The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Let me share in this post some thoughts about the GDPR and its challenges:
- It's about consent: Companies need to have the consent of the customer for each specific use of their data. This consent can be withdrawn whenever the customer wants. If a company obtains new data sources, the previous consent doesn't cover them.
- In case of a security breach, companies have to report, within 72 hours, the data involved, what happened, how quickly it was resolved, and its implications and impact.
- The right to be "forgotten": Each individual has the right to ask for the erasure of all the data related to him or her.
- Justify the use of data: Regulators may ask questions about the use of data: why it is needed, why it is held so long, how it was validated, and whether the use complies with the customer's consent.
- Portability of the data: Customers may request that all the data a company holds on them be transferred to another company.
- Creation of a Data Protection Officer (DPO) role within companies.
- If the data is passed to an outsourcer or a partner, the company remains responsible for the actions undertaken by that outsourcer or partner.
- Fines of up to 4% of turnover, depending on the case.
IMHO, to date some of the requirements of the GDPR are still ambiguous and need clarification before they can be implemented:
- The scope of the data considered in the GDPR regulation
- I'm wondering if the GDPR gives the Regulators the authority to question the decisions made by algorithms, and the models used for such decisions (such as scoring)
- In the case where a customer asks for their data to be erased, what data may the company keep? For instance, can it keep the data used to meet the legal obligations of the collection process?
Definitely, the GDPR regulation raises two opportunities:
- The first one is within the consulting business, to help companies navigate safely to GDPR compliance
- The second one is about engineering challenges, to help companies build the right IT, enabling their DPOs to monitor, protect, report, erase and transfer the data in line with the requirements of the regulation.