One of the most seismic events in information security last year was undoubtedly the entry into force of the EU’s General Data Protection Regulation (GDPR), perhaps the most radical shift in data protection thinking since people started to require secret passwords to access a person’s account. The GDPR hysteria has settled down somewhat since May, but it has become clear that the Regulation represents a wider shift in approach to data protection and consumer privacy, and things will not end here.
Two days before the Regulations came into force the UK Data Protection Act 2018, which incorporated amongst other things the provisions of the GDPR into UK law, received Royal Assent. Within a couple months, the California State Legislature had passed their own, similar Act. In addition, the EU is currently mulling an ePrivacy Regulation that would replace the previous ePrivacy Directive (the so-called ‘cookie law’) and will likely come into effect at some point this year.
If you and your company wait for the next law or regulation to force your hand, you will be forever playing catch-up. Instead, it’s important to get to grips with the modern approach to data protection, summed up in the GDPR as ‘privacy by design’. Designing your future products with this principle in mind will keep you ahead of the game when future legislation is introduced, as well as helping to establish a new industry standard.
Until recently, personal data have been treated rather cavalierly. Information could be gathered from users without their knowledge and consent and incredibly successful business models have sprung up around exploiting the acquired data. Information protection, in light of this, limited its scope to the protection of this data, but not to its acquisition. This is where the fundamental change in view has occurred—personal data is now considered as something belonging to the consumer in question, only to be taken with their informed consent and treated in such a way that allows them to retain overall control of it throughout its lifetime.
An easy way to get your head around this new approach is to consider a customer or user’s personal data as being the same as a customer or user’s money. Just as being stung by hidden costs can turn customers away, and just as misrepresenting what a customer is paying for can land a company in legal trouble, hidden data acquisition and using data for purposes other than those that the customer consented to are similarly unappreciated. Just as a customer expects a receipt for their purchase, and can request a refund or cancel a recurring payment at any time (any contractual obligations notwithstanding), a data subject must be able to view their data held by your company and be able to request its deletion, or to amend which data they allow you to collect at a later date.
When designing future products and services, you must ask yourself whether your design accommodates this contemporary approach to personal data. If it does, then you will likely find compliance with current and future data protection legislation a simple affair, and you will be setting an example to your partners and competitors.