As Europe prepares to start enforcing its new General Data Protection Regulation (GDPR) in 2018, the arguments for and against more regulation continue to build.
Whether you are a customer or a vendor, though, the GDPR's promise to unify, and therefore simplify, the compliance requirements for data protection is a positive.
Are Regulations and Compliance Enough?
Of course, the GDPR directly binds only organizations that process the personal data of people in the EU (wherever the organization itself is based), but it is a step in the right direction for the whole world. The current status quo leaves organizations to cobble together their own requirements, which, for vendors and customers alike, create huge barriers to business innovation.
However, the trade-off between the innovation that more sophisticated data analytics makes possible and the risk of litigation for non-compliance remains ever-present. We all want the benefits that can accrue from appropriately targeted analytics, but at what cost?
The bigger question, though, is whether regulations and compliance can be enough to create the desired behaviors.
Looking Through the Ethics Lens
At a recent conference on data privacy in Sydney, Australia, ethics expert and executive director of the Ethics Centre Simon Longstaff, noted, “When technical mastery is divorced from ethical intent, you get tyranny.”
Longstaff encouraged companies to apply their own ‘ethics lens’ when developing new applications that might put personal privacy at risk.
At that same event, Data Governance Australia chairman Graeme Samuel suggested that legal compliance alone will not be sustainable in the long term: it will not only stifle innovation but also fail to deliver the best outcomes for consumers.
The unifying tenet of these arguments is that regulation will never keep up with the pace of technological development, so we need to look at other ways to govern the inappropriate use of personal data.
Perhaps that approach can be found in the market itself?
Just Saying No to Privacy Concerns
A recent Australian national privacy survey indicated that around 60 percent of respondents choose not to deal with organizations that raise privacy concerns for them. And these privacy concerns aren't limited to unlawful activities.
For example, inside the enterprise, the idea of tracking 'digital footprints' is not new. Yet, although email archives are typically the legal property of the enterprise, most organizations will avoid applications that make their employees feel their privacy is being compromised.
Building Consumer Trust
Tech companies are also aware that their need to build trust with their customers goes well beyond their legal obligations. Google's 'Don't be evil' code of conduct was an early acknowledgement of the potential power the company has over people's lives.
On a smaller scale, when my company named itself SWOOP Analytics, one of our founders quickly identified the danger of that name being turned into 'SNOOP Analytics' instead.
Looking Beyond Compliance
As the GDPR rolls out, many services are becoming available to help both vendors and clients comply with the new rules. But as I have highlighted, compliance is not the end game.
In fact, it would be naïve to think that there will be no room for behavior that technically complies with the GDPR but is still unethical. GDPR advice therefore needs to go beyond compliance and address the more fundamental question of what constitutes ethical behavior.
Scary Data Protection Risks
Nor is the line between ethical and unethical behavior black and white. In a recent discussion with a friend who sits on the boards of several publicly traded companies, she noted that they were continuously receiving presentations from IT security groups.
She reflected that the presenters did a great job of identifying data protection risks that could "scare the living daylights out of you."
The 5 Tenets of Risk Management 101
The dilemma, then, is getting the balance right. Legal compliance is a given; beyond that, it comes down to risk management 101:
1. Identify the risks
For consumers, enterprises and vendors alike, what are the worst things that could happen if personal data were lost? For example, someone learning your gender might lead to some unwanted advertising; someone gaining access to your financial information would be potentially far more damaging.
2. Determine your vulnerability to the identified risks
Inside the enterprise, individuals are required to provide personal details to their employers. For example, employers need your banking details in order to pay you. Understanding the potential vulnerabilities in your employer's systems, as well as those of your bank, is very important.
3. Assess the likelihood that these risks could materialize
Using the previous example, even if someone were to acquire your banking details, how likely is it that they could do any material damage? Over time, consumers have become more relaxed about providing personal details on platforms like Facebook and LinkedIn as they make their own cost/benefit trade-offs for doing so.
4. Identify what actions you can take to mitigate the identified risks
Social platforms now give you many options to manage your personal exposure. Interestingly, fewer than 50 percent of us ever bother to use them.
5. Prioritize and implement your risk mitigation actions
Whether you are an individual, a vendor or an enterprise, the best way to strike the right balance between risk and reward is to carefully prioritize your risk reduction strategies and tactics, and then act on them.