GDPR: The view from 1995
It's almost funny to think that until the GDPR comes into force next May, the current EU law dates from 1995. So just for fun, let's take a jump back to the days of CDs, John Major and Furbys and see if it reveals anything about just why the GDPR is coming our way, and its real impact on organisations.
Imagining the world of personal data in 1995 is a challenge, especially for anyone under 35, bearing in mind that barely a quarter of households had a computer and only a few people had mobile phones. The internet was irrelevant to daily life, cameras used film and a tablet was medicine. People sent each other postcards from holidays.
So you have to give quite a bit of credit to the 1995 DPD and its UK derogation, the 1998 Data Protection Act, which provided for data subjects' rights to access, rectification, restriction of processing and so forth. This was prescient stuff, but given the changes of the last 22 years it is hard to argue that new legislation is not urgently required.
The first change is the vast explosion in the amount of data in the world of 2017. Consider the trillions of digital photos taken annually, social media platforms, the advent of the internet of things, data retained for security or compliance purposes, or digital medicine for just a few examples. An update in the law is needed because otherwise there will be no overall accountability for this vast ocean of data.
One stat to consider is that 90% of all the digital data in existence was created in the last two years. That exponential growth trend will not change, and organisations must instil a new culture of governance around data in order not to accrue risks through a loss of control.
The second obvious change from 1995 is the number of devices that contain our data. Not only does this fuel the data explosion but it also has other major implications. The interconnected web of data controllers and processors relating to the personal data from a smartphone or an always-listening home assistant device is highly complex. The GDPR brings data processors under the scope of the law, and in my view this cannot happen soon enough. The work of unpicking the controller-processor relationships, terms and conditions and so on must be taken on with urgency.
Thirdly, the very definition of personally identifiable information (PII) has evolved since 1995. PII now goes beyond a data subject's name, address and so on. Today, data points such as IP address and geolocation stamps count as PII, as do other pieces of sensitive information such as political affiliations or membership of a trade union. Under the GDPR, organisations would be well advised to evaluate the legal basis for the processing of any such information, especially if the organisation performs automated decision-making or profiling activities around those data.
In brief, what 1995 has to tell us is that it's time to grow up where personal data is concerned. What is more, there is an opportunity to be grasped: it is possible to use the GDPR as a reason to re-engage with your customer base, to declare your company's enlightened positioning on personal data and to take a 'best foot forward' approach. How would your organisation cope with a massive uptick in the number of data subject access requests? Have you created customer journeys for data portability or erasure requests? These will be the significant day-to-day issues next May rather than the threatened fines.
The GDPR is not an IT problem, nor a Compliance problem. It is an enterprise-level issue which makes explicit the need to create a data governance structure. At Salvatore we advocate - and can deliver - integrated programmes of change across all silos, giving your organisation the best chance of creating a new working culture around personal data.
Do get in touch if you want to talk about what you should be doing about the GDPR within your organisation.