The European Union’s (EU’s) General Data Protection Regulation (GDPR), intended to strengthen and unify the personal data protection laws of EU member states, will replace Data Protection Directive 95/46/EC on May 25, 2018.
This new mandate requires all organizations worldwide doing business with EU customers to assess their information strategy, technology, processes, and staff against GDPR rules regarding personal data, and implement changes to comply. According to the GDPR, personal data is defined as any information relating to an identified or identifiable natural person.
Are GDPR Criticisms Justified?
Since the GDPR was originally proposed by the European Commission in 2012, criticisms of the new regulation have been wide-ranging. The challenges raised include the potential to slow down the development and use of Artificial Intelligence (AI) in Europe, impediments to medical research, threats to new jobs, and increases in consumer prices.
Set against these potential impacts and challenges, the GDPR can also be an incentive to innovate in order to achieve compliance without sacrificing revenue goals. The cost of non-compliance is illustrated by Wells Fargo Bank, whose employees abandoned ethical standards for a short-term increase in profits and the promise of job promotions: the consequences included financial and emotional harm to customers, loss of customer trust, immense fines, and irreparable harm to the corporate brand.
Five Considerations for Stimulating Innovation
The five considerations outlined below provide guidance in complying with the GDPR, and also represent potential opportunities for stimulating innovation:
1. Thought process – Fuel innovation through new perspectives and approaches to solving problems; in the best case this leads to new paradigms. “Privacy by design” is an information strategy that incorporates data privacy into systems and processes at the time they are developed or revised. This approach, which the GDPR mandates for new projects, requires investing in data privacy “up front”, on the expectation that the investment will pay off through customer loyalty and will avoid the penalties and rework needed to retrofit systems and processes for future personal data privacy rules. It also provides the opportunity to “design in” the flexibility needed to accommodate future clarifications of and changes to the GDPR.
2. Identify scope of data relevant to GDPR – Data-driven innovation requires a clear understanding of the data to be collected and the reasons for collecting it. Personal data governed for compliance with the GDPR is no different from any other data. As a first step to GDPR compliance, organizations must define the scope of GDPR-relevant personal data that is, or will be, collected or derived, processed, and shared. Once a company identifies the scope of GDPR-relevant personal data, it should catalog all data sources that fall within this scope, including departmental systems and other internal and external sources.
The criticism that GDPR compliance might restrict innovations in AI is unsubstantiated and grossly ignores a subject’s right to privacy and consent. An individual who is denied an insurance policy based on the application of AI algorithms to personal data without the individual’s consent deserves an explanation for the denial.
3. Prioritize metadata management – Metadata helps organizations define the scope of their data by providing visibility: it illuminates the who, what, where, why, and how of the data, and so deepens understanding of it. For example, metadata can answer the following:
- Who is using this data?
- What is the security level or privacy level of this data?
- Are there regional privacy or security policies that regulate this data?
- What is its usage and purpose?
Applying good metadata management practices contributes to data-use auditability and GDPR compliance.
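As an added illustration of items 2 and 3 (this is example code, not part of the original article), the following Python catalogue records the who, what, where and why metadata for each data source, derives the GDPR-relevant scope from it, reports sources whose metadata is incomplete, and checks a sample access log against the registered consumers and documented purposes. The source names, field names, classification levels and access log entries are all constructed for the example, and the gap and audit rules are one possible encoding of the questions above rather than a scheme prescribed by the regulation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSource:
    """One catalogued data source and the metadata answering who/what/where/why."""
    name: str
    owner: str                  # who is accountable for this data
    personal_fields: frozenset  # what: fields that identify a natural person
    classification: str         # what: "public" | "internal" | "confidential"
    regions: frozenset          # where: jurisdictions whose policies apply
    purposes: frozenset         # why: documented reasons for processing
    consumers: frozenset        # who: systems or teams registered to read it


@dataclass(frozen=True)
class AccessEvent:
    """A single retrieval taken from an access log (constructed for the example)."""
    consumer: str
    source: str
    purpose: str


def gdpr_in_scope(src):
    # Personal data about people in the EU is in scope wherever it is stored.
    return bool(src.personal_fields) and "EU" in src.regions


def catalog_gaps(catalog):
    """Return {source name: [gap descriptions]} for in-scope sources with incomplete metadata."""
    gaps = {}
    for src in catalog:
        if not gdpr_in_scope(src):
            continue
        found = []
        if not src.purposes:
            found.append("no documented processing purpose")
        if src.classification != "confidential":
            found.append(f"personal data classified as {src.classification!r}")
        if not src.consumers:
            found.append("no registered consumers")
        if found:
            gaps[src.name] = found
    return gaps


def audit_access(catalog, events):
    """Check each logged retrieval against the catalogue; return a sorted list of findings."""
    by_name = {src.name: src for src in catalog}
    findings = []
    for ev in events:
        src = by_name.get(ev.source)
        if src is None:
            # Reads from a source nobody catalogued are a scoping failure in themselves.
            findings.append(f"{ev.consumer}: unknown source {ev.source!r}")
            continue
        if not gdpr_in_scope(src):
            continue
        if ev.consumer not in src.consumers:
            findings.append(f"{ev.consumer}: not a registered consumer of {src.name!r}")
        if ev.purpose not in src.purposes:
            findings.append(f"{ev.consumer}: purpose {ev.purpose!r} not documented for {src.name!r}")
    return sorted(findings)


# Constructed sample catalogue; none of these are real systems.
CATALOG = [
    DataSource("crm_customers", "marketing", frozenset({"name", "email"}), "confidential",
               frozenset({"EU"}), frozenset({"customer_support", "marketing_email"}),
               frozenset({"crm_app", "support_portal"})),
    DataSource("web_analytics", "web_team", frozenset({"ip_address"}), "internal",
               frozenset({"EU", "US"}), frozenset(), frozenset({"analytics_dashboard"})),
    DataSource("product_catalog", "product", frozenset(), "public",
               frozenset({"EU"}), frozenset({"sales"}), frozenset({"web_shop"})),
]

# Constructed sample access log.
EVENTS = [
    AccessEvent("support_portal", "crm_customers", "customer_support"),  # compliant
    AccessEvent("data_science", "crm_customers", "model_training"),      # consumer and purpose undocumented
    AccessEvent("web_shop", "product_catalog", "sales"),                 # no personal data, out of scope
    AccessEvent("crm_app", "legacy_export", "customer_support"),         # source never catalogued
]

if __name__ == "__main__":
    print("In scope:", [s.name for s in CATALOG if gdpr_in_scope(s)])
    print("Metadata gaps:", catalog_gaps(CATALOG))
    for finding in audit_access(CATALOG, EVENTS):
        print("Audit:", finding)
```

Running the block lists crm_customers and web_analytics as in scope, reports web_analytics for lacking a purpose and carrying too low a classification, and flags the data_science retrieval and the read from the uncatalogued legacy_export source. The point of keeping purposes and consumers in the catalogue is that the audit becomes a mechanical comparison of the access log against declared metadata rather than a manual review.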
4. Exploit data virtualization – Achieving a holistic view of the data is challenging because the data ecosystem is fragmented across diverse data sources. Data virtualization establishes a layer of abstraction between data consumers and data sources, making it possible to leave all source data exactly where it is and to expose a single virtual view for accessing it. It supports a data minimization strategy by removing the need to consolidate all the data in one place. It facilitates data privacy by design in new systems, which is a key requirement for GDPR compliance. It also supports data cataloging, as well as search and discovery of both data and metadata. Finally, it gives organizations a central point at which to audit access, trace the lineage of sensitive data, and track consumers’ retrieval of that data.
5. Align Privacy and Security Teams – Some critics regard the new role of Data Protection Officer (DPO) as “overhead”, and voice concern that filling DPO positions would threaten the creation of more productive jobs that could contribute to product innovation. On the contrary, the mandated DPO role gives organizations a value-added opportunity to better align data privacy and data security in the common pursuit of protecting personal data through the “privacy by design” principle. Leveraging the DPO as a catalyst for collaboration between an enterprise’s privacy and security teams and other business owners (e.g., Marketing) builds a clear understanding of business goals such as improving customer engagement and experience. Such collaboration instills a culture of privacy throughout the organization and elevates the DPO role beyond simply protecting personal data.
Today, it is imperative for enterprises to protect the privacy of consumers by securing their personal data, which is being collected in vast amounts from devices and sensors. Although GDPR may pose challenges, it provides opportunities for improving customer trust and fueling innovation reliably and responsibly.