Complying with the European Union
General Data Protection Regulation (GDPR)
A special report from the Digital Deli by John R. Grala, April 2, 2018
The European Union (EU) has implemented a formal regulation called General Data Protection Regulation (GDPR).
The regulation has been scheduled for enforcement on 25 May 2018. It applies in all EU member states, AND it applies to any organization outside the EU that offers goods or services to, or monitors the behaviour of, EU data subjects.
The penalties for non-compliance are significant. Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching GDPR.
Before you back away from doing business in the EU, consider a few key points. After so many high profile breaches, the regulation sends a clear message: "Privacy by Design" is now the rule.
In the United States we are bound to see more regulation in the future. No single, all-encompassing U.S. federal privacy regulation currently exists; states have adopted regulations to varying degrees.
With international cooperation it is hoped a "gold standard" could eventually emerge that would be universally accepted for data protection and privacy of individual data. Until then, here is a summary of what you need to keep in mind.
The Learning Curve
There has been some confusion in interpreting the regulation and in identifying which business entities must comply with the EU GDPR. For those outside the EU, overlaying GDPR onto their own federal, state or provincial regulation adds to the complexity.
While GDPR carries a big enforcement club, IAPP (International Association of Privacy Professionals) President Isabelle Falque-Pierrotin has recognized that:
- There will be a “learning curve” for everyone involved, including the regulators.
- Regulators recognize everyone will not have compliance complete by the enforcement date.
- It is critical to have begun GDPR policies and procedures.
Crafting the Approach to Internal Policies
From our perspective at the Digital Deli we would suggest (this is not legal advice) a few common-sense approaches to implementation, primarily from a U.S. and Canadian perspective:
- Place yourself in the consumer's position when crafting internal policies and procedures. As a consumer, what would you expect?
- Be sure to overlay your own federal, state/provincial regulations within your policies and procedures.
- Consider your own compliance blueprint as "a work in progress" or a "living document".
- Communicate with your employees and vendors so you may "continuously improve" your own posture.
- Carefully evaluate vendor targeted advertising engagements, especially where personally identifiable data is used by a third party on your behalf.
- Consider growing your audience by using your web site as the center of your universe to attract your audience organically.
- Unless you have unique business operations outside your own country, apply all data protection and privacy policies across the board.
- Take a stance that data protection and privacy is a critical part of your business – to gain consumer trust and market share to improve your bottom line.
Compliance Starts with a Secure Infrastructure
For all practical purposes it is impossible to be in a compliant state in the digital age without secure systems, because secure systems are the means of meeting the intent of the regulations. Compliance without security is a paper exercise.
"Only 16 percent of organizations report that the capabilities of traditional security tools are sufficient to manage security", according to a 2018 study by Crowd Research Partners. The study confirmed "the top three cloud security challenges include protecting against data loss and leakage (67%), threats to data privacy (61%), and breaches of confidentiality (53%)."
Across the regulations in place (e.g. CJIS, PCI, HIPAA, GDPR) the big takeaway in lay terms is: (1) you need a way to know you have been compromised, and (2) you need a means to take the appropriate corrective action to mitigate the vulnerability or attack vector.
Once data breach reporting became compulsory, regulators were shocked to find that many of the highest profile victims did not know they had been breached for months, and sometimes years, after the fact. It is safe to assume we are only seeing the tip of the iceberg.
- Poorly configured systems are a major cause of data breaches. Organizations across the globe have had their systems compromised, and much of that personal data (including credit card numbers) appears to be for sale to the highest bidder on the dark web.
- Municipalities of all sizes capture, store and share a lot of personal data that can be compromised by hackers or by internal (disgruntled) employees. Atlanta, a major U.S. city, had to revert to pen and paper in March 2018 because its systems were compromised.
Legal minds and think tanks might help clarify the role of GDPR in attacks on industrial control systems. If a manufacturing process introduced rogue firmware (i.e. a compromised digital device) that leaked personal data, would the company be liable for knowingly not disclosing that to regulators and the consumer? Could the organization be found negligent for not taking good faith steps to ensure privacy under GDPR?
Small Things Matter because Data is Currency
Dave Ehman of Centry Global, in a podcast from TWiT.TV hosted by Denise Howell and J. Michael Keyes, brought up a good point when considering "how far does GDPR go?" Dave posed the case of the pizza shop delivery guy (a sub-contractor) being given the name, address and phone number of the customer.
I don't think any corner pizza outfit across North America has ever given that a second thought. But in the technology world it would be much easier to turn that into valuable data that could be used by a competitor or a marketing / advertising agency. Without a solid policy in place, ambiguity prevails not only over who owns the data, but over how it may be used.
GDPR has quite a bit of common sense when it comes down to: providing consent explicitly and clearly; and having the right to be forgotten.
Are You Subject to the EU GDPR?
If you have any "data subjects" from the EU and one or both of the items below are true, compliance with the GDPR is compulsory.
- Sell Products or Services.
- Collect Personal Data.
What Is Needed for Compliance?
- Data Classification Policy
- Intrusion Detection Policy
- Incident Response Policy
- GDPR Compliance Policy
Best Practices, Responsibility, Values, Courtesy, Regulatory Compliance
Mark Zuckerberg, CEO of Facebook, has said he is "open to regulation" because it provides a (legal) framework to operate in. Hundreds of well respected publications and influential people like Brian Acton and Elon Musk have made bold statements on the subject of social media data collection and how that information is monetized.
With most business and social interaction being done electronically it is a good time to take inventory over the data assets in your enterprise (small or big) and how that is used internally and externally.
- Is privacy and data protection a part of your culture?
- Does your vision statement make that loud and clear to employees?
- Are your customers and suppliers clear on your policies?
With the monetizing of "free digital services" (social, email, apps) it seems logical that, even if a user did not read or understand the terms of service, they would know that display ads are part of the deal. How data collection is used for targeted ads and a "better user experience" is probably much less understood.
GDPR makes it clear organizations collecting data and receiving consent from a customer to use (internally or sell) that data can not bury "consent" in tiny fine print in the middle of a huge usage terms document.
A Question for Legal Minds might be:
Can a user give "informed consent" for a "use case" or method that did not previously exist, or was not widely known at the time consent was given? Would the terms "any and all uses, in perpetuity" apply to all past, present and future data use?
User Data as Digital Currency | Your Digital ID
When cookies no longer worked, a new scheme had to be devised. When digital IDs were developed, many advertising agencies were giddy. For the most part, traditional advertising agencies were hardly as effective at monetizing the capability as their newer counterparts. That is why most advertising dollars flow through what we think of as technology companies.
Today, user data is digital currency. There is little restriction in the United States on how digital IDs are used and data is sold. These "digital IDs" have gotten quite sophisticated by associating smartphone, tablet, desktop and TV. ISPs are currently permitted to sell user browsing history. It is why an ad can follow you all the way to the couch (across all devices).
As government leaders gain new perspective on the subject we are likely to see regulations change in the United States and abroad. We are also likely to see new innovations. It seems like a very good time to reimagine advertising for the future, as we tighten policies and reevaluate best practices.
It would be our suggestion that organizations "prepare for tomorrow, today" by investing in their own brand (organic content). New innovation is only around the corner, and you will be ready to monetize our TIM motto of Trust, Integrity and Momentum in any regulatory framework.
Don't Forget the Pizza Delivery Guy
In the world of AI, Elon Musk and Stephen Hawking both advised caution. Just because you can, does not mean you should. We are at the crossroad where technology has little bounds. Let us explore the hypothetical higher tech pizza delivery sub-contractor. They grab the pies, press a button to optimize the GPS route and drive off.
To make extra money, the car is equipped with a mobile location-based advertising screen on the roof. The algorithm can detect a delivery start from Pizza Supreme and where the deliveries were made. An ad network could offer a competitor a very lucrative targeted ad that says "Better Pizza at Gino's" on the car roof. The competitor could also place targeted ads from Gino's on the devices of the family who orders from Pizza Supreme. Just-in-time coupons could arrive magically from Gino's a few hours before Thursday night pizza.
Autonomous vehicle delivery could work in a similar manner. What if the pizza shop data was not directly used, but passive data collection via GPS was able to profile the personal habits for monetization? The question is still "who owns the data and how may it be used and where is the implied consent?"
Legal minds and think tanks could shed more light on passive data collection in the context of existing and proposed regulations. Perhaps even the Brookings Institution or the Electronic Frontier Foundation might weigh in on the subject of passive data collection and future regulation of privacy using AI.
Programmers, Business Process & Data Analysts
Explicit consent will require program execution to pause, confirm understanding and only then proceed, so that the user has given "informed consent". You must also identify which "data subject" attributes are captured and how they are shared within the enterprise. To this end, an elegant and simple method needs to be devised so that pressing a button compiles all of that in one place for the user to see.
In addition, the "data subject" has the right to be forgotten. Obviously some items (financial transactions) will remain. Those records are covered by the appropriate data security protocol and marked "solicitation permitted=no" and "forgotten=yes".
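The consent, one-place summary and erasure handling described in the two paragraphs above, as an added Python example written for this page (it is not Digital Deli code and not any library's API). The attribute names, the sharing map, the purpose strings and the sample record are assumptions constructed for the illustration; the two record flags follow the "solicitation permitted=no" and "forgotten=yes" markers mentioned above:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Where each captured attribute is shared inside and outside the enterprise.
# Attribute names and recipients are assumptions for this example, not a
# catalogue from the page; a real map comes from the data inventory.
SHARING_MAP: Dict[str, List[str]] = {
    "name": ["order_fulfilment", "delivery_contractor"],
    "address": ["order_fulfilment", "delivery_contractor"],
    "phone": ["delivery_contractor"],
    "email": ["marketing", "ad_network_partner"],
}

@dataclass
class Consent:
    purpose: str            # one consent per purpose, not a blanket "any and all uses"
    notice_version: str     # the wording the subject actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class Transaction:
    txn_id: str
    amount_cents: int
    occurred_at: datetime

@dataclass
class DataSubject:
    subject_id: str
    attributes: Dict[str, str]
    consents: List[Consent] = field(default_factory=list)
    transactions: List[Transaction] = field(default_factory=list)
    solicitation_permitted: bool = False   # off until explicit marketing consent
    forgotten: bool = False

def record_consent(subject: DataSubject, purpose: str, notice_version: str,
                   affirmative_action: bool) -> None:
    """Store consent only on an explicit, affirmative act for a named purpose.
    Silence or a pre-ticked box (affirmative_action=False) is rejected, and an
    erased subject is never re-enrolled from the old record."""
    if subject.forgotten:
        raise ValueError("subject has been erased; start a fresh record")
    if not affirmative_action:
        raise ValueError(f"no affirmative action for purpose {purpose!r}")
    subject.consents.append(Consent(purpose, notice_version, datetime.now(timezone.utc)))
    if purpose == "marketing":
        subject.solicitation_permitted = True

def withdraw_consent(subject: DataSubject, purpose: str) -> None:
    for c in subject.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = datetime.now(timezone.utc)
    if purpose == "marketing":
        subject.solicitation_permitted = False

def has_consent(subject: DataSubject, purpose: str) -> bool:
    return any(c.purpose == purpose and c.withdrawn_at is None
               for c in subject.consents)

def add_transaction(subject: DataSubject, txn_id: str, amount_cents: int) -> None:
    subject.transactions.append(Transaction(txn_id, amount_cents, datetime.now(timezone.utc)))

def access_summary(subject: DataSubject) -> dict:
    """The 'press a button' view: every attribute held, who it is shared with,
    the consents in force and the record flags, compiled in one place."""
    return {
        "subject_id": subject.subject_id,
        "attributes": {k: {"value": v, "shared_with": SHARING_MAP.get(k, [])}
                       for k, v in subject.attributes.items()},
        "active_consents": sorted(c.purpose for c in subject.consents
                                  if c.withdrawn_at is None),
        "transactions_retained": len(subject.transactions),
        "solicitation_permitted": subject.solicitation_permitted,
        "forgotten": subject.forgotten,
    }

def erase_subject(subject: DataSubject) -> int:
    """Right to be forgotten: drop identifying attributes and withdraw every
    consent, but keep the financial transaction records (id, amount, date)
    with the record flagged solicitation_permitted=False and forgotten=True.
    Returns the number of transactions retained."""
    subject.attributes.clear()
    for purpose in {c.purpose for c in subject.consents}:
        withdraw_consent(subject, purpose)
    subject.solicitation_permitted = False
    subject.forgotten = True
    return len(subject.transactions)

def demo() -> dict:
    """Constructed sample walk-through; returns the post-erasure summary."""
    s = DataSubject("ds-0001", {"name": "A. Customer", "address": "1 Main St",
                                "phone": "555-0100", "email": "a@example.com"})
    add_transaction(s, "txn-1", 1899)
    record_consent(s, "marketing", "notice-v1", affirmative_action=True)
    erase_subject(s)
    return access_summary(s)
```

Two design points carry the weight here: consent is recorded per purpose against the notice version the person actually saw, which is what lets you answer the "any and all uses, in perpetuity" question honestly later, and erasure keeps the transaction rows but strips the identifying attributes and withdraws every consent, so a retained record can never quietly feed a marketing list again.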
Pay closer attention to the user interface design. Consider using a graphic artist to create an "informed consent" layout (color, font, text) that is consistent with the brand, but unique.
Data protection and privacy coding will keep a lot of programmers busy. Agility and speed are admirable – precision and accuracy will always be remembered longer.
I have left you a note below based on my experience. Good luck coding and designing for next generation data security and privacy.
Access the EU GDPR Web Site.
Access the EU GDPR Resource Page for documents, videos and other links.
John R. Grala of the Digital Deli has designed and integrated data systems for compliance with U.S. Nuclear Regulatory Commission (NRC) standards, New York State Civil Service, the New York Department of State Public Service Commission and the Long Term Care Executive Council of Central New York.
Isabelle Falque-Pierrotin, President, International Association of Privacy Professionals (IAPP)
2018 Cloud Security Report, Crowd Research Partners
Aaron Lancaster, BakerHostetler
Dave Ehman, Centry Global
Denise Howell and J. Michael Keyes, via Leo Laporte's TWiT.TV
Jack Casazza, IEEE Fellow
Brian Acton, Signal Foundation
Elon Musk, OpenAI, Tesla, SpaceX
Stephen Hawking, Theoretical Physicist, Cosmologist
A Note for Programmers, Business Process & Data Analysts
The advice I received a few decades ago from Jack Casazza, a man referred to as the father of the electric power grid, served me well. I had used advanced algorithms to introduce data never seen before. The data capability was flaunted lavishly. No one had ever peered that deeply into the operational characteristics of grid operations.
When I heard he wanted to speak to me I was scared to death. Could he have detected a problem? It turned out that was not the case. After taking a deep breath, I thought he must want to compliment me! While he did toss a few accolades, I was wrong again.
He came to tell me I would not understand the significance of my efforts until I understood two things. The first was: there were trillions of dollars associated with the data being analyzed. The second was: by default my obligation was not solely to my client.
Then he told me about driving home on the New Jersey Turnpike. The lights of the New York skyline suddenly disappeared. He designed the system and knew the consequences.
Mr. Casazza told me it was precisely at that moment he realized that he worked for all the people of metro New York, New Jersey and Pennsylvania. He then announced I should broaden my shoulders since I really worked for 3.5 million people.
I would remind today's programmers their responsibility may extend to billions. Code with the highest degree of professional ethics and a code of conduct that would make your mother proud. You will be rewarded well.
Also, "Don't code solely for the regulation." Designing for the intention of data security and privacy will streamline future modifications, while allowing efficient management of data collected.
--John R. Grala--