The General Data Protection Regulation, or GDPR, comes into force on 25 May 2018. It has been a topic of considerable interest recently, particularly its likely effect on individual sectors or business areas such as marketing and sales. Software manufacturers and consulting companies have been developing and launching solutions and approaches to help businesses better meet the new regulatory requirements. But now that the initial excitement has died down and the uncertainty is over, many companies are starting to realise that the GDPR offers new opportunities to rethink and improve existing practices related to personal data.
GDPR is designed to prepare European companies for the safe handling of personal data in the digital age, and also strengthen the rights of citizens in relation to their personal data. Roughly speaking, it regulates the handling of personal data across:
- Control and consent of the citizen.
- Transparency in case of security breaches.
- Withdrawal or “the right to be forgotten.”
The rules apply to all companies dealing with personal data of European citizens. Just about all businesses come into contact with personal data in some form, meaning that not even the smallest craft businesses are excluded. However, the biggest impact, and thus the main regulatory effect, is on companies whose business model is closely linked to the collection and processing of data. We have recently seen the impact of failing to protect large amounts of personal data in the Facebook scandal. GDPR should help to avoid future problems like these.
If we are honest, most of the GDPR provisions are actually principles that are – or should be – standard in most companies. However, the new, globally uniform standards, and particularly customers’ strengthened rights to transparency, are obliging many companies to make selective improvements to their operations so that they can continue to process personal data and use it for analytical purposes. After all, few are going to give up the advantages of analytics for the sake of some changes.
Rethinking the future
The GDPR, therefore, means that companies are likely to rethink precisely how they manage personal data and analysis in the future. In particular, they may adopt new technologies and architectures that make it easier to comply with GDPR requirements. These include:
- Real-time analysis
Real-time analytics may be used to avoid the time and effort required to securely and transparently store personal information. Personal data can then be analysed rapidly, directly after input, and discarded immediately. This eliminates the need to protect personal data in long-term storage, and would also reduce the amount of personal data that the company stores about its customers. The results of the analysis could be used during the customer contact and stored without personal identifiers.
- Edge analytics
Processing of personal data could also be pushed out “on the edge” in the future, for example, on devices such as customer mobile phones and tablets. Technically speaking, the data never leaves the customer, and so is under their control. The advantage here is transparency because the customer can directly influence the processing of the data.
- Self-determination
Another interesting idea is to reverse the privacy policy process. Rather than having each company make separate privacy statements about the use of personal information, in the future we may be using consistent privacy and use terms, similar to open source licenses. This would allow individuals to decide what their personal data could be used for, and companies would have to agree to individual terms and conditions if they wanted to use the data. Users would therefore determine which information could be used. Personal data would remain on user devices, always up-to-date and ready to access. It would no longer be necessary to store personal information on corporate servers.
- Blockchain
Last but not least, blockchain is a new technology that could help companies improve the security of personal data. Compared to classic security mechanisms with user name and password, blockchain offers much more comprehensive protection. Public and private keys, which form a digital signature, secure the data in the blockchain. The public key acts as a kind of address for the individual transactions, but only the private key allows the user to access the transaction data in the blockchain. As many public and private key combinations are needed to read the data, blockchain technology is making the massive theft of personal data impossible.
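The real-time analysis approach from the list above, sketched as an added example (not code from the original post): each event is analysed on arrival, only coarse results are kept, and the raw record is never stored. The field names, the sample events and the minimum group size `K_MIN` are assumptions made for illustration; the group-size check goes slightly beyond the text, since results stored without identifiers can still single out a person when a group is very small.

```python
from collections import Counter

# Constructed sample events; all field names are assumptions for this example.
EVENTS = [
    {"customer_id": "c-1001", "email": "a@example.com", "birth_year": 1984, "postcode": "80331", "basket_eur": 42.0},
    {"customer_id": "c-1002", "email": "b@example.com", "birth_year": 1981, "postcode": "80469", "basket_eur": 120.0},
    {"customer_id": "c-1003", "email": "c@example.com", "birth_year": 1979, "postcode": "80802", "basket_eur": 15.5},
    {"customer_id": "c-1004", "email": "d@example.com", "birth_year": 1962, "postcode": "10115", "basket_eur": 230.0},
]

K_MIN = 3  # assumed threshold: smallest group size that may appear in a report


def derive(event, year=2018):
    """Reduce one raw event to coarse attributes that carry no direct identifier."""
    age = year - event["birth_year"]
    return {
        "age_band": f"{age // 10 * 10}s",   # e.g. 34 -> "30s"
        "region": event["postcode"][:2],    # first two digits only
        "basket_band": "high" if event["basket_eur"] >= 100 else "low",
    }


class RealTimeAnalyser:
    def __init__(self):
        # Aggregate counters are the only state that outlives an event.
        self.cells = Counter()

    def handle(self, event):
        """Analyse one event on arrival; the raw event is not stored or logged."""
        features = derive(event)
        self.cells[(features["age_band"], features["region"])] += 1
        # Result for use during the customer contact, free of identifiers.
        return features["basket_band"]

    def report(self, k=K_MIN):
        """Release only groups with at least k members; smaller ones are withheld."""
        return {cell: n for cell, n in self.cells.items() if n >= k}


def run(events):
    """Feed events through a fresh analyser and return it."""
    analyser = RealTimeAnalyser()
    for event in events:
        analyser.handle(event)
    return analyser
```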
The General Data Protection Regulation is an important step in protecting personal data. It will, however, also be interesting to see what the future holds and how new concepts and technologies will help to safely use sensitive data.
This blog post was originally published in German on the regional blog site Mehr Wissen.