“[…] one recurring question people have had is why I thought the GDPR regulation, which only applies in Europe, would have a broad international impact, since “things are so different in the US”.
There are two main dynamics at play:
First, the same issues that led the European Union to create the GDPR impact all societies. There are countless people in America and elsewhere who have lost all confidence in the Internet giants to protect their data or their interests. This has already given rise to social sentiment that is motivating political leaders to get on the right side of history – introducing data privacy legislation. And in the discussion around what this will be, the GDPR has set the bar and established expectations that make it easy to lead campaigns describing what bad legislation is missing.
Second, all sentient beings within the internet companies understand the fundamental nature of the internet: it is world-wide and cannot be bifurcated. Building reliable, defensible services that behave differently in Europe and North America is a no-win proposition. Technology companies have lobbied for international harmonization of regulations for many years. Over time practicality will push those who choose to bifurcate and ignore the internet’s fundamental nature back to this principle.” Kim Cameron – Identityblog.com
Kim Cameron makes several good points in his talk. And, in Canada, the former Privacy Commissioner, Dr. Ann Cavoukian, who now runs the Privacy by Design Centre of Excellence at Ryerson, used the 7 foundational principles of Kim Cameron and has expanded on them:
- Proactive not Reactive: preventative not remedial
- Privacy is the default setting
- Privacy embedded into the design
- Full functionality: positive-sum, not zero-sum
- End-to-end security: full lifecycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user centric
In Canada, we have PIPEDA, which is based heavily on the EU Data Protection Directive of 1995. The introduction of the GDPR, together with the new ePrivacy bill that supplements it, provides a stronger baseline for privacy across the EU and the world. Canada has adopted many of the points of the GDPR into PIPEDA, with still more to come in the new version. However, Canada has severely reduced the fines, giving its legislation almost no real teeth. The principles, however, stand.
Generally? Not well.
Organizations have, in the past, received a user’s private details so that the user could initiate, perform and / or conclude transactions (regardless of their nature) on a particular site. Many users have simply indicated their agreement to the use of their data without actually reading any of the terms, which is, admittedly, part of the problem. To show how few people actually read the EULA, some companies have put hidden clauses into their EULAs; some of these are great, and others make for really interesting reading. The point is that many people don’t actually read these things.
There are some notable exceptions to this disregard for user privacy. Apple is one. It takes user privacy very seriously, and Tim Cook highly praised the GDPR legislation. It truly is one of the few organizations that take individual privacy seriously.
“Apple’s Tim Cook [...] makes it absolutely clear that Apple sees the GDPR as a fundamental technology building-block and fully understands that the EU has effectively pushed the digital reset button world-wide – and that this is hugely positive.” Identityblog.com
Effectively, the GDPR puts organizations wishing to do business in the EU on notice: you must comply with the legislation or face massive fines. This means that organizations are 100% responsible for how they use the data provided to them. And the provider of that data has the right to audit and inspect what organizations do with it. This holds the organization accountable.
This is where things like biometrics come into play. As well, the user must have control over the information provided and how it is used. It is their information, after all. Let’s back up a little and discuss what identity is and is not, to establish a baseline understanding.
What is Identity?
Simply put, our identity is made up of a variety of factors: family, nationality, ethnicity, religion, philosophy, occupation, etc. Our identity is critical for us to function across the entire ecosystem of interactions we have hourly, daily, weekly, annually and ultimately across our entire lifespan, so anything that potentially impacts it negatively can create a problem for an individual’s identity and interactions. Humans have always looked for ways to verify identity and carry on transactions in as safe a manner as possible. These concepts aren’t new. In fact, some can be traced back millennia. Fingerprints on documents as a means of signature were used on contracts during both the Qin and Han Dynasties (221 BC - 220 AD). Similar things were done in the 17th, 18th and 19th centuries for contracts and documents in other parts of the world. Fingerprints were first used by various police forces as early as 1901. Essentially, the idea of biometrics is not new. What is new is the ‘how’.
How are we looking at Biometrics?
What is included in modern biometrics?
Fingerprints, voice, retinal scans, facial recognition*, gait analysis or some combination thereof. All of these are very good options. However, with the advent of neural networks, fingerprints can be hacked relatively easily. Retinal scans are harder, as are voice scans. For high-tech systems a gait analysis can be used as well, since we all have a slight difference in how we walk. Biometrics effectively pairs the physiological and behavioural metrics of an individual to the information in a database. This can be used for a variety of things: a national ID card, driving licence, health card, passports, etc. Overall, biometrics can be used to replace encryption keys, passwords or codes for digital authentication and identification. *Facial recognition works very well, but it does have issues with non-Caucasian individuals. Since many of the developers tend to be white males, they use themselves as testers for face recognition, and this can create a problem for non-white users.
Is it completely bulletproof? No. India’s Aadhaar biometric ID program is a prime example. It has failed to protect privacy to any real extent. But that is a failure on the part of the planners and designers, as well as an inability or lack of desire to really follow the GDPR to any extent. There are many organizations and governments that are looking at privacy protection. Many of them are looking at it from the idea of ID cards (national or corporate). There are a number of companies in the space, but few are looking at it from the perspective of GDPR compliance.
GDPR: Compliance and Non-Compliance
The GDPR is an excellent privacy tool and will change the landscape of how individual IDs are managed. However, and this is critical, ensuring 100% compliance with the GDPR is not as simple and straightforward as many would like to think. There are steps that must be taken, and there is no such thing as mostly compliant. An organization is either compliant or not. Non-compliance is expensive: the minimum fine is $10MM USD or 2% of global revenue, whichever is greater. This tops out at $20MM or 4% of global revenue, again whichever is greater. For some companies this could be billions of dollars.
Companies now also need to have a Data Protection Officer (DPO), something our organization offers as a service in Canada and the EU, along with technology for the protection of both user and corporate data. Combining the DPO with our technology gives you complete compliance with the GDPR, as well as solid technology for data privacy and protection.
Benefits of Compliance
Let’s face it, historically organizations have never really been too concerned about user data and how they have been using it. To be fair, many organizations have been excellent at protecting user data and their use of it. However, over the last number of years, breaches have become more prevalent and more severe. This puts the onus on the corporation to protect the data that it has under its custodianship. Under the GDPR it is quite clear what the organization needs to do to comply. The issue is that, as with any new legislation, it is initially like the wild west: organizations will feel out what they can and can’t do, accepting the fines and understanding that they are a bit of a necessary evil. Microsoft, for example, was fined USD 100MM, which is frankly a parking ticket to them, and after that they said they would work with the EU to help them (Microsoft) become more aware of the GDPR requirements [insert cynical comment here].
That said, what are the potential benefits of embracing the GDPR as an organization? There seem to be mainly 5 benefits.
- Trust / Loyalty
- Creating a culture of Data security
- Marketing Return on Investment
- Better Data Management
Let’s look at these individually:
Trust / Loyalty
Many consumers have lost faith in organizations’ ability to safeguard the data that is under their custodianship. The GDPR can help regain users’ trust and loyalty.
Creating a culture of Data security
Moving forward with the idea of trust and loyalty comes a new internal culture that sees the benefit, both long term and short term, of better data security. Creating a culture that respects data security creates a culture that customers and clients respect. Again, we come back to trust and loyalty.
Marketing, Return on Investment (ROI)
One of the most critical factors of the GDPR is the opt-in policy, as well as the user’s informed consent on how their data is used (users can audit this information once a year, free, no questions asked). This means that organizations are recognized as custodians, not owners, of the data.
Better Data Management
Compliance means understanding what information you have, how it is collected, how it is stored and how it is managed. Again, this ultimately enforces the idea that you are not the owner of the data but a custodian holding it on behalf of the consumer or client.
Ignorance of cybersecurity, in this day and age, is no longer an option. Data privacy and security should be an organization’s top priority. This means finding the weak spots and closing them. It means maintaining a greater level of vigilance over the data that is on the servers and knowing how secure those servers are.
Ultimately, the overarching factor in all these points is TRUST! With a greater degree of trust, customers and clients will feel more secure about providing more information to your organization.
How can we help?
Privid can help in a variety of ways. We offer DPO services, as well as ensuring system-wide compliance. We offer education services for your employees on how to create a culture that understands and values data security. We also offer interfaces that comply with the GDPR and provide a level of comfort and security to your customers, clients and employees. To learn more, feel free to contact me directly:
+416.579.4595 North America