GDPR ‘Murica!
Just over a year ago, an alarm of emails, posts and projects arose in Europe surrounding the General Data Protection Regulation, also known with the acronym, GDPR. It was as if someone had poked the sleeping bear of IT and woke it and boy, was it grumpy.
Suddenly EU technologists were learning all about advanced system security, how to encrypt and mask data, multi-tier authentication, along with creating procedures when a user requested to be forgotten. Projects and money were being allocated to take on this demand that considering its initiative was passed back in 2014, you’d think would have been earlier than a year ago, but hey, procrastination isn’t just for us ADHDr’s.
Now GDPR is everywhere you look in American news, in articles and blogs with the May 25th, 2018 EU deadline quickly approaching. The realization that we’re more connected than we’ve ever realized globally and that we’re held accountable to GDPR has many scrambling to be “GDPR complaint”. Far beyond anyone saying, let’s make America great again, we have to recognize the regulations of our European customers.
As relational databases are the most common location for data in businesses today, the DBA, developer and application support are going to feel the most pressure of this looming deadline. It’s also a law that is legally binding to any company doing business with customers in the EU and must be adhered to.
So what are the main areas of concern for database technology concerning GDPR?
Security breaches of electronic data increased over 40% in just the last year. This is expected to increase and with the introduction of the cloud, advanced security methods must be embraced by everyone. Per the GDPR, a security breach is”:
the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, access to, personal data transmitted, stored, or otherwise processed.
The EU is taking an unprecedented step in what it identifies as personal data, too, which includes much of the data outside of what we commonly identify as data used for identity theft.
Companies that do business with any country that is part of the EU will be held accountable, so there isn’t a choice in compliance because your company only has customers in one or two countries. This includes companies that use a third party that use data from the EU, as well. There is a six degrees of separation that makes a high percentage of companies liable to require compliance.
There are specific rights to every EU citizen as part of GDPR:
- The right to be informed
- The right to access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- The right to not be part of automated profiling or decisions based on data
As a citizen of the EU, you have the right to know how your data is being used. It must be clearly disclosed, i.e. with full transparency. You have the right to access your own data and to view how it’s being used. I’m unsure what format or interface that will be offered, but I’m foreseeing something similar to credit reporting, but it will be individual data reporting. Also, similar to credit reporting, if the data that’s out there is incorrect, you’ll have the ability to request it be corrected if it’s incorrect or incomplete.
If you decide you want to be forgotten, you have the right to request your data be removed. The company must provide a valid reason for storing the data in the first place, but if they can’t provide any, then it must be deleted. Even if they do get to store it, you can also request for it not to be processed, especially if the data is incomplete or incorrect. You’ll have the opportunity to require a company to wait to process until time a data completion request is finalized, ensuring that incomplete or incorrect data doesn’t progress through other systems.
Just like with medical data, due to HIPAA, you can make requests of your data and ask that it be used in another system for credit and banking. This could cut down on unnecessary copies and may build the initiative for a personal ID, outside of a person’s Social Security Number that is both inefficient and leaves us more open to identify theft.
You can object to your data being added to companies, such as marketing campaigns, which could cut down on spam calls, marketing mailings, etc. Think about the amount of trees that could be saved with that second one.
The next is in the best interest in the future of machine learning and AI- You have the right to remove your data from any automated decision or profiling performed on your data. This could have serious impact to automated advertising through machine learning and for those that are considering breaking this rule, I’d reconsider. Any organization that breaches any of these could suffer fines up to 20 million euros or 4% of your global turnover. That’s even more money in the US, so don’t take this lightly.
So, whatever you do, if you haven’t started working on your GDPR initiative, start. You’re behind and there’s a lot to cover in a short 4 months to gain compliance.