The General Data Protection Regulation (GDPR) has long been in the spotlight. And for a good reason – it is bound to profoundly affect organizations’ data operations. The Regulation comes into effect on May 25, 2018, which means it’s about time organizations revised their online strategies to have them in place before the law takes effect.
We have invited Aurélie Pols, a former Data Governance and Privacy Engineer, previously with Krux Digital Inc. (now acquired by Salesforce), a member of the European Data Protection Supervisor’s Ethics Advisory Group, a professor at IE Business School in Madrid, and an advisor to the International Association of Privacy Professionals (IAPP), to shed some light on the GDPR, what the changes in legislation mean for businesses, and how to prepare for them.
AP: My background is in economics and statistics. Early on I delivered on actuarial work, using tools such as Matlab and SPSS on top of solving business issues such as loyalty. The Internet came along – aka lots of data! – and to cut a long story short, my Brussels-based agency OX2 was one of the first Google Analytics partners before being sold to Digitas LBi (Publicis).
After the sale, I moved to Spain, exchanging the start-up for a family. This is also where I got in touch with lawyers to discuss my worries about extensive data uses and flawed accountability mechanisms. It was the ePrivacy Directive that caught my initial attention, once those cookie wall discussions started in 2011. Since then, I’ve been bridging the legal and analytics worlds, which increasingly includes engineering in light of big data.
Now that the ink on the GDPR is dry, I help clients get ready for the May 2018 deadline while keeping an eye on the ePrivacy Directive/Regulation debate that’s about to start. Building beyond, in light of data governance initiatives and increasing data quality issues, discussions are also unfolding about ethical data uses and customer expectations.
How do you assess the present state of privacy legislation? Is the law catching up with the technological world?
AP: I’m not sure the objective of the law is to catch up with technology. If one had to frame the reason for legislation, it would probably encompass the ideas of protecting people, enforcing Rights, solving conflicts, and indeed ultimately regulating society, one way or another.
What’s clear is that technology is advancing fast and as data is increasingly recognized as an asset – aka it has value – the first waves of laws focussed on protecting this asset, in the form of data breach notification laws. Over 100 countries have passed data breach notification laws over the past 2-3 years.
With the GDPR, we are moving beyond the premise of protecting the data companies are entrusted with, reintroducing the individual into the data equation if you will, underlining some of our Fundamental Rights. This piece of legislation addresses the consequences for “human dignity” that technology is bringing about for EU citizens.
With the advancement of technology, rights are obviously being reshuffled. Think for example about the Freedom of Expression vs. the Right to be Forgotten battle that’s been raging for a while now, or Freedom of Expression vs. fake news. The questions arise:
What is acceptable and how far is too far? What is more important: the right of a single individual or society at large? What are the consequences of digitization of our societies as every action and thought is being recorded and might be used against us? Does this bring harm or benefit and to whom? How do we make sure we continue to build an egalitarian society, certainly when you think about Europe?
The GDPR is bound to replace the current Data Protection Directive in May 2018. What triggered the changes? Where is the current directive lacking?
AP: The current Data Protection Directive dates back to 1995, the early steps of the Internet. Since then, we’ve witnessed significant technological evolutions and, with the advent of big data, fundamental changes in information sharing as well as communication. Additionally, Directive 95/46/EC, being a Directive, has been implemented differently across the 31 (28 EU Member States + 3: Iceland, Norway, and Liechtenstein) countries, which created compliance issues for companies.
The changes therefore first come in the form of a Regulation, assuring more cohesion across the board with fewer conflicting obligations than before. It is not perfect, yet a step in the right direction, imho.
Secondly, the risk equation changes with fines moving up to 4% of global turnover or 20 million euros, whichever is higher, and it will definitely require organisation-wide changes for many businesses. Whether this touches upon digital data will depend upon the readiness assessment undergone for the GDPR by each company on top of another piece of legislation that is currently being re-negotiated, which is the ePrivacy Directive/Regulation.
The GDPR is already paving the way, making “valid consent” more difficult to obtain. Businesses that rely on consent will need to carefully review their current practices to ensure that the way they obtain it is explicit and indicates affirmative action from the “data subject”.
And while the debate about what is considered to be personal data (the US calls it PII but, contrary to EU law, it is just one single variable, not a combination of variables) continues to rage on, the GDPR introduces a new data category: pseudonymous data, which includes cookies, unique identifiers etc., which will fall under privacy legislation, unlike today. Again, to what extent these obligations will change how we work today will probably be addressed under the (still to be discussed/bartered) ePrivacy Regulation.
How radically is the law going to change with the GDPR coming into effect? Which of the changes proposed are going to have the biggest repercussions?
AP: The GDPR really talks about Rights of EU citizens, whose data – personal or not, up to which point – is increasingly being commoditized and traded as a data market is taking shape. This means that the regulation also applies to companies outside of the EU, addressing the EU market.
The other big difference I see in terms of mentality change is that the burden of proof is reversed: If you are using data, you need to assure the required mechanisms are in place to pursue your endeavors. There is, therefore, a “documentation obligation” that kicks in, shifting the burden of proof that until now was set out in the contracts between B2B entities (article 5, paragraph 2). The accountability is, then, reinforced with a conditional appointment of a DPO (Data Protection Officer) to assure data protection policies and information notices are transparent and easily accessible to the data subject.
This then needs to be put in parallel with the different (EU citizen) Rights the GDPR is adding or clarifying: the Right to Object to Profiling, the Right to be Forgotten, the Right to Data Portability, etc.
All in all, there are a number of new challenges that need to be addressed or old habits that need to be either reinforced or replaced. The work to be done will take some time, while the May 2018 deadline is just around the corner.
This has been the first part of the interview with the expert. In the next part, Aurélie is going to fill us in on which industries the GDPR is going to affect most, how the changes could support innovation, whether we have reason to worry about the quality of web analytics data, what repercussions the enforcement of DNT may have, and how to prepare for what’s to come. Stay tuned for more input from Aurélie! You are also welcome to subscribe to our newsletter – we’ll keep you updated!