Why Life Under GDPR will Encourage Technology Innovation

What makes GDPR such a significant change is that it has been designed to encourage corporate innovation in data privacy – creating opportunities for all of us who develop new technology-based products and services. 

Previous data protection regulations tended to obstruct innovation by directing the attention of data controllers to compliance with particular regulatory requirements, rather than encouraging them to seek out and address non-compliance-related weaknesses, or to think about data privacy issues holistically. This has encouraged a culture of tickbox compliance. 

In contrast, the GDPR draws on developments from other jurisdictions, such as privacy-by-design and privacy impact assessments, as part of a shift to a more reflexive accountability. It has been designed to encourage data controllers to seek out and address non-compliance-related weaknesses, and to think about data privacy issues holistically. Both data controllers and processors have had to adjust from thinking primarily about ‘shallow’ data privacy compliance to addressing ‘systemic’ data privacy impacts and risks. 

Under the previous legislation, for example, it was possible to meet compliance criteria easily, e.g. by addressing the data subject’s right to information by providing specific information to them at a particular point in time. Under the GDPR, however, the ability to demonstrate ongoing, assessable and auditable accountability for data processing becomes the new norm.

While many people see the changes required by the GDPR as onerous legislation, I believe it offers significant opportunities to those of us who are prepared to look beyond the requirements of the regulator and see the wider implications.   

First, the GDPR provides an opportunity for organizations which rely on data to improve their public image. After some initial rumbling and grumbling, most commercial organizations have responded positively to the spotlight it shines on their business and their operating processes.

Undertaking an early GDPR impact assessment to establish the risks, costs and opportunities that the GDPR poses for any given system will allow both service providers and service users to evaluate new cost-effective strategies for achieving and demonstrating compliance to the satisfaction of both data subjects and the ICO.

Second, I believe that the GDPR will incentivize innovation by encouraging industries to develop a robust co-regulatory relationship with regulators and develop new technologies and services while reducing the risk of data protection breaches.

As a result, I expect to see a new breed of systems in all sectors offering a more social-based interactive alternative that will develop into a far more effective solution than those currently touted. By using technologies such as cloud, organizations can meet the new regulations while improving data accessibility and opening up new applications for visual data, such as smart cities.

Of course, technology is continually developing, and the data protection environment must keep pace. The need for the GDPR was driven by technologies which were in their infancy or non-existent when the previous regulations came into force in 1995, such as widespread access to the internet and mobile communications, the rise of e-commerce platforms and social networks, cloud computing, and the development of the Internet of Things.

These innovations have significantly altered both the data protection environment and public perceptions of what constitutes acceptable data processing.

Thus the GDPR is just the first step in what I expect to be a continuing evolution in international data protection law, moving away from the highly formalized and prescriptive approach of the Data Protection Act. It already includes provisions that will impact how data is collated and used in applications that apply AI, analytics, and deep learning techniques to that data.

Just as in 1995 we could not predict today’s technology landscape, we do not know what will become commonplace in even five years’ time. However, by creating a regime which encourages accountability, incentivizes data controller innovation in compliance and actively encourages the involvement of industries in devising appropriate mechanisms to raise standards and increase awareness of good practices, we are putting in place strong foundations on which to build future regulations.

The GDPR also encourages us to consider how technology improvements that address compliance goals could enhance the value of existing products and services. This might include making important data more rapidly accessible, providing validation and authentication, or simply providing accurate timestamping to enable data to be used in future investigations. I expect future regulations to continue to encourage such improvements.

Finally, public perceptions of the way organizations treat their data are at an all-time low. The GDPR provides a welcome opportunity for businesses to tackle this negative image head-on. It is vital that the next generation of regulations address whatever concerns may arise in the future, enabling the public to share data in an informed way with the confidence that it will not be abused.
