Data privacy isn’t a linear equation…
“For every complex problem, there’s a solution that is simple, neat, and wrong.” H.L. Mencken
Data privacy, much like digital strategy, is a complex problem that defies simple solutions. As CA Technologies’ Paul Ferron reminds us, the idea of purchasing software packages to ensure GDPR compliance is as illusory as it is expensive.[i] Restructuring the data processes is a necessary step, but like all efforts at business process improvement, the ideal process always proves more convincing on paper than in reality. Developing a legal shield against potential infractions is useful but produces little if any business value for either you or your customers. GDPR compliance will never be worth anything more than the quality of the training you offer your employees and customers on digital strategy. Let’s take a few moments to understand some of the challenges and pitfalls of compliance today, and why GDPR training must address the larger picture of how your organization can capitalize upon its digital investments.
In theory, the singular objective of GDPR is protecting consumer privacy. In reality, the 263-page document that summarizes the implementation of GDPR comprises a hodgepodge of advice, regulations, and constraints.[ii] Implementing the text to the letter will likely prove confusing, if not self-defeating. Consider the provisions for mandatory Data Protection Impact Assessments (DPIAs). Even if this requirement is applicable to only new data processes, accurately responding to breach infractions is mandatory for processes regardless of their date of origin. On a different level, you must comply with any European citizen's request to delete their personal data, even if doing so requires keeping a record of who made the request and why. Before buying into any packaged GDPR “solution”, it would be well worth your time to have a data strategist study the implications of how the legislation will impact the way you do business.
The complex reality of the digital economy tests the legislator’s ability to provide clear and universal guidelines. The practice of digital aggregation is a case in point. Article 4 of the GDPR makes the distinction between the responsibilities of data controllers, who determine the purposes and means of the processing of personal data, and data processors, who process personal data on behalf of the controller. As the recent example of the Trump Organization, Facebook, and Cambridge Analytica demonstrates, the reality of digital practice defies such simple classifications. Who is legally responsible when third parties plug seemingly innocuous feeds into APIs in ways that affect the privacy of digital citizens?
The evolution of digital technologies has already put the logic of GDPR to the test. Blockchain technologies provide a case in point. These digital ledgers are rapidly gaining a large footprint in a variety of applications ranging from banking to the automotive industry, from the health sciences to the electoral process. The GDPR legislation was designed on the assumption that organizations have centralized services that physically control access rights to the user data, which is exactly what blockchain algorithms avoid. Suggesting that employees or customers have the right to demand the removal of their personal data in the blockchain is largely wishful thinking, for the technologies have little if any scope for removing bits of information in the chain on an on-demand basis.[iii]
Finally, the goal of protecting the privacy of digital citizens is more difficult to achieve than that of simply anonymizing individual data. The goals of data science aren’t dependent upon the widespread availability of personal data, but upon elucidating and enriching the metadata on relationships between groups of individuals, objects, and organizations. Recent developments in voice recognition provide a telling example.[iv] If the organization’s goal is to understand the cognitive perceptions of employee or consumer profiles, the current state of research into “emotional” footprints permits an organization to reach its goals without holding any personal data.
As an organizational decision-maker, you will find that the success of your investments in GDPR won’t depend upon blindly following the rules. Neither technology nor process will enable you to align your GDPR compliance with the operational goals of your digital platforms, designs, and vision. Taking the high road to GDPR requires training your management on how compliance can provide a workable roadmap for organizational growth and customer trust in the months to come.
Sign up for the BAI/7wData one-day MasterClass “The High Road to GDPR”. The practice of business analytics is the heart and soul of the Business Analytics Institute. In our Summer School in Bayonne, as well as in our Master Classes in Europe, the Business Analytics Institute’s focus on digital economics, data-driven decision making, machine learning, and visual communications will put analytics to work for you and your organization.
Lee Schlenker is a Professor at ESC Pau, and a Principal in the Business Analytics Institute http://baieurope.com. His LinkedIn profile can be viewed at www.linkedin.com/in/leeschlenker. You can follow us on Twitter at https://twitter.com/DSign4Analytics
[iii] Meyer, D. (2018), Blockchain Technology is on a Collision Course with EC Privacy Law