Back in 2014, WIRED magazine wrote that “data is the new oil of the digital economy.” And for the past three years, that has become a dominant refrain within the business world. In 2017, for example, The Economist wrote that “the world’s most valuable resource is no longer oil, but data.” No wonder, then, that corporations across Europe are starting to have very real concerns about the forthcoming European General Data Protection Regulation (GDPR), which will go into effect in May 2018.
In an attempt to address those concerns, a recent GDPR Innovation Briefing in Brussels brought together some leading thinkers on data privacy and data protection. At the event, Wojciech Wiewiorowski, Assistant Supervisor at the European Data Protection Supervisor (EDPS); Martin Abrams, Executive Director & Chief Strategist for the Information Accountability Foundation (IAF); Hilary Wandall, General Counsel & Chief Data Governance Officer at TrustArc; and Gary LaFever, CEO at Anonos, weighed in on the key concerns and misconceptions about the GDPR.
Is GDPR a data embargo on the digital economy?
If you accept the notion that data, indeed, is the new oil of the digital economy, then the new GDPR is the equivalent of an oil embargo. In a worst-case scenario, suggest pundits, it will choke off economic growth and cause the collapse of entire industries, just as an oil embargo of any nation would choke off future economic growth. In fields such as e-commerce, artificial intelligence, and healthcare, this data embargo would be potentially catastrophic.
There’s just one problem with that rather forced analogy – data, unlike oil, is not a finite resource. Prior to the 1970s, data was a finite, static resource, and something that could be housed on a mainframe computer in a vast computing center. Consumers would give their consent for corporations to use that data, and it would be incumbent upon corporations to protect that data on massive mainframes.
But, as speakers at the GDPR Innovation Panel noted again and again, something has fundamentally changed in the way that we think about data, use data, observe data and collect data. Nobody would dispute the fact that the sheer amount of data is growing every day on an exponential basis. Think about how much data your smartphone collects on an everyday basis. Then think about the sheer size of the Internet of Things, which is collecting more data than most companies know what to do with. It’s easy to see that data – unlike oil – is not a finite resource.
And that’s why the GDPR is not going to slow down the digital economy. The genie, as it were, is out of the bottle. Consumers don’t want to stop using their smartphones, their apps and their technological gadgets. They don’t want to stop ordering items online via e-commerce sites. And they certainly don’t want their favorite social networks to shut down due to the GDPR.
Think outside the checkbox
This suggests that the GDPR will shift the emphasis from a policy-based approach to data governance to a technology-based approach to data governance. In terms of innovation and economic growth, this is potentially a very exciting development because it will force companies to shift away from a purely consent-based form of compliance. For most corporations, data privacy today consists only of a single box that consumers must check before using their services – and that has made them think of data as a compliance issue rather than an innovation issue.
No wonder, as was pointed out at the GDPR Innovation Panel event, 61% of corporations within the EU have not moved beyond just a rudimentary analysis of how to respond to the GDPR. They are viewing this as purely a compliance issue, and thus, as a net drag on their earnings.
In fact, some experts at this recent panel discussion on GDPR and innovation suggested that some corporations might actually view the cost of non-compliance (i.e., getting hit with a fine) as less burdensome than the cost of compliance (i.e., staffing up with very expensive lawyers).
As Hilary Wandall pointed out at the GDPR briefing, “A number of organizations… are still just too early in the process of analyzing their data and how their data are actually being managed within their organizations. They are still at that phase of the evaluation as opposed to really thinking about maximizing the kinds of data analyses that they will need to do going forward with the GDPR.”
Technology is the cause, the effect and the solution
Ultimately, technology is the cause, the effect and the solution when it comes to data privacy and data protection. This is a very important point to keep in mind. The proliferation of new ways to collect, analyze and use data is the result of technology. And so any solution to the problem of how to protect that data will also involve technology.
Martin Abrams pointed out that, “In terms of the movement of data, the fact is that the obligations that come with data will continually have to move with the data and we have to figure out better technology ways for those obligations to move with the data.”
Gary LaFever also touched on the ways that technology must be involved in any data privacy solution: “It sounds like technology is the cause, the effect, and also the solution on how we can continue to use data, control those flows, and get the benefit of that data while still respecting the fundamental rights of the individual.”
To understand how and why technology can be both the problem and the solution, consider the everyday toaster that’s in your kitchen right now. As a consumer, you expect to wake up every day and turn a piece of bread into a piece of toast without incurring any risks. You also expect plenty of buttons, dials and options to ensure that you can control the intensity of the toaster, and to create the perfect outcome. Some days, you may want to toast a bagel, other days, a muffin. And only on a few rare days do you think about the risks involved, such as a potential fire breaking out in your kitchen.
This “fire prevention in a toaster” analogy is one that data privacy experts are now using to guide companies in their use of data. Companies need to build in enough protections to prevent fires and to prevent consumers from burning their hands. But they need to make the process as user-friendly and convenient as possible. In short, regulation didn’t kill the toaster industry, and there’s no reason why it will kill the data industry.
Still not convinced? Then think of the transportation ecosystem, suggested Wojciech Wiewiorowski. The ecosystem involves a vast network of roads and highways. You can think of this as the data superhighway. And then there are all the vehicles that must use this ecosystem – you can think of this as the products and services that are reliant on data to work effectively. Somehow, there has to be a brilliant compromise to make the system as easy and safe to use as possible.
As Wiewiorowski underscored, “The road code is created in order to facilitate the way that we transport things and transport people. But, of course, it somehow limits the ways that we try to invent solutions. This is the kind of price that we pay for a civilized way for the flow of personal data in the world. So that goal is as important as the protection of data itself.”
As a result, there are plenty of traffic regulations to govern the roads and highways, and there are plenty of auto regulations to govern the production of vehicles capable of using those roads and highways. While there is certainly some risk involved (i.e. a highway mishap between two vehicles), nobody is calling for the abandonment of the highway system and the end of the production of autos.
GDPR will drive greater growth of the digital economy, not less
For that reason, it’s hard to see how the GDPR is going to slow down the digital economy. The pace of technological innovation is so great that it continues to create new paradigms that people could not have even imagined a few years ago. For example, consider the fact that, until a few years ago, all data was stored on physical devices. Now data is stored “in the cloud” where it can be accessed by many people at one time.
It’s this type of enormous technological innovation that we can expect moving forward. Yes, the first steps towards adjusting to life under the GDPR in 2018 will be difficult. But once corporations stop thinking of it as a compliance issue, and start thinking of it as a technology issue, it will become clear that the digital economy is going to proceed full steam ahead. The technological implications of the GDPR will drive greater growth of the digital economy, not less.
This article originally appeared in CPO Magazine.