection and sharing of personal data on a global basis, driven by advances in technology and the IoT. Everyday devices can collect large amounts of potentially sensitive personal data relating to a person’s lifestyle, habits, health, interests and family, and this can be used to create a user profile.
To counter this, the GDPR has strengthened an individual’s right to know more about how businesses collect and use data, explains Kolvin Stone, Partner at law firm Orrick and co-chair of the firm’s Cybersecurity and Data Privacy Group. “GDPR ensures that individuals have control over their personal data, with rights of access and erasure (also known as the right to be forgotten).”
Awareness of connected data opaque
GDPR goes further than previous regulations in addressing the need for rigorous privacy standards, though Ross Woodham, Director Legal Affairs and Privacy at Cogeco Peer 1, concurs that awareness of privacy issues remains behind the pace of technological developments. “The reality is that the only real control an individual has is whether to share their data or not.”
IoT has led to an explosion in the volume of data that forms an individual’s ‘digital footprint’. Theoretically, the GDPR will protect against the misuse of this information and enable individuals to access this information and the derived data. This, however, assumes they are aware the data exists. “In reality, oversight and jurisdiction are going to be very challenging and highly dependent on the transparency of private companies,” argues Woodham.
More integrated data management
Adherence to GDPR will also call for more integrated data management across companies, points out Richard Stiennon, Chief Strategy Officer at Blancco Technology Group. “I believe that the GDPR will force businesses to take data privacy much more seriously and stop compartmentalizing data management and customer experience into separate categories.”
Once the GDPR comes into play, businesses will need to change their way of thinking about data management across the entire life cycle, so that this kind of compartmentalization doesn’t keep happening. “Enterprises need to proactively plan for the secure removal of data at the same time as they are collecting, storing and analyzing data,” explains Stiennon.
Whatever the deficits of the GDPR, it is the most rigorous data privacy law to emerge yet, and compliance provides the opportunity to improve business practice and increase customer trust. Alvarez and Marsal’s Managing Director, Phil Beckett, says: “Complacency is no longer an excuse for firms. They need to know what they’re doing with consumer data, or face the consequences.”