GDPR is big news for everyone.
The new regulation applies to controllers and processors handling the personal data of individuals. Perhaps the most important point to note is that it applies to ALL organisations collecting and processing the personal data of people in the EU, regardless of where the company itself is located: a business outside the EU that offers goods or services to EU residents, or monitors their behaviour, is in scope.
So what do you need to know about GDPR?
Consumers are going to be given beefed-up, world-leading digital rights. Data is power, and the EU wants to give consumers access to that power. Where a company relies on consent to use personal data, that consent has to be freely given, specific and informed, and the individual can withdraw it at any time. Individuals can also request to see the data that companies hold on them.
Article 4 of the GDPR defines the two roles: the controller is the party that determines the purposes and means of processing personal data, and the processor is the party that processes personal data on the controller's behalf.
Fundamentally, common-sense applies. GDPR is intended to move ownership and control of personal data back to the person, from where it has undeniably drifted in recent years.
So what does this mean for “Big Data” - one of 2017’s biggest buzz topics within the tech industry?
The capabilities of big data are only just being unlocked. The Internet of Things (IoT) has been steadily growing since the mid 2000s and the potential for Smart Cities and other innovative technologies is endless.
However, when big data also includes personal data, it falls under the remit of GDPR. And, according to Sheila FitzPatrick, Worldwide Data Governance Counsel and Chief Privacy Officer at NetApp, GDPR is about data privacy and not data security.
Although security is undoubtedly important, GDPR is concerned with the privacy of customer data. To use FitzPatrick's analogy: “It doesn't matter that a bank robber stores his ill-gotten gains in a securely locked safe, since he has no right to possess them in the first place.”
The UK’s Information Commissioner’s Office (ICO) released a paper - Big data, artificial intelligence, machine learning and data protection - which looks into this issue in greater detail. With potential sanctions of up to 4% of global annual turnover (or €20 million, whichever is higher) for a breach of the GDPR once it’s in place, this is something no business can afford to overlook.
One of the easiest ways to check your compliance is with a privacy impact assessment (PIA). GDPR states that a PIA – referred to as a data protection impact assessment (DPIA) – is required in several cases, including:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
With this in mind, it’s highly likely that under GDPR, DPIAs will be legally required for most big data applications that profile individuals or otherwise process personal data at scale.
What should you be doing to comply with GDPR?
Pick up the handy Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now PDF, which was produced by the ICO last year. It contains plenty of useful guidance to put in place before 25 May 2018, when the regulation takes effect.
Continental Europeans in general tend to be more protective of their personal privacy than US/UK citizens, as evidenced by their social media use and other metrics. Companies that act in good faith to respect this should be fine. Companies which are already adhering to the existing data protection regulations, both within the UK and abroad, are likely to find there won’t be many changes under GDPR.
Those that aren't may wish to consider that 4% of global annual turnover figure carefully.