The General Data Protection Regulation (GDPR) is designed to govern how organizations manage the personal information of European Union (EU) citizens. Any company that conducts business in Europe or stores data belonging to EU citizens is impacted, no matter where it is based.
Organizations that fail to comply by the time the regulation takes effect in May 2018 could face heavy fines of up to 4 percent of turnover. While some organizations will inevitably fail to take the law seriously, security leaders who embrace the GDPR for its potential to drive innovation will emerge as champions in this new era of privacy.
A New Era of Data Privacy
In simple terms, the GDPR could be viewed as the evolution of current European privacy laws. In reality, it is much more than that. For my money, the GDPR is the greatest catalyst for innovation that we have seen in years.
While it is often misinterpreted as yet another indulgence of Europe’s obsession with privacy, the GDPR is founded on the simple principle of handing control of personal information back to consumers. The law will also regulate how suppliers (e.g., banks, insurers, utility companies, social networks, airlines, etc.) use EU citizens’ personal data.
The GDPR gives consumers the right to know when their data has been breached, to move their data to a different provider and to be “forgotten” entirely. In short, the regulation puts consumers back in control of their data and forces all suppliers to take a privacy-by-design approach to their customer interactions. It’s the consumerization of identity management.
Winners and Losers
Both winners and losers will emerge from this GDPR privacy Armageddon. The losers will be the companies that don’t take the law seriously and react by patching their current security architecture with minimal safeguards, such as data encryption.
Smart companies will leverage the GDPR to rethink their end-to-end data protection strategies and put clients back in control with self-service consent management capabilities. Organizations that do this will gain a huge advantage over their competitors in the next few years.
A GDPR Reference Architecture
The GDPR requires enterprises to implement a two-pillar architecture. The first pillar, Control, consists of a set of data protection controls designed to minimize the risk of a data breach. This set of controls typically falls under the chief information security officer’s (CISO) responsibilities.
The second pillar, labeled Rights, consists of a consumer identity and access management (CIAM) layer that gives EU citizens access to all their data and the ability to exercise their rights. This is what consumers see, regardless of what their suppliers do behind the scenes. For many business leaders, addressing the GDPR from a business point of view is what matters most. For this reason, this layer is typically tied to a business function such as marketing or sales.
The European Union’s (EU’s) General Data Protection Regulation (GDPR), intended to strengthen and unify the personal data protection laws of EU member states, will replace Data Protection Directive 95/46/EC on May 25, 2018.
This new mandate requires all organizations worldwide doing business with EU customers to assess their information strategy, technology, processes, and staff against GDPR rules regarding personal data, and implement changes to comply. According to the GDPR, personal data is defined as any information relating to an identified or identifiable natural person.
Are GDPR Criticisms Justified?
Since the GDPR was originally proposed by the European Commission in 2012, criticisms of the new regulation have been far-ranging. The challenges cited include: the potential to slow down the development and use of artificial intelligence (AI) in Europe; impediments to medical research; and threats to new jobs and increases in consumer prices.
Despite the potential impacts and challenges it poses, the GDPR can be an incentive to innovate in order to achieve compliance without sacrificing revenue goals. The cost of non-compliance is illustrated by the Wells Fargo Bank case, in which employees abandoned ethical standards for a short-term increase in profits and the promise of job promotions; the consequences included financial and emotional harm to customers, loss of customer trust, immense fines, and irreparable harm to the corporate brand.
Five Considerations for Stimulating Innovation
The five considerations outlined below provide guidance in complying with the GDPR, and also represent potential opportunities for stimulating innovation:
- Thought process – Fuel innovation through new perspectives and approaches to solving problems; in the best case, this leads to new paradigms. “Privacy by design” is an information strategy that incorporates data privacy into systems and processes at the time they are developed or revised. This approach, which the GDPR mandates for new projects, requires investing in data privacy “up front”. The belief is that such an investment pays off overall through customer loyalty and avoids the costs of penalties and of reworking systems and processes to retrofit future personal data privacy rules. It also provides the opportunity to “design in” the flexibility needed to accommodate future clarifications of and changes to the GDPR.
- Identify scope of data relevant to GDPR – Data-driven innovation requires a clear understanding of the data to be collected and the reasons for collecting it. Personal data governed for compliance with the GDPR is no different from any other data. As a first step to GDPR compliance, organizations must define the scope of GDPR-relevant personal data that is, or will be, collected or derived, processed, and shared. Once a company identifies the scope of GDPR-relevant personal data, it should catalog all data sources that fall within this scope, including departmental systems and other internal and external sources.
The criticism that GDPR compliance might restrict innovations in AI is unsubstantiated and grossly ignores a subject’s right to privacy and consent. An individual who is denied an insurance policy based on the application of AI algorithms to personal data without the individual’s consent deserves an explanation for the denial.
- Prioritize metadata management – Metadata helps organizations define the scope of their data by providing visibility into it, illuminating the who, what, where, why, and how of the data. For example, metadata can answer the following questions:
  - Who is using this data?
  - What is the security level or privacy level of this data?
  - Are there regional privacy or security policies that regulate this data?
  - What is its usage and purpose?
Applying good metadata management practices contributes to data-use auditability and GDPR compliance.
- Exploit data virtualization – Achieving a holistic view of the data is challenging, given that the data ecosystem is fragmented across diverse data sources. Data virtualization establishes a layer of abstraction between data consumers and data sources, making it possible to leave all source data exactly where it is and to establish a virtual view for accessing it. It supports a data minimization strategy by removing the need to consolidate all the data in one place. It facilitates privacy by design in new systems, which is a key requirement for GDPR compliance. It also supports data cataloging as well as search and discovery of both data and metadata. Finally, it gives organizations a mechanism to audit centrally and to trace the lineage of sensitive data while also tracking consumers’ retrieval of that data.
- Align Privacy and Security Teams – Some critics regard the new role of data protection officer (DPO) as “overhead”, and voice concern that filling DPO positions would crowd out more productive jobs that could contribute to product innovation. On the contrary, the mandated DPO role gives organizations a value-added opportunity to better align data privacy and data security in the common pursuit of protecting personal data through the “privacy by design” principle. Leveraging the DPO role as a catalyst to foster collaboration between an enterprise’s privacy and security teams and other business owners (e.g., marketing) facilitates a clear understanding of business goals such as improving customer engagement and experience. Such collaboration instills a culture of privacy throughout an organization and elevates the DPO role to a level that exceeds the demands of simply protecting personal data.
Today, it is imperative for enterprises to protect the privacy of consumers by securing their personal data, which is being collected in vast amounts from devices and sensors. Although GDPR may pose challenges, it provides opportunities for improving customer trust and fueling innovation reliably and responsibly.