News, insights and resources for data protection, privacy and cyber security leaders

The GDPR Locks Up Your Data. What’s the Solution?

The General Data Protection Regulation (GDPR) is a transformative shift in privacy. In many respects, it signals a move away from a policy-based data governance approach to a technology-based approach that can enforce data protection policies for personal data. How can we achieve this and what’s the solution for managing compliance?

Traditional privacy programs rely on written rules, which cannot stop an unauthorized use of data before it happens. The GDPR significantly expands the rights of data subjects and, for certain processing, expects organizations to back those rules with technical measures that prevent misuse before it occurs. In some circumstances the regulation calls for pseudonymisation [1], so that data can no longer be attributed to a specific person without additional information that is kept separately, which defeats unauthorized linkage of data sets, and for data protection by default [2], so that on each use only the personal data necessary for that specific purpose is processed and accessible.


How Will the GDPR Affect You?

  • Broad Application: The GDPR is the biggest regulatory change in data protection in several decades. Under Article 3 it applies to organizations established in the Union and, regardless of where an organization is located, to the processing of personal data of data subjects in the Union where that processing relates to offering them goods or services or to monitoring their behaviour. For that second category no physical presence in the EU and no EU-sourced revenue are required.
  • Substantial Risks for Non-Compliance: Failure to comply with the GDPR exposes organizations to significant liability, including administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Article 83), representative and class actions, joint and several liability among data controllers and processors, and adverse public perception.
  • Cannot Use Existing Legal Bases: In many instances, organizations can no longer rely on the legal bases they have used for years for processing such as personalization, analytics, machine learning, and sharing data with third parties. To lawfully continue such processing, alternate legal bases may be required, which in turn call for technical capabilities that security and privacy technologies developed before the regulation do not provide.
  • Cannot Use Existing Consent Frameworks: Data uses made possible by the advanced state of technology (e.g., personalization, customization, analytics, artificial intelligence, and machine learning) often render consent as a legal basis impractical, since new uses and opportunities do not arise until more in-depth analysis is completed [3]. In many instances, consent cannot encompass the iterative nature of these digital advances.
  • Lost Insight and Intelligence: Many organizations will miss out on insights made possible by advanced technology if they rely on complying with GDPR requirements using consent alone.


The GDPR Solution – Controlled Linkable Data

  • The state of the art in data protection [4], Controlled Linkable Data [5], has advanced to where it enables organizations to accomplish desired data processing objectives in compliance with the GDPR and so unlock their data.
  • This new state of the art – Controlled Linkable Data – enables the “dialing-up” or “dialing-down” of the linkability (identifiability) of data to support legal data uses in compliance with the GDPR.
  • The Controlled Linkable Data solution extends beyond GDPR compliance to enable controls necessary for secondary uses of data underlying the new global digital economy.
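The pseudonymisation and "dialing" of linkability described above can be illustrated with generic keyed pseudonymisation. The following is an added example written for this page; it is not code from the article and not Anonos's BigPrivacy technology. The records, e-mail addresses and the two purpose keys are constructed (the keys are fixed only so the run is reproducible; in practice each would be a random 32-byte secret held by the controller in a KMS or HSM, separately from the pseudonymised data). The function and dictionary names are the example's own.

```python
"""Per-purpose keyed pseudonymisation: an added illustration, not the article's code.

Same identifier, same purpose key  -> same token  (linkable within the purpose,
                                                   so per-subject analytics still work)
Same identifier, different purpose -> different token (not linkable across purposes)
No key                             -> token cannot be inverted or confirmed by guessing
Key holder                         -> can re-identify ("dial up") when a legal basis exists
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records about fictional people.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "city": "Dublin", "spend": "120"},
    {"email": "bob@example.com", "city": "Lyon", "spend": "75"},
    {"email": "alice@example.com", "city": "Dublin", "spend": "40"},
]

# Hypothetical purpose keys, fixed here only for reproducibility. Two processing
# purposes get two different keys, so tokens issued for one cannot be matched to
# tokens issued for the other. This is the "additional information kept separately"
# of Article 4(5) GDPR and must never be stored beside the pseudonymised data.
PURPOSE_KEYS: Dict[str, bytes] = {
    "analytics": bytes.fromhex("00" * 31 + "01"),
    "marketing": bytes.fromhex("00" * 31 + "02"),
}


def new_purpose_key() -> bytes:
    """How a real purpose key is generated: 32 random bytes from the OS CSPRNG."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, purpose_key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a purpose-specific key."""
    return hmac.new(purpose_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], purpose: str,
                 keys: Dict[str, bytes] = PURPOSE_KEYS) -> List[Dict[str, str]]:
    """Replace the direct identifier with a purpose-bound token ("dial down" linkability)."""
    out = []
    for rec in records:
        rec = dict(rec)                      # do not mutate the caller's data
        rec["subject"] = pseudonym(rec.pop("email"), keys[purpose])
        out.append(rec)
    return out


def can_link(dataset_a: List[Dict[str, str]], dataset_b: List[Dict[str, str]]) -> bool:
    """True if any subject token appears in both data sets (cross-data-set linkage)."""
    return bool({r["subject"] for r in dataset_a} & {r["subject"] for r in dataset_b})


def reidentify(token: str, purpose: str, candidates: Iterable[str],
               keys: Dict[str, bytes] = PURPOSE_KEYS) -> Optional[str]:
    """Controlled re-identification ("dial up"): only the holder of the purpose key
    can recompute tokens for known identifiers and match them to the token."""
    for ident in candidates:
        if hmac.compare_digest(pseudonym(ident, keys[purpose]), token):
            return ident
    return None


def naive_hash(identifier: str) -> str:
    """Unkeyed hash. NOT pseudonymisation in the GDPR sense: no separately held
    secret exists, so anyone can recompute the token from a guessed e-mail address."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def guess_naive(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What an outsider can do to an unkeyed hash: a dictionary attack with no key at all."""
    for ident in candidates:
        if hmac.compare_digest(naive_hash(ident), token):
            return ident
    return None


if __name__ == "__main__":
    analytics = pseudonymise(RECORDS, "analytics")
    marketing = pseudonymise(RECORDS, "marketing")
    print("same subject within analytics:", analytics[0]["subject"] == analytics[2]["subject"])
    print("linkable across purposes:", can_link(analytics, marketing))
    guesses = ["bob@example.com", "alice@example.com"]
    print("key holder re-identifies:", reidentify(analytics[0]["subject"], "analytics", guesses))
    print("outsider breaks unkeyed hash:", guess_naive(naive_hash("alice@example.com"), guesses))
```

The point of the contrast between `pseudonym` and `naive_hash` is that a plain SHA-256 of an e-mail address is commonly sold as "pseudonymisation" but fails the Article 4(5) test: with no separately held key, a third party who receives the hashed data set can link it to any other hashed data set and confirm identities by guessing. Rotating or revoking a purpose key is what actually switches a data set from linkable to unlinkable for that purpose.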

Gary LaFever

CEO at Anonos
Gary LaFever is Chief Executive Officer at Anonos. Anonos’ first-of-its-kind BigPrivacy technology supports the transformative shift in data protection from policy-only approaches to a technology-based approach that granularly enforces data protection policies, as now required under the GDPR and other evolving data protection regimes. Gary was formerly a partner at the international law firm Hogan Lovells.


    2 Comments
    1. DJ White says

      Interesting article, but it grossly misstates the law in many instances. For example the first section regarding applicability of the GDPR states that “all that is required is a single data record of an EU resident.” This is incorrect and a massive overstatement. That an EU citizen travels to a non-member country and provides a single record with PII to a local merchant as part of a transaction does not then subject that merchant to the GDPR. The merchant needs to either also be established in the EU and collecting the data in the context of those activities, or specifically be marketing to or monitoring the behaviors of EU data subjects. This is but one example of misstatements of the law. That said, the technology seems useful and interesting, where actually needed.

      1. Gary LaFever says

        DJ,

        Thank you for the comment. You correctly point out that in trying to make the article more “conversational,” I used language that was imprecise.

        The article has been modified to address your comment.

        Thanks again!

        – Gary
