D2 Legal Technology: GDPR – Risk, Restriction or Business Enabler?
The prohibitive fines associated with the EU General Data Protection Regulation (GDPR) are creating a stir, according to D2 Legal Technology. However, despite the high level of potential liability stemming from it, this is an immensely pragmatic regulation that is focused on both safeguarding the rights of the individual to control their personal data, and enabling organisations to utilise that data in a secure and lawful way.
Critically, by encouraging organisations to move away from the restrictive anonymised data model toward the newly introduced concept of pseudonymised data, GDPR provides organisations with a real opportunity to better understand their data and its value. D2 Legal Technology founder and managing partner Akber Datoo, and COO Peter Newton, explain why it is time to change GDPR thinking.
Almost every headline associated with the forthcoming GDPR focuses on the punitive fines that potentially could be applied once the regulation comes into force in May 2018. And there is no doubt that figures of up to 4% of annual turnover or 20 million Euro focus the mind. But let’s take a step back: The GDPR is actually one of the most universally agreed and pragmatic regulations devised in recent years. It recognises today’s data driven economy and adopts an extremely practical approach to balancing individual concerns regarding personal data with lawfully unlocking the value organisations can derive from that information.
The underpinning objective of the regulation clearly has commercial interests in mind: enabling individuals to better control their personal data will allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefitting from reinforced consumer trust. So why the universal melt down?
The data protection principles of the GDPR have not changed from previous legislation; in fact, the new regulation enhances them. And, to address the over-reaction specifically, high fines are likely to be given to businesses unable to prove data accountability and responsibility. A recent statement from the Information Commissioner’s Office (ICO) says: “If an organisation is put under scrutiny they will need to demonstrate that the failure was a one off or stemmed from a risk that would be considered unforeseen rather than a consequence of a systemic fault”. There is an implicit acceptance that breaches will occur at a certain point, and if a business can provide demonstrable proof of intent to follow the principles / comply with the GDPR, this will be a significant mitigation against massive fines in the event of a breach.
One of the biggest changes is the implicit requirement within GDPR to move away from anonymised data. It relaxes the definition of irreversibility, and links it to the state of technology at the time. The GDPR instead encourages the use of pseudonymised data. Essentially a security technique that splits, stores and processes key identifiers separately and controls access to safeguard the data, pseudonymisation minimises the harm to the individual in the case of a breach, and also allows organisations the potential to link data sets and re-identify for legitimate use.
For organisations, this step away from anonymising data is incredibly significant. The fact is that although anonymised data does not fall under data protection legislation, doing so significantly reduces its value. Why retain any data if its inherent value is inaccessible because it has been anonymised? Data held about individuals that is required for Know Your Customer (KYC) or marketing – from website hits to email addresses or credit risk reports – could also be useful in other contexts, such as, for example, Anti Money Laundering (AML) compliance. Indeed, the value of most data held by an organisation is inherently linked to the extent to which it can be shared. Anonymising this data undermines both its business use and, potentially, other compliance activity.
By introducing the concept of pseudonymised data, GDPR is actually encouraging organisations to manage data properly, to ensure the individual pieces of data related to an individual are stored and processed separately. For example, an email address stored within a marketing database is retained in a separate location to a credit risk report, so that should a hacker access one database, it is only one portion of an individual’s data that is compromised, minimising the harm to the individual and as a consequence the risk to the organisation in a breach scenario.
By pseudonymising the data in this way, organisations can also bring individual characteristics together as required – such as KYC or due diligence – but limit the breadth of information that is accessible by, for example, marketing. Taking this approach both safeguards individual data and enables an organisation to explore that information for legitimate business use.
The process of achieving this degree of separation is fairly straightforward from a technical perspective, and is a constituent part of Privacy by Design and Privacy by Default, both mandatory under the GDPR. The challenge – and opportunity – for organisations is to undertake a complete and robust assessment of existing data resources. What data is held by the company? Where is it located? Who has access? What is it being used for? What consent has been given for its use? It is only once this extensive data map has been created that organisations can begin to determine the way forward.
The process of creating this data map is fundamental to understanding an organisation’s current resources of personal information – something that many, especially those within the financial sector, risk underestimating. From shareholder information to contact information held within legal contract data, trade reporting, information about charitable donors or insurance case records, every organisation collects – and therefore must safeguard – some degree of personal data.
This data mapping process is essential for GDPR compliance but also provides a significant operational benefit. Once a business understands its data resources, it has the chance to determine just how much of this information has value and the source of that value. A significant proportion of data retained by organisations has no value – it has been kept simply on a ‘just in case’ basis, often without being subject to any legal retention requirements. This GDPR compliance exercise provides an excellent opportunity to rationalise data retention strategies and minimise data volumes, reducing data costs.
Data is without doubt the currency that now underpins the digital economy. But its value is intrinsically linked to excellent governance and an accurate understanding of its purpose and value to the organisation. GDPR is being implemented in reaction to a changing data world and while the fines are attention grabbing, it is the immense practicality of this regulation that organisations should be actively embracing as an opportunity to better understand their data.