Last updated on May 10th, 2018 at 03:36 pm
This is a joint byline written by Cliff Gibson, Director, DBR Data and Michael Hiskey, Head of Strategy, Semarchy.
You have the right to remain silent. Everything you do with your data may be used against you.
That will be the case starting 25 May, when the General Data Protection Regulation (GDPR) comes into effect. Although GDPR gives EU citizens the biggest data privacy rights in history, including the “right to be forgotten,” it could also open the door for data to become a weapon of mass destruction.
Of course, in a world where big data helps rig elections, medical data is badly bungled, fake social media accounts are use to steal PII, and AI is always one step away from going awry, it may seem that we’re already there.
But, when it comes to misused data, the line between accident and intention can be blurry. When people connect to unsecure public WiFi that exposes their bank account password, who is at fault? When organisations deploy bots to gain a competitive advantage, are they crossing ethical or legal lines?
The bottom line is that, in today’s ultra-competitive, ultra-connected data-driven world, where a thousand noisy opinions can be worth more than a single fact, manipulating data through or around regulations is a high-tech wire where bad actors can win the day.
For instance, in the Life Sciences industry, many PMCBA (Prescription Medicines Code of Practice Authority) complaints made are from competitors. The motivations are age-old—individuals have always tried to sabotage companies to impress bosses, reach sales targets, or exercise grudges—but combination of technology and new regulations make complaining easy as ever.
And if you think it’s easy to lodge a complaint from your smartphone while sitting in the audience as a competitor presents its new product, wait until Machine Learning algorithms train themselves to automate—and anonymise—the process.
So, what has this got to do with GDPR?
Having studied the 99 detailed, nuanced, yet not-fully-fleshed-out Articles that comprise GDPR, we can easily imagine how the regulations could be the next ambulance chasers’ dream:
“Has [your company name here] lost your data? Contact [unscrupulous company here] today to make a no-win, no-fee claim!”
Had GDPR been live in 2013, that could have been an effective sales pitch to the dozens of soon-to-be disgruntled HMV ex-employees who watched their co-worker live-tweet mass firings from the official company account.
Ex-employees know all about their ex-company’s systems, where it kept its data and whether it engaged in data practices that may not be fully compliant. Now they’ll be able to flood their former organisations with Subject Access Requests, which must be fully granted, free of charge.
Or the ex-employees and their current companies could run an undetectable script that creates fake Facebook, LinkedIn, and Twitter accounts coordinates the requests—costing them nothing and you everything.
Ultimately, they are endless ways that individuals and organisations can weaponise honestly collected data and good-intentioned regulations. But there’s only one sure-fire way to protect yourself: having the appropriate processes, governance, and systems to get a Single View of Person across your organisation.
Appropriate measures start with having the relevant Privacy Policies in place, ensuring that you are transparent with how you process PII. To generate a meaningful Privacy Policy, you’ll need a full understanding of what data you process and who has access. What systems do you use? Which third parties do you share data with? And—since GDPR demands it—who is your controllers, your processor, and your Data Protection Officer (DPO)?
Obtaining this Single View of Person means understanding, for instance, that if you have an employee who is also a customer, you don’t have their data duplicated in your HR and CRM. To make this happen on the backend, you need auditable Operational and Technical assessments, supports Privacy by Design, Data Protection Impact Assessments, and you need an intelligent data hub that combines all your data sources, removing duplication, enforcing retention policies, improving data quality and even supporting a Personal Portal for users to log on and see their data in real time.
In our brave new regulatory world, it’s the only way to demonstrate control, build trust, nurture long, loyal relationships—and keep bad actors away from good information.