Maximizing data value while complying with GDPR may not be impossible

Even though the General Data Protection Regulation will not be implemented until May 2018, businesses still have a lot to do before it comes into effect. A key question is whether it's possible for businesses to simultaneously comply with the regulation while ensuring they are maximizing the value of the data they have collected.

"What’s been realized is this convenience of data processing came with a cost of the fundamental rights of data subjects. If viewed in the right light, the GDPR provides an answer to that," said Anonos CEO Gary LaFever during a recent IAPP web conference. "Data protection by default enables us to respect, honor and protect the fundamental rights of data subjects, while actually opening up new business opportunities."

So how can businesses conduct their data processing in compliant, but innovative, ways? LaFever said people are realizing while they can comply with the GDPR, it does not mean they can continue to do business in the same way from an analytics perspective.

Joined by Mike Hintze, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, FIP, of Hintze Law, a former Microsoft chief privacy counsel and assistant general counsel, and by CNIL Director of Technology and Innovation Gwendal Le Grand, LaFever said the reason for the shift stems from a GDPR requirement to move toward data protection by default, a much more stringent form of privacy by design.

"What data protection authorities believe is that complying with these principles, with the rules that are enshrined in our legal framework, that the key elements in creating and keeping the trust to develop a business model that is based on the processing of such data, this means an investment in privacy management solutions, and anonymization techniques is essential to ensure fair and protected competition between economic players," Le Grand explained.

LaFever argued companies also focus too much on the identity of the data subject.

"When you have an app on your phone that’s a map app and you launch it, why does the provider of that map app have to know who you are? They don’t," said LaFever. "They have a legitimate reason to if you are registered for the service, that doesn’t require knowing who you are. They have a very important need to know where you are, and where you want to go. You can just as easily service users of the map app without finding out who they are, and a different identifier can be set every time."

Anonymization, pseudonymization and de-identification are all effective techniques companies can use to comply with the GDPR, said Hintze. Compared with the 1995 Directive, the GDPR offers more nuance in its definition of personal data.

"I think that’s very important and a positive step forward," he said. "Under the 1995 Directive, it was almost sort of a binary, all or nothing, either it’s personal data or anonymous data. Under the GDPR, there are different gradations between those two that are recognized," he noted. "One thing that is important to look at is the definition of personal data, and that definition includes the concept of identified-versus-identifiable data. Data that is identified is able to be identified on its face, or there are some easy mechanisms to identify who that person is. Identifiable data is a much bigger bucket, where it may not be apparent on its face, but there is at least a theoretical way to re-identify the person behind that data." 

Le Grand added, "Anonymization is the key trigger for big data, because in the context of the GDPR ... the rules on personal data protection do not apply to anonymous data, which means anonymization is an alternative to data erasure once the purpose of the processing has been fulfilled."

The GDPR will certainly challenge many traditional approaches to privacy. In fact, older approaches may cause more harm than good, said LaFever. 

"Unfortunately, many privacy-enhancement techniques actually reduce the value of data, whether it’s k-anonymity, l-diversity or differential privacy. The way they go about protecting privacy is reducing the level of accuracy. There are other ways to protect privacy where you can still leverage privacy-enhancing techniques, but in a way that maximizes that value," said LaFever. "You end up with data protection by default, which actually allows you to retain up to 100 percent of the value, at the same time, you improve security and privacy, and it supports greater use and sharing of data."

The changes brought about by the GDPR may cause frustration, but Hintze said complying with the regulation is not impossible.

"There have been a number of things that have been called out in the GDPR that will be required, and that includes appointing new personnel, ensuring your internal policies and external privacy statements are updated to meet the new requirements, developing new employee training, developing new, or updating existing procedures, practices, tools and technologies based on your own internal gap analysis of where you are now and where you need to get to ensure you are in a position to comply," said Hintze.

The GDPR is a strong harmonization tool for the EU, Le Grand pointed out, and will be assimilated into the laws of the member states easily.

Much of the data processing businesses are doing now will need to change. LaFever said companies cannot continue what they have been doing and expect to comply with the GDPR, but with new resources and techniques out there, companies have the potential to ensure they are ready to go by May 2018.

Written By

Ryan Chiavetta
