The European General Data Protection Regulation (GDPR): beyond the hype

The GDPR, formally adopted by the European Parliament and the Council earlier this year, will apply from 25 May 2018. Unlike the 1995 European Data Protection Directive it replaces, it is a regulation rather than a directive, so it applies directly in every Member State without national transposition, and it sets the scene for the protection of personal data for years to come.

The way personal data is defined is an important aspect of the new law. The GDPR defines personal data as any data that allows an individual to be identified, directly or indirectly. It is a broad definition, and we expect it to be read even more broadly over time. In practice this means that IP addresses, location data, online identifiers and any other factors that can single out a person are covered by the new law. Pseudonymised data, where the person can still be identified with the help of additional information, remains personal data; only data that is genuinely anonymised falls outside the regulation.

The definition of ‘personal data’ in the law gives a good indication of the tone of the new legislation: data is treated as a valuable asset, and the rules governing it are tightening up. Not coincidentally, this goes hand in hand with technological trends such as cloud computing, social, mobile and the Internet of Things, where data gathering and adequate data analysis are becoming strategic differentiators. In that sense, the European regulator is catching up with reality.

4 elements of change

If the existing legislation laid the foundations for data protection, the GDPR is about building a solid house on them. In recent years there have been several data privacy developments, not least the invalidation of Safe Harbour, which created a lot of hype about the GDPR. As a result, many organizations have serious concerns about the new legislation but, in fact, there is no need for that, says Kalliopi Spyridaki, Chief Privacy Strategist Europe at SAS: “The rules are tighter now, but the basic principles are the same as we have had for many years. In that sense, the GDPR is more about reviewing compliance procedures than about building something from scratch.”

Nevertheless, Spyridaki highlights 4 high-level elements that are changing with the introduction of the GDPR:

1. More enforcement

With the new regulation, enforcement gets tougher. The Data Protection Authorities will have more resources and will come together in a new pan-European body, the European Data Protection Board, whose decisions are binding. Moreover, the fines will be so high – up to 4% of an organization’s annual global turnover or EUR 20 million, whichever is higher – that the GDPR automatically shakes organizations across all industries awake. “Actually, in Europe we only find a comparable level of fines in competition law. The fear of being fined should not be the primary reason for compliance, but it’s certainly a reason to pay attention now. Whereas 5 years ago data privacy was a legal compliance issue that didn’t make it to the top 10, today it’s on top of the compliance agenda”, said Spyridaki.

2. Greater accountability

The GDPR makes organizations accountable for the protection of personal data. They will carry the burden of proof when it comes to whether, how and how well they protect personal data. Today there is a fairly formal process in place to gain authorization to process data: what type of data do you process? Do you transfer it to other parties? In the future the question will be how well the business processes are organized and documented, rather than whether an authorization was formally obtained. In this respect, it will be helpful to have someone, either internally or externally, who understands data privacy and knows how to make changes and apply the law; the GDPR formalizes this in the role of the data protection officer, which becomes mandatory for some organizations.

3. Privacy by design

The first step for every organization will be a data flow mapping exercise in which the whole organization is involved, because privacy by design requires that all departments look at their data and how they handle it. Once you have identified where your personal data is and what exactly you do with it, you have to secure it in the right way. “Looking at your data from a data privacy point of view, from product development through the supply chain to the end customer, is the essence of the new data privacy law. Most companies already have a system in place to be able to identify personal data, because they should already be compliant with the existing data protection law. The new law forces organizations to go into more detail but, luckily, there are a lot of solutions which can support this reviewing process. SAS is well-placed to support our customers with the identification and management of data flows in order to enable compliance with the GDPR.”

Privacy by design also presupposes more transparency about data and data transfers. And you have probably already heard about the hot potato of the new regulation: the right to be forgotten. That brings us to the fourth big factor of change in the data privacy field: the clear focus on the customer.

4. Putting the individual first

The new data protection regulation empowers the individual by placing the customer at the centre of data protection. For example, the right to data portability provides that when customers want to change their mail provider, they should be able to take their data with them to the new provider. Today, consumers can already ask for their personal information to be deleted, but the GDPR strengthens the deletion right with the so-called ‘right to be forgotten’. “But beyond compliance, the biggest change will be the shift in organizations’ attitude towards privacy. Privacy is becoming a business consideration. It will be a key component to build customer trust and to gain a competitive advantage, because customers do value privacy. They also value easy and transparent procedures to enforce their rights”, Spyridaki commented.

Embracing innovation

Together with the renewal of the data protection rules, innovative players are entering the market place. One example is Hoxton Analytics, a next-generation people counter that helps retailers understand their customers without registering personal data. Its solution creates a smart floor that gathers images of people’s footwear. By combining those images with several layers of machine learning and artificial intelligence, the system counts people automatically. What is even more surprising: it can also categorize people’s demographics based on the shoes they wear and their walking pattern.


Spyridaki: “There’s a transformative power in the digitalization of the world and I’m convinced we will continue to see more innovation around data and privacy. Therefore, we will also see more rules being introduced to help people feel comfortable about data-related innovation. Data protection and privacy are now in a transitional era. If you compare the data industry with a more traditional sector, like financial services, it becomes quite clear that the data market is under-regulated because it is in a way an emerging market. It will take a few years but, in the end, the data industry will be a mature, regulated market as well.”

Europe is at the forefront of privacy legislation, but other countries in the world are also at a comparable level (for instance, Canada or Australia) or are making big leaps forward in the data regulation space. “It’s much easier to transfer data to jurisdictions that have an adequate level of data protection. We see a trend among emerging economies, particularly in Asia and Latin America, that value the data economy, of mirroring the new GDPR. But also within the European Union, the GDPR will bring more transparency and will lead to more harmonized rules. The interpretation of the Data Protection Directive nowadays differs among EU Member States. Eventually, that harmonization will be good for business”, Spyridaki concluded.