This is not “yet another” article spooking you with the eye popping “Fines of up to 4% of revenue or 20 million Euros for failure to meet GDPR regulations.”
There are plenty of webinars, self-styled GDPR analysts and experts who are drumming up the fear of the upcoming looming GDPR May deadline. Granted, some may be motivated to educate, but a bulk are hoping to monetize the spend that goes into data classification, encryption, key management and the like. Which is fair if you are a business who is looking for a compelling event to monetize but I believe we are selling ourselves short as a technology community. There is a higher moral ground that we need to strive for. That higher bar that I refer to is a different expansion of the GDPR acronym – Genuine Data Protection Renaissance.
Before you fall off your chair let me explain. The main tenets of GDPR – data portability, breach notification, data protection by design and default, data/storage minimization, opt-in consent, right-to-erasure, appropriate technical measures, evidence of compliance – are amazing codification of laws that every service provider and vendor on this planet – that may or may not be impacted by the regulatory framework itself – would do well to make an integral part of their DNA and offering – for their existence and their customers’ well-being. Sound like fiction? Let me explain.
1. Data portability
With the cost of storage plummeting, sensors everywhere and the need to understand your customer “deeply” – collection of data is becoming the norm (see #3 where I talk about this issue). But along with this collection, if there is a consequential & moral decision that all this data needs to be portable that can be handed over to me – the end customer – on demand, imagine “what a wonderful world it would be.”
2. Data protection by design and default
Again, every piece of data that is collected needs to be, by definition, secured. Period. That becomes the design criteria for every product, architecture and service. I can sleep soundly at night.
3. Data/storage minimization
I have heard this phrase at least a hundred times just in 2018 across vendors and service providers. “We collect data because we can, we will decide later what to do with it”. #Stop. Just because you can doesn’t mean you should. And this tenet codifies that. Stop instrumenting me all the time.
4. Opt-in consent
If I did not explicitly say “I do,” it means I said, “I do not.” Because by default I always say “No.” And that does not mean that you – Mr. Provider – paralyze me with a 60-page EULA that I have no option but say “I do” without knowing what I am saying yes to. There is a better way. Let me know what data you are collecting, why and how I can revoke that consent any time. #Easy
5. Right to erasure
The digital exhaust that I leave behind continually is something that I am blissfully unaware of so if you can provide me with an “easy” button that I can hit any time and all my bits are erased for eternity, I will breathe a lot easier and trust you a whole lot more.
6. Appropriate technical measures
This is all you. Not just adhering to a regulatory framework but going above and beyond a “box-check.” Now that is truly raising the bar. Appropriate technical and ethical measures. #Wow
7. Evidence of compliance
If you did all the above, then this is a piece of cake. Log everything, provide a forensic trail. But there is a catch. Frequently, this is an escape hatch. It is so much less arduous if you just did enough to show that you did a ‘best effort’ so even if a data breach happens we do not get fined. That is subversive, escapist and downright immoral. And organizations that turn this attitude on its head and truly make this a no-brainer because they did #1–#6 right will eventually win.
So, there you have it. A genuine renaissance for data protection. Not just for EU but for humanity.