The General Data Protection Regulation (GDPR) is a transformative shift in privacy. In many respects, it signals a move away from a policy-based data governance approach to a technology-based approach that can enforce data protection policies for personal data. How can we achieve this and what’s the solution for managing compliance?
Traditional privacy programs rely on written rules that cannot prevent unauthorized data use before it occurs. Because the GDPR significantly expands the rights of data subjects, it requires organizations to implement technologies capable of enforcing policies, so that for certain data use cases misuse is prevented before it can happen rather than detected afterwards. In some circumstances, the regulation may require pseudonymisation [1] to defeat unauthorized data linkages, and data protection by default [2] to protect data on a per-use basis by limiting access to the data authorized for that use.
How Will the GDPR Affect You?
- Broad Application: The GDPR is the biggest regulatory change in data protection in several decades, and it applies to almost all organizations operating internationally – no physical presence or EU sourced revenues are required – all that is required is the processing of a single data record of a data subject residing in the Union, regardless of where an organization is located.
- Substantial Risks for Non-Compliance: Failure to comply with the GDPR exposes organizations to significant liability, including fines of up to 20 Million Euros or 4% of global gross revenues, class action lawsuits, joint and several liability among data controllers/processors, and adverse public perception.
- Cannot Use Existing Legal Bases: In many instances, the GDPR prohibits organizations from performing data processing activities that they have relied upon for years – including personalization, analytics, machine learning, and sharing data with third parties. To lawfully continue such processing, alternate legal bases may be required, necessitating new technical capabilities that security and privacy technologies developed prior to the regulation do not support.
- Cannot Use Existing Consent Frameworks: Data uses made possible by the advanced state of technology (e.g., personalization, customization, analytics, artificial intelligence, and machine learning) often render consent impractical as a legal basis, since new uses and opportunities do not arise until more in-depth analysis is completed [3]. In many instances, consent cannot encompass the iterative nature of these digital advances.
- Lost Insight and Intelligence: Many organizations will miss out on insights made possible by advanced technology if they rely on complying with GDPR requirements using consent alone.
The GDPR Solution – Controlled Linkable Data
- The state of the art in data protection [4] – Controlled Linkable Data [5] – has advanced to the point where it enables organizations to unlock data and accomplish desired data processing objectives in compliance with the GDPR.
- This new state of the art – Controlled Linkable Data – enables the “dialing-up” or “dialing-down” of the linkability (identifiability) of data to support legal data uses in compliance with the GDPR.
- The Controlled Linkable Data solution extends beyond GDPR compliance to enable controls necessary for secondary uses of data underlying the new global digital economy.
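The "dialing" of linkability described above can be illustrated with purpose-scoped pseudonyms. The following is an added example, not code from the page or from any Controlled Linkable Data product: a hypothetical key custodian (`PseudonymService`) derives a separate HMAC key per purpose, so two datasets pseudonymised for the same purpose remain joinable while datasets pseudonymised for different purposes are not, and re-identification is gated behind an authorisation decision (data protection by default). The records and master key are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed sample data: two departments hold records on overlapping people.
CRM_RECORDS = [
    {"email": "alice@example.com", "segment": "premium"},
    {"email": "bob@example.com", "segment": "basic"},
    {"email": "carol@example.com", "segment": "basic"},
]
SUPPORT_RECORDS = [
    {"email": "bob@example.com", "tickets": 3},
    {"email": "carol@example.com", "tickets": 1},
    {"email": "dave@example.com", "tickets": 7},
]


class PseudonymService:
    """Hypothetical key custodian; the only party able to derive or reverse pseudonyms."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._reverse: Dict[str, str] = {}  # pseudonym -> identifier, custodian-only

    def _scope_key(self, purpose: str) -> bytes:
        # One derived key per purpose: pseudonyms for different purposes are unlinkable.
        return hmac.new(self._master, purpose.encode(), hashlib.sha256).digest()

    def pseudonymise(self, identifier: str, purpose: str) -> str:
        key = self._scope_key(purpose)
        token = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[token] = identifier
        return token

    def reidentify(self, token: str, authorised: bool) -> Optional[str]:
        # Data protection by default: reversal only succeeds for an authorised use.
        return self._reverse.get(token) if authorised else None


def pseudonymise_records(svc: PseudonymService, records: List[dict], purpose: str) -> List[dict]:
    """Replace the direct identifier with a purpose-scoped pseudonym."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k != "email"}
        stripped["pid"] = svc.pseudonymise(rec["email"], purpose)
        out.append(stripped)
    return out


def shared_pseudonyms(a: List[dict], b: List[dict]) -> Set[str]:
    """Pseudonyms on which the two datasets could be joined (linkability check)."""
    return {r["pid"] for r in a} & {r["pid"] for r in b}
```

Running the CRM and support sets through the same purpose yields two shared pseudonyms (Bob and Carol); using different purposes yields none, and only an authorised call to `reidentify` recovers the original identifier.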