The privacy tsunami rolling across the Atlantic

Manifold Technology
Mar 31, 2017


By Chris Finan

Data privacy has gotten a lot of attention lately. Rightfully so. People want more control over how their data is used, and many data privacy regulators around the world have been listening. Companies are facing unprecedented pressure to secure and better manage the data they collect in accordance with their users’ preferences.

Last week’s retrograde action by the U.S. Congress to let American broadband providers monetize sensitive user data without permission is laughably inconsistent with current trends in data privacy and consumer expectations. Nonetheless, once signed into law, this license for unfettered use of personal data is likely to have very little impact on global companies. While the U.S. Congress might not care about privacy, 508 million potential European customers do. Foreign markets are increasingly dictating what standards American companies will have to meet for data privacy. One such example is the European Union’s recently passed General Data Protection Regulation (GDPR), which will empower individuals with much more control over how their data is used. This means U.S.-based multinationals will be affected by this paradigm shift in data privacy even if they already have privacy programs in place to address frameworks such as HIPAA or FTC requirements.

Under GDPR, the burden to prove proper data control will further shift to businesses. It will be incumbent upon companies to be able to show they are using data only in ways for which their users have explicitly, and affirmatively, consented. Enterprise risk and compliance teams will need to manage and track user consent with a higher degree of purpose specificity and, further, be able to dynamically adjust their data management practices to allow for more frequent changes in consent. Under these new mandates, users will not only be entitled to more nuanced preferences from the start, but will also be able to revoke consent for specific purposes as quickly as they granted it.

This two-dimensional expansion of data privacy requirements, providing more granular consent options and more thoroughly evidencing usage in accordance with consent, is heading toward global companies like a tsunami. Non-compliance is not an option. Companies will face fines up to 4% of global revenue. To put this enormous regulatory “stick” in context, Apple could be slapped with an $8.6B fine if they do not adhere to the regulations, Facebook $1.1B, and even a “small” company like AirBnB could have to pay out $68M. GDPR, driven in large part by the massive fines it authorizes, is likely to compel the same degree of change in enterprise data management practices as Sarbanes-Oxley.

Are U.S. companies prepared? Quite simply, no. Current enterprise solutions cannot scale to address this new level of complexity. Most companies have broad, static consent policies that are implemented by security and risk teams through a combination of role-based access controls and basic data segmentation. This approach is already burdensome for enterprise teams to manage effectively and to adequately prove compliance. Asking those already overloaded personnel to handle more complexity invites compliance violations, reputational risk, and consumer mistrust.

Enterprise security and risk teams are at their limits. The demand signals for more dynamic, granular and provable data control could not be clearer. It is time for a new approach to verifiable data privacy: blockchain-based data access control.

While blockchain is best known as the technology behind Bitcoin and other cryptocurrencies, it also offers unique tracking and auditing benefits. At the heart of blockchain technology is the ability to accurately record and share real-time information internal and external to an organization. Companies looking to comply with privacy demands can use a blockchain to transparently record user consent, as well as who/what/where/when and even why data was accessed. While audit records currently exist, a blockchain can provide a continuous, mathematical proof of data access for employees, users and regulators to prove not only what did happen, but also what did not happen. For privacy-conscious companies, investing in this technology now will make the transition to GDPR compliance and other data privacy regimes significantly easier in the long run.
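A simplified illustration of the consent-and-access ledger described above, added here as an example and not Manifold's product code: a SHA-256 hash chain (a single append-only log, not a distributed blockchain with consensus) in which each entry records a purpose-scoped consent decision or an access attempt, access is permitted only while consent for that purpose is active, and verification detects any rewriting of history. All users, purposes and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


@dataclass
class ConsentLedger:
    """Append-only, hash-chained log of consent decisions and access attempts."""
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        # Canonical JSON so the hash does not depend on key order
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def record_consent(self, user: str, purpose: str, granted: bool, ts: str) -> dict:
        return self._append({"type": "consent", "user": user, "purpose": purpose,
                             "granted": granted, "ts": ts})

    def consent_active(self, user: str, purpose: str) -> bool:
        # The latest decision for this user/purpose wins; no record means no consent
        state = False
        for e in self.entries:
            if e["type"] == "consent" and e["user"] == user and e["purpose"] == purpose:
                state = e["granted"]
        return state

    def access(self, actor: str, user: str, purpose: str, ts: str) -> bool:
        allowed = self.consent_active(user, purpose)
        # Denied attempts are logged too, so the ledger evidences what did NOT happen
        self._append({"type": "access", "actor": actor, "user": user,
                      "purpose": purpose, "ts": ts, "allowed": allowed})
        return allowed

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Revoking consent is just another appended entry, so the history of grants, revocations and every access decision made against them stays auditable in order.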

Chris Finan is the CEO & Co-Founder of Manifold Technology. He previously led business development for Impermium before it was acquired by Google. Prior to moving to Silicon Valley, Chris served in the Obama Administration as the Director for Cybersecurity Legislation and Policy on the NSC staff in the White House.


Manifold Technology

Founded by security experts to improve trust, efficiency & immediacy of value exchanges. Download our app: www.VolleyApp.com or visit www.manifoldtechnology.com