Data Privacy Implications Under GDPR
First of all, what is GDPR? GDPR is the European Union’s General Data Protection Regulation, which supersedes the 1995 Data Privacy Protection guideline. It is the Nuclear Option for the citizenry when its data is being used by non-authorized entities against their explicit wishes. As a consequence, automatic, vague opt-ins checked on the basis of hyperlinks to privacy policies for your personal reading pleasure etc. are no longer good enough.
Aside from explicit consent, data portability, data transmission, the right to be forgotten, explicit scope limitation, accountability and associated fines are the hallmark of the regulation.
The penalty for organizations: a maximum fine of 4% of global revenue or EUR 20 million, whichever is greater. Gulp!
So what does this really mean operationally speaking for anybody storing or processing information deemed “private”?
The following are some thoughts, considerations and implications as I would think about this legislation. Full disclosure: Please do not take this as legal advice as I did not pass the bar exam anywhere on this planet.
In my estimation, this means geographically limited (to the EU) business models like utility services, e.g. landline phone, water, gas, power and so on should now map their inner-EU data flow between entities, use this legislation as a way to assess true need and use of such setup, adapt their opt-in statements and workflow as well as ensure a record-level audit trail is available in a heartbeat if needed.
Moreover, and here it gets really interesting, if the organization is non-EU based but its business model assumes its services and products touch European Union residents, the same provisions must be put in place.
An example of this could be usage and location (meta) data capture when a (rented) vehicle drives across the German/Swiss border. How can an automotive OEM, a supplier, the rental company, the insurance underwriter, the app in the infotainment console, the wireless provider via the onboard SIM card, etc. take commercial advantage of this trip by providing relevant offers (pricing, risk, warranty or other optimizations) without violating GDPR?
After all, the renter may be a Swiss/French employee of a Swiss/German bank (or any combination really). What if the insurance beneficiary is a Norwegian entity and the car is involved in an accident? What if the driver uses an infotainment or smartphone app in the car to check the status of a shipment or make a purchase? Do you have to ask for individual permissions before each of these transactional permutations, or cover all of them in a blanket statement at the start of a customer relationship via general opt-in language?
When consulting the actual text (end of Article 2, page 76), it appears that any data monitoring (processing and storing) outside of the EU, based on a physical product/service launched within the EU and even if utilized by an EU data subject, is possible outside of the GDPR provisions.
Whatever the case may be, does the notification window close a day after a significant change in data usage (international transit) has occurred? Do you account for this possibility in your general disclaimer/explicit opt-in workflow, or only after it occurs? After all, only a small fraction of vehicles crosses this border. How explicit do you want the legalese to be? Do you want to showcase examples of how personal data will be captured, obfuscated and shared, and for what purpose?
If this transaction data is combined with a customer profile, the true value and risk become clear. A 2000 study from Carnegie Mellon indicated that 87% of the US population can be uniquely characterized by the data they provided around zip code, gender and date of birth. Add just one mundane attribute like last name, email address, cell (mobile) phone number, employer name, bank branch address or vehicle license plate and you are at 100%.
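The re-identification point above is easy to measure on your own data. What follows is an added example, not code from the original post: it takes a small set of constructed (fictional) records, groups them by the quasi-identifiers the study names (zip code, gender, date of birth), and reports how many records are unique under that combination and what the k-anonymity of the set is. It then shows what happens when one more attribute (last name) is added, and when zip code and date of birth are generalized instead. Attribute names and the records themselves are assumptions for illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence

Record = Dict[str, str]

# Constructed sample records (fictional people, not real data), using the
# quasi-identifiers named in the Carnegie Mellon study plus one extra attribute.
SAMPLE_RECORDS: List[Record] = [
    {"zip": "10115", "gender": "F", "dob": "1980-04-02", "last_name": "Meier"},
    {"zip": "10115", "gender": "F", "dob": "1980-04-02", "last_name": "Schmidt"},
    {"zip": "10115", "gender": "M", "dob": "1975-11-30", "last_name": "Keller"},
    {"zip": "10178", "gender": "M", "dob": "1975-11-30", "last_name": "Keller"},
    {"zip": "80331", "gender": "F", "dob": "1992-07-19", "last_name": "Huber"},
    {"zip": "80331", "gender": "F", "dob": "1992-07-19", "last_name": "Huber"},
]


def equivalence_classes(records: Sequence[Record], attrs: Sequence[str]) -> Counter:
    """Count how many records share each combination of the given attributes.

    Every record in a class of size 1 is uniquely identified by those attributes.
    """
    return Counter(tuple(r[a] for a in attrs) for r in records)


def uniqueness_rate(records: Sequence[Record], attrs: Sequence[str]) -> float:
    """Fraction of records that are the only member of their equivalence class."""
    classes = equivalence_classes(records, attrs)
    unique = sum(size for size in classes.values() if size == 1)
    return unique / len(records)


def k_anonymity(records: Sequence[Record], attrs: Sequence[str]) -> int:
    """Smallest equivalence class size: k=1 means at least one person is singled out."""
    return min(equivalence_classes(records, attrs).values())


def generalize(records: Sequence[Record]) -> List[Record]:
    """Coarsen the quasi-identifiers: zip code to its first two digits, date of
    birth to the birth year. This is the standard mitigation for a low k."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:2]
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    study_attrs = ["zip", "gender", "dob"]
    print("zip+gender+dob      uniqueness:", uniqueness_rate(SAMPLE_RECORDS, study_attrs),
          "k:", k_anonymity(SAMPLE_RECORDS, study_attrs))
    print("... + last_name     uniqueness:", uniqueness_rate(SAMPLE_RECORDS, study_attrs + ["last_name"]),
          "k:", k_anonymity(SAMPLE_RECORDS, study_attrs + ["last_name"]))
    coarse = generalize(SAMPLE_RECORDS)
    print("generalized         uniqueness:", uniqueness_rate(coarse, study_attrs),
          "k:", k_anonymity(coarse, study_attrs))
```

On the constructed set, zip code, gender and date of birth already single out a third of the records (k = 1); adding last name pushes that to two thirds, while generalizing zip and date of birth brings uniqueness to zero and k to 2. Running uniqueness_rate and k_anonymity over the attribute combinations your applications actually persist is one concrete way to answer the "what truly constitutes sensitive information" question before a regulator does.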
Maybe some of this data comes from third-party commercial data feeds or other internal applications like a mobile service app, your iPhone, a public database, your local gym, a transaction clearing house, etc.
As the operator of the software, or even of a temporarily persisted instance of a flat file, you are now on the hook to show who authorized you to have this data and why, what you did to it, what you intend to do with it and how you ensured its proper security.
What can your average data management software offer in this regard? How about:
- What individual or combination of attributes truly constitutes sensitive, private information? After all, all data has a cost to it.
- Where are these attributes persisted, and who manages them under what privacy guidelines? My organization may or may not have a third-party interest/exposure.
- Are these guidelines in line with GDPR, aka the California Emission Standard equivalent of data protection?
- Who signed off on the business rules governing said data from a corporate and consumer POV, when, and in what language?
- How does this data travel, for what purpose and how does it change along the way under what auspices?
Read more about the implications in my upcoming book “GDPR…the devil is in the details”. No worries, there won’t be a book. The web is full of those already.