GDPR: Don’t Lose Sight of the Why
From our position as industry advisors, we’ve seen a fair amount of hand-wringing over the volume of work required by data controllers to come into GDPR compliance before the May 25th deadline. Conducting a comprehensive data inventory is time and resource intensive. Postponing work on new product features in favor of work to facilitate data subject access/deletion/portability requests isn’t sexy and likely won’t help drive revenue. Figuring out which recipients within your multi-million user base consented to receive marketing messaging—but maybe not to have their opens/clicks tracked—may seem like an impossible task. The list of challenges can seem endless, but at a time when companies might be tempted to just throw their hands up and say “it’s not worth it,” we need to be reminded why the regulation was introduced in the first place.
It’s not about us. It’s about the data subject (the “natural person” whose personal data you are collecting), and their rights as owners of their data.
It’s about protecting all of a data subject’s personal data, not just traditionally legislated categories like contact information, national identifiers, biometric identifiers, financial account details, etc. Under the GDPR, “any information relating to an identified or identifiable natural person” counts. So pseudonymized data (like the MD5 hashed representation of a data subject’s email address) falls in scope, as does any kind of behavior-based analysis of a data subject, like an email account user’s clicks, opens, and reads. Unless you’ve anonymized the data so that there is no possible way to reassociate it with an individual, it’s governed by the GDPR.
The GDPR is about arming and empowering data subjects with the means to understand what personal data is collected and processed about them, and how, when, where, and why. Among other things:
- Privacy notices have to be easily accessible and understandable.
- Consent flows (we’ll go into this more in a subsequent blog post) have to clearly describe all the potential uses of data, to allow a data subject to truly give informed consent.
- Contact information for an organization’s Privacy or Data Protection Officer has to be easily findable, so data subjects have a vector for exercising their rights of access, deletion, portability, etc.
- Information needs to be readily available on a data controller’s legal grounds for processing data, where it’s processed, and if there are third parties involved.
Data subjects can take advantage of these rights by reaching out to company Privacy/Data Protection officers. If the responses they receive are unsatisfactory or indicate company negligence, they can reach out to the relevant European supervisory authority (or DPA, Data Protection Authority) for redress.
The GDPR is about ensuring that sufficient security protections exist on data and data processing systems and that, in the event of a breach, a process is followed for giving both data subjects and supervisory authorities proper notification of the breach and its potential harm. These requirements make sense: breach reporting today is inconsistent (some companies report breaches, some don’t), even though breaches themselves are ubiquitous from the data subject’s perspective. The GDPR will silence breach notices where there’s no material harm while amplifying those where there is.
Perhaps most notably, the GDPR is about giving the data subject a voice within companies who process their data. Through the appointment of a Data Protection Officer (DPO, required at any company where the regular and systematic processing of a data subject’s data occurs) the data subject will have an advocate, arguing on their behalf. From the design phase of a product or project (via privacy by design and privacy impact assessments) through a product’s delivery and/or mass-release, the DPO will be accountable for what data is processed, where, for what purposes, and how it’s protected. In some cases—like in social media applications—the DPO will even work to protect data subjects from their own potential missteps (ex: through exercising privacy-by-default, where a user’s ability to share their information is restricted by default).
Sure, the threats of being fined up to four percent of our global revenue are motivational, but the bottom line for us is that GDPR compliance is about doing the right thing by data subjects. Our business depends on consumer trust. Violating that trust is simply not an option.