GDPR: The Data Subject Perspective
I always find it good to get a different perspective on a topic that I am immersed in. For over 12 months, large portions of my working hours have been spent discussing the GDPR: Implications for data management; Implementation strategies for compliance; and of course, the long-term value the GDPR can deliver if used to bring improvements in data governance and data management throughout an organization.
Being invited to sit on a panel discussion at CPDP 2018 provided me with such an opportunity. I’ll start with an introduction, as the conference is far removed from my usual circles of conference attendance. CPDP is an annual conference on Computers, Privacy and Data Protection. It is in its 11th year and from what I understand growing quickly. There are no keynote sessions, just panel discussions representing the views of academics, regulators, lawyers, data privacy advocates and business. An excellent place to gain an insight into several different viewpoints. As it turns out, both the size of the conference and the discussion on site re-enforced my thoughts I laid out in my last blog – organizations should not underestimate the passion and protectiveness individual data subjects feel about their data. The GDPR has been written based on a strong demand from individual data subjects and organised data privacy advocates alike.
My next two blogs serve as a summary on the panel sessions I found most interesting and thought provoking.
This is the panel I was asked to speak on, representing the business viewpoint – why organizations want to track individuals, and the value analytics based on personal data can deliver to both organizations and individual data subjects. I was joined on stage by: Daniel Le Métayer, Research Director, INRIA (Chair); Gloria González Fuster, Research Professor in Law, VUB (Moderator); Anna Fielder, Trans Atlantic Consumer Dialogue; Mathieu Cunche, INSA Lyon; and Jules Polonetsky, Future of Privacy Forum.
Mathieu opened the discussion with an insight into the mechanisms for tracking people via wifi and bluetooth. I gave the viewpoint from data management, and the value that personal data (of which physical tracking data is a subset) can deliver to both organizations and data subjects. Gloria and Jules both looked at data gathering and use from a consumer perspective. In the context of physical tracking, there was a focus on how to inform people they are being tracked in a public space.
Whilst there was no conclusion to the discussion, some interesting points came up:
- Wifi and bluetooth were designed as communication methods, not tracking methods – so have no concept of privacy.
- There are methods (e.g. Future of Privacy Forum code of conduct) for organizations to sign up to self-regulation for use of physical tracking data.
- Few areas who do physical tracking inform people of this tracking, and on-site signage may not be enough to give informed choice to individuals due to time pressure.
My key takeaway was from the first bullet point: technologies are being used for purposes which the designer of that technology had not envisioned. In some cases, (like the way mobile phones look for wifi networks) this can compromise data privacy. I see parallels here to the data world. For example, a sales order (or till receipt) was designed to gather data to complete a transaction (items ordered, shipping address, payment means, etc). However, once this data is in an organization it can facilitate all sorts of analysis: Personal preferences, profiling of neighbourhoods, market basket analysis, etc. In both cases, as our digital world evolves rapidly, there will be new communication methods and interactions that produce data points which enable us to identify and analyse individual data subjects.
GDPR implication: Designing a compliance solution based solely on today’s data and technological environment is not advised. GDPR compliance activities and technologies must be able to adapt to an unknown future of rapidly changing and evolving data gathering and analysis methods.
Article 25 – Data Protection by Design and by Default
This was a lively discussion, but did not result in a definition of what privacy by default, or privacy by design entailed. My interpretation is that there are differing views as to what these concepts are – and there was no official guidance on how to implement Article 25, beyond the law as it is written. However, an interesting question was raised:
Why are we prepared to bargain with our privacy, but not our other human rights?
The answer is complicated. As other panelists pointed out, we do bargain with our other human rights: NDAs and employment contracts limit our freedoms of speech and movement to some extent. However, we are happy to limit these freedoms should we see value in the agreements. The discussion that followed highlighted a key point: the value of the data means that stakes are high. Organizations are understanding how much value can be driven by intelligent use of data. My opinion is that many individuals have sold themselves short in negotiations around use of personal data. This is because individual data subjects have had limited knowledge, power or influence at a negotiating table that doesn’t really exist – unlike the agreement process for other contracts in which both parties are normally well informed.
GDPR implication: The key is intelligent use of data. Personal data which is not managed correctly will have less impact on an organization’s bottom line, and will become a burden under GDPR. Organizations should review their data collection mechanisms and consider data minimisation, and data masking technology to implement privacy by default and design. This panel again showed the passion behind individual’s desire to have control over their data. Organizations should also be prepared to engage with data subjects as they exercise their rights to privacy given by GDPR.
Attending the conference gave me a huge insight into another view of GDPR – those who have been campaigning for privacy on the behalf of all individuals. These people have a good understanding of the power of data, and hence the need to create an environment of trust and security as more organizations wish to use our data.
Shortly after the conference, I met with a retail customer of ours, who mentioned that they are already getting inquiries from customers about their data and the use of it. These initial inquiries from data subjects should be seen in a positive light. Processes for data subjects’ rights can be tested at low volumes – so that each organization can understand where they will benefit from automation when data privacy discussions expand beyond conferences like CPDP and step into mainstream daily activity. Given the interest in data privacy individual data subjects expressed at the conference, I imagine the requests will ramp up once the GDPR applies.
My second blog on this topic will cover the regulators, legal and academic viewpoints I heard at the CPDP conference.