- Email: [email protected]
Data in the post-GDPR world
FEATURE
Data in the post-GDPR world Akber Datoo
Akber Datoo, D2 Legal Technology Data is without doubt the ‘new oil’ – the currency that now underpins the digital economy. But in the wake of the Cambridge Analytica and Facebook misuse scandal, the concept of data monetisation is rightly under serious scrutiny. As we enter a new era of data privacy, from the recently implemented EU General Data Protection Regulation (GDPR) to rapidly growing awareness of the way personal data is harvested and mined, organisations can no longer adopt a cavalier attitude to customer data. Let’s be very clear: personal data has huge value. The Digital Single Market in the EU is set to be an essential enabler in the evolution of products and services across Europe over the coming years. But this value is intrinsically linked to excellent data governance and an accurate understanding of its purpose and value to the organisation. At the same time, GDPR compliance is the foundation for a confident exploration of data assets without fear.
Keeping personal data personal If the build-up to the GDPR deadline and recent implementation wasn’t focusing organisations’ attention on the new era of data privacy and protection, the evolving Cambridge Analytica and Facebook story has demonstrated the very real business implications of data usage failure or misuse. From devastating reputational damage to the estimated $60bn lost by Facebook in the immediate wake of the data scandal, regulators could not have had a better, more timely example of the implications of the mismanagement of personal data and compromised data privacy. In many ways, any information misuse completely reinforces the underpinning premise of GDPR: personal data is just that – personal – and to enable organisations to continue to monetise data and to explore the digital economy, stringent and effective models September 2018
for data protection must be enforced. Individuals must be aware of a company’s personal data usage plans and they must give consent or have the right to opt out, if consent is the basis on which their data is held. Terms and conditions cannot be confusing or run to multiple pages of legalese. The entire process has to be both transparent and clear. And while there continues to be a great deal of focus on the punitive fines associated with GDPR non-compliance, it is far more important to flip the debate on its head. GDPR compliance enables organisations to legitimately and lawfully work within the constructs and confines of the regulation; it enables companies to leverage information to support new product launches or service innovation without worrying if consents have been sought and given every step of the way. With compliance, a company has less to fear from the devastation of reputational damage created by information misuse. GDPR has been in force for some months, so companies should have woken up to the fact that it is not just a legal requirement that can be met through a technology fix alone but affects every way a business processes and controls data. GDPR compliance is as much about how people use data and the processes in place to control that use, as it is the technology required to monitor and report that usage. GDPR compliance requires a holistic people, process and systems perspective.
The GDPR deadline left many organisations panicking. Impact assessments and remediation work was completed at the last minute – or not at all – and firms should have been well advanced along executing their GDPR action roadmap. Data assets should have been mapped, business context diagrams created and data flows defined. Essential processes should now be in place to respond to the fundamental requirements of GDPR, including consent and the right to be forgotten, while firms should also have an eye on the potential requirements of the yet-to-be-agreed ePrivacy regulation that affects electronic communication.
After the deadline If you saw the headlines that hit the media post-GDPR implementation, then you will have noticed that the way some organisations reacted to the GDPR was not only rash but, most importantly, not future-proof. The main reason for these hasty decisions seems to be that organisations were not ready for GDPR implementation. Taking the Chicago Times and LA Times as examples, these news sites likely realised that they were not compliant and panicked, simply putting a sticking plaster in the place they assumed would best shield them from exposure – removing access to their websites for EU residents. But the question is, have they put the sticking plaster in the right place? These organisations have assumed that, by not offering their services to EU residents, the GDPR no longer applies to them. Of course, there is the possibility for US companies to explore Privacy Computer Fraud & Security
17
FEATURE Shield certification, but this takes time and any organisation seeking such certification has to meet specific criteria. The key question remains: does this approach even successfully circumvent the applicability of the GDPR? The answer depends in great part on what these organisations are doing with the data of their readers behind the scenes. As part of their strategy of making their services unavailable to EU residents, are they also deleting the data of old EU account holders or other users that they hold? If they are not, they will not be compliant with the GDPR. And what about advertising – have they adjusted their marketing processes to ensure they do not advertise the newspaper itself to EU residents, and do not permit EU residents to place advertisements on their news site and even in the paper version of the newspaper? Have they stopped any ongoing distribution of their papers’ print version in the EU? The adoption of this exclusionary approach could be damaging to organisa-
tions that assume they have resolved their non-compliance problem in this manner, without having done the full analysis. The GDPR is meant to incentivise companies to facilitate individuals’ ability to control how their data is processed – it should not be pushing companies to make hasty decisions that will be detrimental to their business operations. In reality, GDPR is not that much more onerous than the existing Data Protection Act, although it has significantly more teeth. But with individual awareness regarding the value of personal data rising by the day, achieving robust GDPR compliance is an absolute necessity for any organisation planning to use this data. And, let’s be honest – this data has become fundamental to corporate policy. From defining new products to launching new services, in an always-on, digital-first world an inability to leverage digital data will be massively constraining. No one knows for sure how the digital economy will evolve. But consent to
access or intermediate in this new datadriven ecosystem will be a fundamental requirement for any of these digital services to succeed – and data usage confidence is essential. The power and potential of the digital market will compel organisations to be GDPR compliant: without that essential data governance foundation, a company will be unable to achieve product and service innovation, or at least, not without fear of potentially devastating reputational damage.
About the author Akber Datoo is founder and managing partner of D2 Legal Technology LLP (D2LT), a legal data consulting firm, dedicated to the capital markets space. With over 16 years’ experience of derivatives and a blend of both technology and legal perspectives, Datoo works with financial institutions to create legal risk frameworks to ensure regulatory compliance and business optimisation.
How can adblocking play a significant role in an SME’s defence strategy?
Ben Williams
Ben Williams, Adblock Plus The advancement of technology today has turned the Internet into an open arena where individuals and organisations can spread information in ways that have never been possible before. While this has brought an enormous variety of opportunities for everyone to explore, it has also turned the Internet into an unpredictable ‘Wild West’ where only a few are held accountable. Cyber-threats such as phishing scams, fraud and malvertising are just some of the issues that have become increasingly relevant to organisations’ safety. According to a report by the UK Government’s Department for Culture, Media & Sport, nearly half of all the small and medium-size businesses in the UK identified a cybersecurity breach or attack in 2017.1 Despite this, over a third (35%) of 18
Computer Fraud & Security
small businesses still consider these threats a low priority. While larger organisations often have the appropriate funding and resources available to them to invest in and protect their systems and operations, it is typically small businesses that lack
the right resources and budgets to do the same. And while larger businesses hold more data and valuable information, it could be argued that small businesses are more vulnerable and are therefore easier to target. Paying attention to cyberthreats should be a key concern for organisations of any size but unfortunately often, a lack of funding, understanding and the mindset of ‘it won’t happen to us’ is putting these small businesses at risk. September 2018
Data in the post-GDPR world Akber Datoo
Akber Datoo, D2 Legal Technology Data is without doubt the ‘new oil’ – the currency that now underpins the digital economy. But in the wake of the Cambridge Analytica and Facebook misuse scandal, the concept of data monetisation is rightly under serious scrutiny. As we enter a new era of data privacy, from the recently implemented EU General Data Protection Regulation (GDPR) to rapidly growing awareness of the way personal data is harvested and mined, organisations can no longer adopt a cavalier attitude to customer data. Let’s be very clear: personal data has huge value. The Digital Single Market in the EU is set to be an essential enabler in the evolution of products and services across Europe over the coming years. But this value is intrinsically linked to excellent data governance and an accurate understanding of its purpose and value to the organisation. At the same time, GDPR compliance is the foundation for a confident exploration of data assets without fear.
Keeping personal data personal If the build-up to the GDPR deadline and recent implementation wasn’t focusing organisations’ attention on the new era of data privacy and protection, the evolving Cambridge Analytica and Facebook story has demonstrated the very real business implications of data usage failure or misuse. From devastating reputational damage to the estimated $60bn lost by Facebook in the immediate wake of the data scandal, regulators could not have had a better, more timely example of the implications of the mismanagement of personal data and compromised data privacy. In many ways, any information misuse completely reinforces the underpinning premise of GDPR: personal data is just that – personal – and to enable organisations to continue to monetise data and to explore the digital economy, stringent and effective models September 2018
for data protection must be enforced. Individuals must be aware of a company’s personal data usage plans and they must give consent or have the right to opt out, if consent is the basis on which their data is held. Terms and conditions cannot be confusing or run to multiple pages of legalese. The entire process has to be both transparent and clear. And while there continues to be a great deal of focus on the punitive fines associated with GDPR non-compliance, it is far more important to flip the debate on its head. GDPR compliance enables organisations to legitimately and lawfully work within the constructs and confines of the regulation; it enables companies to leverage information to support new product launches or service innovation without worrying if consents have been sought and given every step of the way. With compliance, a company has less to fear from the devastation of reputational damage created by information misuse. GDPR has been in force for some months, so companies should have woken up to the fact that it is not just a legal requirement that can be met through a technology fix alone but affects every way a business processes and controls data. GDPR compliance is as much about how people use data and the processes in place to control that use, as it is the technology required to monitor and report that usage. GDPR compliance requires a holistic people, process and systems perspective.
The GDPR deadline left many organisations panicking. Impact assessments and remediation work was completed at the last minute – or not at all – and firms should have been well advanced along executing their GDPR action roadmap. Data assets should have been mapped, business context diagrams created and data flows defined. Essential processes should now be in place to respond to the fundamental requirements of GDPR, including consent and the right to be forgotten, while firms should also have an eye on the potential requirements of the yet-to-be-agreed ePrivacy regulation that affects electronic communication.
After the deadline If you saw the headlines that hit the media post-GDPR implementation, then you will have noticed that the way some organisations reacted to the GDPR was not only rash but, most importantly, not future-proof. The main reason for these hasty decisions seems to be that organisations were not ready for GDPR implementation. Taking the Chicago Times and LA Times as examples, these news sites likely realised that they were not compliant and panicked, simply putting a sticking plaster in the place they assumed would best shield them from exposure – removing access to their websites for EU residents. But the question is, have they put the sticking plaster in the right place? These organisations have assumed that, by not offering their services to EU residents, the GDPR no longer applies to them. Of course, there is the possibility for US companies to explore Privacy Computer Fraud & Security
17
FEATURE Shield certification, but this takes time and any organisation seeking such certification has to meet specific criteria. The key question remains: does this approach even successfully circumvent the applicability of the GDPR? The answer depends in great part on what these organisations are doing with the data of their readers behind the scenes. As part of their strategy of making their services unavailable to EU residents, are they also deleting the data of old EU account holders or other users that they hold? If they are not, they will not be compliant with the GDPR. And what about advertising – have they adjusted their marketing processes to ensure they do not advertise the newspaper itself to EU residents, and do not permit EU residents to place advertisements on their news site and even in the paper version of the newspaper? Have they stopped any ongoing distribution of their papers’ print version in the EU? The adoption of this exclusionary approach could be damaging to organisa-
tions that assume they have resolved their non-compliance problem in this manner, without having done the full analysis. The GDPR is meant to incentivise companies to facilitate individuals’ ability to control how their data is processed – it should not be pushing companies to make hasty decisions that will be detrimental to their business operations. In reality, GDPR is not that much more onerous than the existing Data Protection Act, although it has significantly more teeth. But with individual awareness regarding the value of personal data rising by the day, achieving robust GDPR compliance is an absolute necessity for any organisation planning to use this data. And, let’s be honest – this data has become fundamental to corporate policy. From defining new products to launching new services, in an always-on, digital-first world an inability to leverage digital data will be massively constraining. No one knows for sure how the digital economy will evolve. But consent to
access or intermediate in this new datadriven ecosystem will be a fundamental requirement for any of these digital services to succeed – and data usage confidence is essential. The power and potential of the digital market will compel organisations to be GDPR compliant: without that essential data governance foundation, a company will be unable to achieve product and service innovation, or at least, not without fear of potentially devastating reputational damage.
About the author Akber Datoo is founder and managing partner of D2 Legal Technology LLP (D2LT), a legal data consulting firm, dedicated to the capital markets space. With over 16 years’ experience of derivatives and a blend of both technology and legal perspectives, Datoo works with financial institutions to create legal risk frameworks to ensure regulatory compliance and business optimisation.
How can adblocking play a significant role in an SME’s defence strategy?
Ben Williams
Ben Williams, Adblock Plus The advancement of technology today has turned the Internet into an open arena where individuals and organisations can spread information in ways that have never been possible before. While this has brought an enormous variety of opportunities for everyone to explore, it has also turned the Internet into an unpredictable ‘Wild West’ where only a few are held accountable. Cyber-threats such as phishing scams, fraud and malvertising are just some of the issues that have become increasingly relevant to organisations’ safety. According to a report by the UK Government’s Department for Culture, Media & Sport, nearly half of all the small and medium-size businesses in the UK identified a cybersecurity breach or attack in 2017.1 Despite this, over a third (35%) of 18
Computer Fraud & Security
small businesses still consider these threats a low priority. While larger organisations often have the appropriate funding and resources available to them to invest in and protect their systems and operations, it is typically small businesses that lack
the right resources and budgets to do the same. And while larger businesses hold more data and valuable information, it could be argued that small businesses are more vulnerable and are therefore easier to target. Paying attention to cyberthreats should be a key concern for organisations of any size but unfortunately often, a lack of funding, understanding and the mindset of ‘it won’t happen to us’ is putting these small businesses at risk. September 2018