As the European Union’s General Data Protection Regulation (GDPR) enforcement date of 25 May 2018 approaches, a practical exercise for privacy pros and their implementation teams is to start thinking of the “R” in GDPR as standing for “Reality” rather than “Regulation”.
This writer offers the following thoughts and observations on some realities of operationalizing GDPR, seen through a technical, “real world” lens.
First and foremost, the reality is that the GDPR is here to stay. Recital 1, Sentence 1 of the GDPR reads: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” The EU has set a high standard for the protection of citizens’ personal data, and it is EU law today. EU data subjects (users) now have a fundamental right to compliant data protection, visibly and continually, wherever and whenever their personal information is moved or touched by enterprises (data controllers and processors). That protection extends to personal information activity involving desktops, laptops, tablets, smartphones, apps, wearables, IoT devices, and in-person venues.
Since the GDPR became EU law 15 months ago, a great deal has been written and discussed about how the Regulation will affect large and small enterprises trading in Europe, yet very little attention has been given to exactly how an operationalized GDPR will look and function when it serves real citizens every day in the real world. As implementation teams and IT staffs prepare for actual “rubber-on-the-road” GDPR implementation, a Privacy by Design approach is helpful.
In concept, GDPR is about enterprise and user engaging together to protect and manage the user’s personal information responsibly, promoting positive-sum privacy and building mutual trust. In practice, this activity will most often take the form of a proactive, software-supported dialogue between the parties at each real-world encounter, or user touchpoint. In operation, enterprise and user each take their turn: clear details about policy and legal basis are presented; appropriate consent is informed, negotiated, and gathered; and individual user rights are offered and, at the user’s option, exercised.
A practical, GDPR-compliant touchpoint dialogue will incorporate the following default functional elements:
· Software infrastructure meeting the standards set forth in GDPR Article 12, to proactively present clear and plain-language notice as the enterprise explains its policy and options to the user.
· Software infrastructure meeting the standards set forth in Articles 5, 6, 7, 8, 13, 14, and 22 to disclose the legal basis for collection, then initiate and manage the negotiation and gathering of appropriate affirmative consent (or the affirmation of legitimate interest, etc.) as the user responds to the enterprise and opts accordingly.
· Software infrastructure meeting the standards set forth in Articles 13, 14, 15, 16, 17, and 18 covering the disclosure and fulfillment of individual rights, as the enterprise offers optional processing rights to the user, then acts as directed by the user’s response.
· Software infrastructure to log, track, and report discrete touchpoint dialogue events as they occur, supporting downstream user, DPO, and DPA dashboard reporting.
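The following Python sketch is an added illustration of the logging element above, tied to the consent and rights elements; it is not PrivacyCheq’s code, and the class name, event kinds, field layout and sample events are all assumptions made for the example. It records each dialogue event in an append-only, hash-chained log so that a DPO or DPA can later check that nothing was edited, reordered or dropped; it derives the current consent status per processing purpose (the latest event wins, so withdrawal is as easy as giving, per Article 7(3)); and it produces a data-subject view and a rights-request report for dashboards.

```python
"""Append-only, hash-chained ledger of GDPR touchpoint dialogue events.

Added illustration, not PrivacyCheq's code. TouchpointLedger, the event
kinds, the field layout and the sample events are assumptions for this example.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Optional

# Article 6(1) legal bases, keyed by the article's own lettering (a)-(f).
LEGAL_BASES = {
    "a": "consent", "b": "contract", "c": "legal obligation",
    "d": "vital interests", "e": "public task", "f": "legitimate interest",
}

# Event kinds a touchpoint dialogue emits, grouped by the articles the text cites.
NOTICE_KINDS = {"notice_presented"}                                        # Arts. 12-14
CONSENT_KINDS = {"basis_disclosed", "consent_given", "consent_withdrawn"}  # Arts. 6, 7
RIGHTS_KINDS = {"access", "rectification", "erasure", "restriction"}       # Arts. 15-18
ALL_KINDS = NOTICE_KINDS | CONSENT_KINDS | RIGHTS_KINDS

GENESIS = "0" * 64  # prev_hash of the first event in the chain


@dataclass(frozen=True)
class Event:
    seq: int
    ts: str           # ISO-8601 UTC timestamp
    user_id: str
    kind: str
    purpose: str      # processing purpose the event relates to, e.g. "newsletter"
    detail: dict
    prev_hash: str
    hash: str


def _digest(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def _payload(ev: Event) -> dict:
    return {"seq": ev.seq, "ts": ev.ts, "user_id": ev.user_id, "kind": ev.kind,
            "purpose": ev.purpose, "detail": ev.detail}


class TouchpointLedger:
    def __init__(self) -> None:
        self._events: list[Event] = []

    def record(self, user_id: str, kind: str, purpose: str,
               detail: Optional[dict] = None, ts: Optional[str] = None) -> Event:
        """Append one dialogue event; rejects unknown kinds and unknown legal bases."""
        if kind not in ALL_KINDS:
            raise ValueError(f"unknown event kind {kind!r}")
        detail = dict(detail or {})
        if kind == "basis_disclosed" and detail.get("basis") not in LEGAL_BASES:
            raise ValueError("basis_disclosed needs a basis letter from Art. 6(1)(a)-(f)")
        if kind == "consent_given" and detail.get("affirmative") is not True:
            # Art. 7 / Recital 32: silence, pre-ticked boxes or inactivity are not consent.
            raise ValueError("consent_given must record an affirmative act")
        ts = ts or datetime.now(timezone.utc).isoformat()
        seq = len(self._events)
        prev = self._events[-1].hash if self._events else GENESIS
        payload = {"seq": seq, "ts": ts, "user_id": user_id, "kind": kind,
                   "purpose": purpose, "detail": detail}
        ev = Event(**payload, prev_hash=prev, hash=_digest(prev, payload))
        self._events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered event breaks it."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.prev_hash != prev or _digest(prev, _payload(ev)) != ev.hash:
                return False
            prev = ev.hash
        return True

    def consent_status(self, user_id: str, purpose: str) -> bool:
        """Latest consent event for the purpose wins, so withdrawal is as easy as giving."""
        status = False
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose:
                if ev.kind == "consent_given":
                    status = True
                elif ev.kind == "consent_withdrawn":
                    status = False
        return status

    def rights_requests(self, user_id: Optional[str] = None) -> list[dict]:
        """Rights events (Arts. 15-18) for the DPO/DPA dashboard, optionally per user."""
        return [asdict(ev) for ev in self._events
                if ev.kind in RIGHTS_KINDS and (user_id is None or ev.user_id == user_id)]

    def user_view(self, user_id: str) -> list[dict]:
        """What the data subject sees: their own events, without chain internals."""
        return [{k: v for k, v in asdict(ev).items() if k not in ("prev_hash", "hash")}
                for ev in self._events if ev.user_id == user_id]

    def tamper_for_demo(self, seq: int, **changes) -> None:
        """Demo hook only: overwrite a stored event in place to show verify() catching it."""
        self._events[seq] = replace(self._events[seq], **changes)


def demo_ledger() -> TouchpointLedger:
    """Constructed sample dialogue for one user at a sign-up touchpoint (not real data)."""
    led = TouchpointLedger()
    led.record("u-1001", "notice_presented", "newsletter", {"policy_version": "2018-05"})
    led.record("u-1001", "basis_disclosed", "newsletter", {"basis": "a"})
    led.record("u-1001", "consent_given", "newsletter", {"affirmative": True, "ui": "unticked_checkbox"})
    led.record("u-1001", "basis_disclosed", "fraud_screening", {"basis": "f"})
    led.record("u-1001", "access", "all")
    led.record("u-1001", "consent_withdrawn", "newsletter", {"ui": "preferences_page"})
    return led
```

The hash chain is what makes the log useful as evidence rather than just as a report source: a controller that quietly rewrites a consent record after the fact changes every later hash, which `verify()` detects. In a deployment the chain head would be anchored somewhere the application cannot overwrite (a separate store, a signed timestamp, or an external log), since a process that can append can otherwise recompute the whole chain.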
Prebuilt prototype touchpoint dialogues and related installation toolsets are available today to facilitate privacy office and IT integration; a comprehensive remote demo can be scheduled on request.
A final reality is that the European Union’s GDPR initiative has inspired transformative data protection activity beyond the bounds of Europe. A substantial number of countries around the globe appear to be planning and implementing privacy standards and laws patterned upon and congruent with the spirit of GDPR. The EU’s pending ePrivacy Regulation covering confidential communications will likely rely heavily on GDPR principles as a foundation. In this writer’s opinion, the privacy world is steadily moving towards a GDPR privacy standard. Now is the time for privacy pros, GDPR implementation teams, and IT staff to focus on real-world implementation.
Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com