Understandably, corporations are becoming increasingly concerned about the impact of the European Union (EU) General Data Protection Regulation (GDPR), which is set to go into effect in May 2018. According to the conventional wisdom in the mainstream media, the GDPR will establish a fundamentally new regulatory regime that will “lock up” data, bring about a chilling effect on economic expansion and dampen EU GDP growth.
But is that really the case? Participants at a recent GDPR Innovation Briefing in Europe tended to take the view that the GDPR would actually help – not hurt – the European economy. At the event, Wojciech Wiewiorowski, Assistant Supervisor at the European Data Protection Supervisor (EDPS); Martin Abrams, Executive Director & Chief Strategist for the Information Accountability Foundation (IAF); Hilary Wandall, General Counsel & Chief Data Governance Officer at TrustArc; and Gary LaFever, CEO at Anonos, weighed in on the key dimensions of the GDPR in terms of EU GDP growth.
The GDPR is not a fundamentally new way of looking at data
While the GDPR does shift the responsibility for data protection from individuals to corporations, it does not represent a fundamentally new way of looking at data. The goal is not to “lock up” data and keep corporations from using it. Rather, the goal of the GDPR is to make corporations better data stewards, fully aware of the responsibilities that they have for their data subjects (i.e. consumers).
This is very important from the perspective of economic efficiency and productivity. It will make corporations much more aware of data ecosystems within industries, and how the flow of data within that ecosystem poses both risks and rewards for customers. It will be incumbent upon corporations to ensure that the rewards far outweigh the risks, and that will force them to establish a more holistic way of looking at data. In fact, it’s possible to argue that companies will be more willing – not less willing – to embrace technology such as artificial intelligence if it can help them address privacy and data protection concerns.
“Thinking about data” is very different from “acting on data”
Within the regulatory world of data protection, there is an important distinction between “thinking about data” and “acting on data.” As Martin Abrams outlined at the GDPR Innovation Briefing, the fact that “thinking with data” is generally not regulated has been a huge competitive advantage for the United States, and something that Europe should keep in mind.
“Thinking about data” refers to the ability to spot trends, establish correlations between data points and pull out the important stories that the data is telling. So the good news is that it appears that any enforcement of the GDPR will focus more on how companies act on data than on how they think about data.
As experts such as Abrams have pointed out, this is more akin to the U.S. regulatory regime for data, which places few barriers on merely “thinking about data.” This has enormous implications for companies, because many of the innovations coming in fields such as machine learning and artificial intelligence (AI) are based more on “thinking about data” than on “acting on data.” Thus, the impact on the growth trajectory of the Internet of Things and AI may be much less than currently assumed.
Consumers want data protection AND innovation
Ultimately, the European GDPR is about protecting citizens and their data, and so it’s no surprise that the focus has to be on the consumer. And, from initial surveys and studies that have been done, consumers do not want a worse user experience in exchange for increased data security and data protection. In essence, consumers want to be assured that their data is safe, but they do not want companies to stop producing new technology innovations that will make their life easier. And they do not want to have to consent every time they use their technology devices.
As Hilary Wandall pointed out at the GDPR briefing, one of the best examples involves the new fitness trackers – such as the Fitbit – that consumers wear on their wrists on a daily basis to keep track of their overall fitness level. The device is easy to wear and easy to use – and it is enormously popular. Consumers are satisfied with the status quo – they consent one time to have the devices monitor their health, and then the device works ambiently in the background for the entire day. They do not have to get a new consent every day, nor do they have to ask people around them for consent. The benefits (i.e. the ability to track and monitor one’s health) far outweigh the risks (i.e. the risk that some unscrupulous hacker will steal their health information from the cloud).
The GDPR will encourage technological solutions to data privacy concerns
It may sound counter-intuitive, but the GDPR may actually encourage more technological innovation, rather than less, because companies will need to come up with technological solutions to data privacy concerns. This can have a positive effect on EU GDP.
As Hilary Wandall noted in her remarks to a GDPR Panel on Innovation, one of the best examples of technological innovation at work comes from the healthcare industry. Data is key to the outcome of clinical trials, as pharmaceutical companies look for new breakthrough drugs. It can take years to assemble enough data, and for that reason, pharmaceutical companies have looked long and hard for ways to use data they already have as part of new secondary research. How can they use patient data as part of new trials, when it is often difficult or impossible to track down and receive consent from the original patients?
The answer has to do with innovation. Pharmaceutical companies found a way to make the data anonymous – and once they did that, there was no longer the same legal or regulatory risk. It’s important to understand that anonymous data both protects the consumer (which should be the goal of any data protection law) and enables corporations to move forward with new product trials and new product launches (which is good for economic growth). It is, essentially, a win-win for everyone involved – especially because other industries have also embraced the concept of anonymized data to protect consumers.
Emphasis on technology-based data governance will drive EU GDP growth
In short, fears of the European GDPR may be greatly overblown. While the new regulation is complex and comes with onerous fines (4% of global turnover in a worst-case scenario), it does not represent a fundamentally new approach to data privacy and data protection. Rather, it pushes the responsibility for data protection from the individual to the corporation.
That, in turn, will force corporations to take a more holistic view of all the data they have and how it flows throughout the entire data ecosystem of their industry. And that emphasis on a technology-based data governance approach will encourage them to come up with new technological solutions to everyday privacy problems and concerns. That could end up being very good for economic growth and the future trajectory of EU GDP.
This article originally appeared in CPO Magazine.
Pre-GDPR Pseudonymization versus GDPR Compliant Pseudonymization
How GDPR compliant pseudonymization requirements have evolved from prior standards: