One of the requirements of GDPR is that, even if a company obtains customer consent to use their personal data, that data cannot be processed or used for any purpose other than the one for which consent was given. If a company wishes to use the data for another purpose, it must state how the data will be processed and for what purpose when obtaining consent. This will help ensure, for example, that if a customer permits Google to use their browsing data to personalize their search results, they won’t subsequently receive an unwanted text from another company using their search history to sell them a product.
The potential implications of this for a data-driven economy that depends on our ability to find new ways to extract value from masses of user information are worth considering.
Analysis of personal data is now critical to everything from smart cities to the Internet of Things (IoT). Many smart products and services, from travel apps generating personalized routes to the use of algorithms and artificial intelligence to predict consumer behavior, depend on the ability to harvest, analyze and share vast amounts of data, some of it now considered personally identifiable under GDPR.
By requiring companies to obtain explicit consent from every data subject, not just for new data but for all data collected in the past, GDPR inherently increases the cost of collecting, storing and processing data. Critically, harnessing rising computing power to extract commercial value from data often depends on the ability of organizations to make their data available to others for analysis.
For example, ‘profiling’ – where algorithms can work out where you like to shop from the route you travel – is one of the main methods of commercializing data. Companies will now have to obtain explicit consent for this profiling to take place if it is to involve any personally identifiable data or the profiling itself could make a subject identifiable.
Overall the regulation will increase the costs and risks of storing personal data, which could mean many businesses simply erase any ‘dark data’ (data of unknown value). With a looming deadline for implementation less than a year away, there is the possibility that companies could delete far more of this than is necessary, dramatically shrinking the data pool that is essential to fueling our digital economy.
Billions of pounds’ worth of valuable information could be lost forever before its economic benefits have been fully realized. Further, companies could become reluctant to make consumer information available to third parties for analysis, shying away from the ability to extract value from data.
To avert this, it is essential that companies look at GDPR not as a huge risk, but as an opportunity to shine a light on the dark data they hold. Businesses must not simply delete data archives en masse, but instead use GDPR as the spur to do a thorough ‘stock-check’ of all their data, so they don’t simply throw out the baby with the bath water. A thorough data audit may reveal potential gems that warrant the effort of obtaining consent to use.
For their part, regulators should take account of the scale of the task involved in compliance and the level of progress to date, recognizing that it may well be in the public interest to show lenience to companies, particularly if they are making a genuine effort to comply.
Achieving full compliance within the required timescale represents a daunting task. In establishing a GDPR Task Force, the (ISC)2 EMEA Advisory Council has worked to accumulate the experience of those of our members who are working on the front line of compliance across Europe, and outside it.
It is clear from their reports that many companies are only just getting to grips with the task. Business units have been slow to understand their role, appreciate the workload and apply the resources needed. The Task Force has worked with these professionals to develop 12 areas of activity and related tasks that serve as a high-level overview of the work required, including who needs to be involved.
We have also learned of particular challenges experienced by businesses with everything from securing consent for historical personal data obtained in a non-digital format to the challenges of managing employees’ downloading of data onto personal laptops and devices.
We have also seen the immense efforts already being undertaken to comply. One participant told us they had 10-20 people dedicated to achieving compliance with GDPR; another, a medium-sized company, estimated 36 full-time equivalents; and none have reported feeling that they had adequate resources.
Further, guidance on many aspects of the legislation is still being issued by governments across the region, which itself demonstrates the enormity of the task of compliance: the Danish government issued a report last month to help firms comply with the law, and it ran to over 1,500 pages.
We would hope that enforcers will acknowledge all of this, despite current reports of regulators now hiring extra trial lawyers and enforcement officers in anticipation of the law coming into force. Unduly harsh action could well set back a data-driven economy in Europe.
GDPR could encourage more responsible management of data, and be an opportunity to help our digital economy move forward. If we are to achieve this, all stakeholders, including regulators, will need to work together to negotiate the still mammoth task ahead.