The EU General Data Protection Regulation (GDPR) should be welcomed as an immensely pragmatic regulation. GDPR both safeguards the rights of the individual to control their personal data, and enables organisations to utilise that data in a secure and lawful way.
Moreover, by replacing the restrictive anonymised data model with the new concept of ‘pseudonymised’ data, GDPR actually provides organisations with a real opportunity to better understand their data and its value.
Data protection principles
The headlines that focus on the punitive fines associated with the forthcoming GDPR undermine the potential value of the regulation. The reality is that GDPR is actually one of the most universally agreed and pragmatic regulations devised in recent years.
It recognises today’s data driven economy and adopts an extremely practical approach to balancing individual concerns regarding personal data with lawfully unlocking the value organisations can derive from that information.
The data protection principles of the GDPR have not changed from previous legislation; in fact, the new regulation enhances them. And, to address the over-reaction specifically, high fines are likely to be given to businesses unable to prove data accountability and responsibility.
A recent statement from the Information Commissioner’s Office (ICO) indicates an implicit acceptance that breaches will occur at a certain point, and if a business can provide demonstrable proof of intent to follow the principles / comply with the GDPR, this will be a significant mitigation against massive fines in the event of a breach.
One of the biggest changes is the implicit requirement within GDPR to move away from anonymised data. It relaxes the definition of irreversibility, and links it to the state of technology at the time. The GDPR instead encourages the use of pseudonymised data.
By introducing the concept of pseudonymised data, GDPR is actually encouraging organisations to manage data properly, to ensure the individual pieces of data related to an individual are stored and processed separately.
For example, an email address stored within a marketing database is retained in a separate location to a credit risk report, so that should a hacker access one database, it is only one portion of an individual’s data that is compromised, minimising the harm to the individual and as a consequence the risk to the organisation in a breach scenario.
By ‘pseudonymising’ the data in this way, organisations can also bring individual characteristics together as required – such as KYC or due diligence – but limit the breadth of information that is accessible by, for example, marketing. Taking this approach both safeguards individual data and enables an organisation to explore that information for legitimate business use.
The process of achieving this degree of separation is fairly straightforward from a technical perspective, and is a constituent part of Privacy by Design and Privacy by Default, both mandatory under the GDPR.
The challenge – and opportunity – for organisations is to undertake a complete and robust assessment of existing data resources. What data is held by the company? Where is it located? Who has access? What is it being used for? What consent has been given for its use? It is only once this extensive data map has been created that organisations can begin to determine the way forward.
The process of creating this data map is fundamental to understanding an organisation’s current resources of personal information – something that many, especially those within the financial sector, risk underestimating.
>See also: Benchmarking global readiness for the GDPR
From shareholder information to contact information held within legal contract data, trade reporting, information about charitable donors or insurance case records, every organisation collects – and therefore must safeguard – some degree of personal data.
This data mapping process is essential for GDPR compliance but also provides a significant operational benefit. Once a business understands its data resources, it has the chance to determine just how much of this information has value and the source of that value.
A significant proportion of data retained by organisations has no value – it has been kept simply on a ‘just in case’ basis, often without being subject to any legal retention requirements. This GDPR compliance exercise provides an excellent opportunity to rationalise data retention strategies and minimise data volumes, reducing data costs.
Data is without doubt the currency that now underpins the digital economy. But its value is intrinsically linked to excellent governance and an accurate understanding of its purpose and value to the organisation.
GDPR is being implemented in reaction to a changing data world and while the fines are attention grabbing, it is the immense practicality of this regulation that organisations should be actively embracing as an opportunity to better understand their data.
Sourced by Akber Datoo, managing partner, and Peter Newton, chief operating officer, D2 Legal Technology
Nominations are now open for the Tech Leaders Awards 2017, the UK’s flagship celebration of the business, IT and digital leaders driving disruptive innovation and demonstrating value from the application of technology in businesses and organisations. Nominating is free and simply: just click here to enter. Good luck!