The recently approved General Data Protection Regulation (GDPR), which applies from May 2018, represents a radical departure from the checklist-based approach to compliance in data management.
The immediate reaction of most CDOs and security professionals after reading the text in detail is to feel overwhelmed. Tellingly, according to the research company Ovum, more than 50% of CDOs at large businesses worldwide fear they will be fined by the data protection authorities.
Why this reaction? Because complying with the new regulation from a traditional mindset seems an impossible task. A new approach is necessary, and there are four key areas where the shift needs to take place:
- Security: The regulator no longer tells organizations which security measures are required. Given the quick pace of technological change, compliance checklists are no longer viable. Instead, organizations are told to base their security decisions on risk assessments that cover not only the internal impact but also the impact on customers and individuals. Security decisions become a matter of judgement. Given that personal data breaches will have to be notified to the supervisory authority within 72 hours of the organization becoming aware of them, it will be better to err on the side of caution.
- Transparency: Until now, once individuals gave an organization permission to use their data, they lost visibility and control over it. Under GDPR, organizations will have to give individuals far greater visibility into what is done with their data.
In the first place, tacit agreements on data use will no longer be valid: consent will require a clear affirmative action from the individual. Furthermore, this will not be the end but the beginning of a transparent and proactive reporting cycle with customers and individuals. Any use of the information that departs from the agreed purpose will have to be communicated to them. Moreover, individuals may request that their data be accessed, erased, or even transferred to a competitor.
This is a reminder that personal data belongs to individuals. Organizations will have to honor that, and transparency will weigh heavily in customer satisfaction and trust.
- Responsibility: Under this new framework, whoever handles personal data becomes responsible for it, be it the organization that collects it, an information-processing company working on its behalf, or any other actor in the supply chain. In plain language, there is nowhere to hide. This prevents a weak link from forming outside a given organization in the information cycle, which is where most attacks take place.
This changes the relationships among players in the value chain, and contracts will have to reflect it: responsibility is closely tied to liability.
- Processing: Data per se is no longer the key concern; what organizations do with it is what matters. When companies held only a fragment of information about an individual, this was considered almost innocuous. Now, with the emergence of Big Data, it is becoming too easy to combine information and extract insights that may affect individuals in unexpected ways. This is why organizations will have to keep records of how they process personal data. The GDPR wants to make sure that the far-reaching implications that may unfold from the use of analytics and Big Data do not escape control.
In summary, this regulation treats data as the core asset of every organization, as well as a key element of personal security. This understanding is where the mind shift needs to take place. Once it is clear, the implications that derive from it make sense. It is true that the degree of imprecision in this regulation, sometimes deliberate, may create areas of legal uncertainty. But waiting for compliance instructions from a regulator is no longer viable in a data-driven world. Everyone will have to lead their own journey. The regulator is just pointing at the boundaries and responsibilities.