The Rise in Data
In the past year we have created more data than had previously been created in all of history. This growth is exponential, driven by the volume generated by always-on devices and the Internet of Things. With it comes an expanded set of attack vectors and greater risk that an individual's sensitive information will be compromised. It seems that we have become desensitized to security breaches that happen all too regularly and affect millions of individuals per breach.
Global Data Protection Rights
To hold companies accountable for their actions and for the security measures they use to manage an individual's sensitive information, the GDPR (Global Data Protection Rights) legislation comes into effect with stringent individual data protection rights becoming law in May 2018. This legislation sets precedent and introduces massive penalties for companies that manage data for European individuals, and it puts control of data consent in the hands of the individual. At a summary level, the legislation provides articles and mandates across the following areas of consent and data management:
- Rights of the Data Subject
- Controller and Processor Relationships
- Breach mitigation and security controls
- Transfers of personal data to third countries or international organizations
- Privacy by Design certification and advisory
Role of the Individual
This legislation puts unprecedented controls in the hands of an individual. At any time an individual has the right under this legislation to ask companies to delete all information tied to them, to prove that this removal of data was carried out, and to provide reporting of any event in which that individual's information was shared with a third party, along with the complete chronological history of those exchanges.
Role of the Organization
With the rights of the individual in place, can companies actually prove that they have deleted an individual's data across multiple systems? Do they have a record of the controller and processor relationships for data exchanged with third parties, and of the daisy chain of onward transfers? Does the organization have controls in place to mitigate potential breaches of this information and to implement privacy by design?
Any company that is not compliant with privacy by design, does not adhere to explicit consent for an individual's data, or has not performed risk mitigation steps will be subject to a penalty of between 4 and 6 percent of its annual revenue. This regulation is not in the same realm as, say, CAN-SPAM and the right to an individual's data for marketing, which carries a $1M penalty; this regulation will set a precedent of companies being penalized in the 8-9 figure range, if not more.
Companies need to formulate strategies and implementation steps to become compliant with this regulation immediately, as a default in their businesses. We partnered with Tieto, one of the largest healthcare infrastructure providers in the Nordics, to create a blockchain solution for the management of consent across their network of hospitals, biobanks, and research facilities. Our solution was centered on managing an individual's consent relationship across these entities and logging each interaction with an individual's data together with the identities of all parties involved. This created a longitudinal record for compliance, along with the ability to drive data exchange based on the consent relationships.
Download the Tieto whitepaper on the importance of GDPR compliance and our work with them to craft a strategy around using the upcoming legislation as a mechanism for better data sharing and responsibility.
While not all companies need a networked solution such as Tieto's to manage an individual's data and consent, all companies, regardless of whether they are located in Europe, need to create a strategy, plan, and implementation path to become compliant in this new era of individual control over personal data.