During the last two years, I have been involved in quite a number of meetings and conferences about the EU’s General Data Protection Regulation (GDPR). My role has been to provide information about the regulation and its impact and what organisations need to do as a result.
Known unknowns and unknown unknowns
Despite having access to excellent legal advice and plenty of expert information, I found it hard to answer some of the questions posed. I had read a lot about the subject, but did I really know what I was talking about? Come to think of it, were the articles that I had read actually even correct? With a sense of unease about “unknown unknowns,” I decided that I needed a proper training course on the GDPR, and about data privacy more generally. I turned to the International Association of Privacy Professionals (IAPP), which offers a good training program with certification addressing both the “what?” and the “how?” of data protection.
I thought I would learn about data protection and privacy, and the course certainly provided that. But it has also changed my perspective about privacy and the role of data protection law.
A risk or a benefit?
The main way that many businesses see GDPR – and data protection law more generally – is probably as a risk to the company. And in several important ways, of course, it is: It imposes legal requirements and constraints, and probably has significant budgetary implications. Noncompliance is a huge risk area, especially since there is so much in the regulations that is new and untested.
It is, however, important to remember that the GDPR was not designed specifically to make life difficult for companies. Its purpose is, in fact, to put individuals back in control of their data, which turns out to have implications for organisations. In other words, this regulation is designed for each one of us as individuals, and has us, and our children, at its heart. It allows us to control our own digital footprints, and challenge decisions made by machines if we believe that they are unfair. It is about us being able to say that we no longer want a relationship with a company, and the company having to respect that – and no longer keep any data about us.
This is huge. This right to privacy is fundamental. The European Convention on Human Rights says that we all have the right to respect for private and family life, and the GDPR shows that the EU remains committed to this right, even in a digital world, when delivering on it is hard.
Information technologies and analytics are changing our world at an incredible pace, and will continue to do so. However, legislators and regulators alike have shown that they are committed to protecting our right to privacy. Last December at the TechUK Data Ethics Summit, Elizabeth Denham, the UK’s Information Commissioner, said: “The idea that data protection, embodied in legislation, does not work in a big data context is wrong.”
Doing what is right
If we as individuals believe that this right to privacy is fundamental – and I, for one, do – then we have to applaud this. As employees and providers of software services, we need to be thinking about how our organisations store and use personal data, and not (really) because of the fines for noncompliance. Consumers need to have confidence in how organisations are managing their personal data whatever the technology. It does not matter whether we are using big data or artificial intelligence, or some future technology. The same principles will apply.
Organisations need to deal correctly with personal data because it is right to do so, not because they are afraid of the regulator. It is a fine distinction, but one that cuts to the heart of organisational integrity.