The European Union’s General Data Protection Regulation, which focused on increasing protection for EU residents’ privacy and personal data, became enforceable in May 2018. Organisations worldwide have been working steadily towards tightening their systems for GDPR. And yet today, there is still much confusion and misinformation being communicated about data security and data privacy.
Over the past year the importance of privacy and data protection has increased dramatically. Data is the new currency. The insurance market – like so many others – is shifting towards embedding the Internet of Things (IoT), and the data coming from connected devices, into the enterprise. Will this be the year that new methods for expressing customer consent to edge computing of personal data become the norm? In this operating model the customer’s phone or other device – for example a motor telematics unit or a health insurance wearable – becomes the core operating platform, located at the ‘edge’ of a much bigger network, and personal data can be processed there rather than being sent to a central server.
Certainly there are likely to be new models of data ownership and sharing based on the platform principle. Some examples here include data associations, data unions and data trusts. One thing is for certain, the ripples of GDPR, the discussion of data ownership and the whole privacy debate are being felt far beyond national borders and the EU external border.
Companies are rightly concerned that the products and services they deploy provide appropriate privacy protections. The latest Cisco Data Privacy Benchmark Study showed the extent to which customers’ privacy concerns are slowing the onboarding of new customers across a range of industries: the average sales delay now stands at 3.9 weeks. Based on a survey of more than 3,200 security and privacy professionals in 18 countries, 87% of companies say they are experiencing delays in their sales cycle due to customers’ or prospects’ privacy concerns, up from 66% the previous year.
This change is most likely due to the increased privacy awareness brought on by GDPR and by the frequent data breaches in the news.
Those organisations that have invested in data privacy to meet GDPR report a lower incidence of data breaches, less costly breaches and shorter delays in the sales cycle.
Interestingly, GDPR readiness is also delivering broader benefits from the underlying data management investments: greater agility and innovation from having appropriate data controls, competitive advantage, and improved operational efficiency from having data organised and catalogued.
It is all about maximising the value of the data. And in an interconnected world, both the benefits and the stakes of being a good custodian of data are continually rising.
Prosecutions and enforcement actions will become more multilateral. For example, in one high profile case the data controller was recently fined by the ICO in respect of the UK residents affected, and separately by the Dutch regulator in respect of the effect in its jurisdiction.
Given the harmonisation purpose of the GDPR, we can expect the value of fines issued in different countries to be roughly proportional to the number of people affected in each country.
There are going to be many more complaints to the regulators, and these will become increasingly sophisticated. For example, more people will question the legitimacy of certain kinds of personal data processing. Complaints about processing of personal data without specific notice of the processing will become more common.
Differential privacy and consumer consent processes
Then we come to the question of differential privacy, and of how a consumer can give meaningful consent to data processing in a dynamic and interconnected IoT environment, such as a platform powering a home security system or a connected car. How can a car maker be transparent about the data it receives from vehicles and shares with dealers, repairers and insurance companies, when such disclosure can be deemed to contravene competition law in Europe? At LexisNexis Risk Solutions, this year we will be making some important announcements about this consumer disclosure process and data linking technologies.
Consider another example: a mobile hardware provider collects URL data from people who opt in to sharing it. But random noise is added to each record on the device, before it leaves the handset, so that the provider cannot tell which URLs a specific user actually visited; it can only estimate which URLs are popular across the whole user base. This is differential privacy applied locally: the guarantee holds against the provider itself, not just against outsiders. Many companies are already incorporating notice and consent technology in their websites. They may need to amend the wording, but the method is already established.
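The following is an added worked example of the on-device noise described above; it is not code from the original article, from LexisNexis Risk Solutions, or from any hardware provider. It assumes the standard mechanism for this setting, generalized randomized response (local differential privacy): each device reports its true URL with probability p and one of the other candidate URLs otherwise, and the collector applies an unbiased correction to recover aggregate counts. The candidate URL list and the simulated population are constructed for illustration.

```python
"""Local differential privacy for URL telemetry via generalized randomized response.

Each device holds one value (the URL the user visited) and sends only a
randomized report.  The collector never sees the true value, yet the
aggregate frequency of each URL can still be estimated without bias.
Added example; candidate URLs and population are constructed, not real data.
"""
from __future__ import annotations

import math
import random
from collections import Counter

# Constructed sample: the fixed set of candidate URLs a device may report.
CANDIDATE_URLS = [
    "https://example.com/",
    "https://example.org/news",
    "https://example.net/login",
    "https://example.com/search",
]


def response_probabilities(epsilon: float, k: int) -> tuple[float, float]:
    """Return (p, q): p is the probability of reporting the true value,
    q the probability of reporting each of the k-1 other values.
    p/q == e^epsilon, which is the epsilon-differential-privacy guarantee."""
    if k < 2:
        raise ValueError("need at least two candidate values")
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    e = math.exp(epsilon)
    return e / (e + k - 1), 1.0 / (e + k - 1)


def randomize(true_url: str, candidates: list[str], epsilon: float,
              rng: random.Random) -> str:
    """Runs ON THE DEVICE: perturb the true URL before anything leaves the phone."""
    if true_url not in candidates:
        raise ValueError("true value must be one of the candidates")
    p, _ = response_probabilities(epsilon, len(candidates))
    if rng.random() < p:
        return true_url
    return rng.choice([c for c in candidates if c != true_url])


def estimate_counts(reports: list[str], candidates: list[str],
                    epsilon: float) -> dict[str, float]:
    """Runs AT THE COLLECTOR: unbiased estimate of how many devices truly held
    each URL, using only the noisy reports.  Since
    E[observed_v] = n*q + true_v*(p - q), we invert to
    true_v ~= (observed_v - n*q) / (p - q)."""
    p, q = response_probabilities(epsilon, len(candidates))
    n = len(reports)
    observed = Counter(reports)
    return {url: (observed.get(url, 0) - n * q) / (p - q) for url in candidates}


def privacy_loss_bound(epsilon: float, k: int) -> float:
    """Worst-case likelihood ratio P(report | true=a) / P(report | true=b) for a
    single report: exactly e^epsilon, independent of k.  This is what bounds
    what the collector can infer about any one user."""
    p, q = response_probabilities(epsilon, k)
    return p / q


def constructed_population(n: int, seed: int) -> list[str]:
    """Constructed ground truth: n devices with a skewed true URL distribution."""
    rng = random.Random(seed)
    return rng.choices(CANDIDATE_URLS, weights=[50, 30, 15, 5], k=n)


def exact_counts(visits: list[str]) -> dict[str, int]:
    """True per-URL counts; only ever available on the devices, never centrally."""
    c = Counter(visits)
    return {url: c.get(url, 0) for url in CANDIDATE_URLS}


def simulate(true_visits: list[str], epsilon: float, seed: int = 0) -> dict[str, float]:
    """Every device randomizes locally; the collector estimates from reports alone."""
    rng = random.Random(seed)
    reports = [randomize(u, CANDIDATE_URLS, epsilon, rng) for u in true_visits]
    return estimate_counts(reports, CANDIDATE_URLS, epsilon)


if __name__ == "__main__":
    population = constructed_population(10_000, seed=1)
    truth = exact_counts(population)
    for eps in (0.5, 2.0, 8.0):
        est = simulate(population, eps, seed=7)
        print(f"epsilon={eps}: per-report privacy loss bound e^eps="
              f"{privacy_loss_bound(eps, len(CANDIDATE_URLS)):.1f}")
        for url in CANDIDATE_URLS:
            print(f"  {url:30s} true={truth[url]:5d}  estimate={est[url]:8.1f}")
```

The trade-off the article alludes to is visible in the output: a small epsilon gives a strong per-user guarantee (a single report is almost uninformative) but noisy aggregates, while a large epsilon gives accurate popularity counts and a weak guarantee. The estimates always sum to the number of devices, so the noise shifts counts between URLs rather than inventing users.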
We have been seeing improvements in the legal design of services and in how consent is obtained in practice. More companies are asking people to pay for previously free services, or to subscribe to premium tiers, in order to reduce their reliance on the value of shared personal data. Overall we see that the subtleties of GDPR as expressed in the Data Protection Act 2018 have yet to be felt, but maybe during this year?