Another day, another GDPR mail

The world didn't stop turning on May 25, 2018, when the EU General Data Protection Regulation (GDPR) became enforceable, despite the mass panic among many companies, which behaved as if they had just watched an intercity train speed away from the platform. In the rush to avoid any pitfalls, some companies managed to send out emails with contradictory content. Some decided not to send any further information at all unless customers accepted their privacy policy; others threatened to churn out even more unwanted information by simply assuming that their customers had opted in, without any explicit consent, which is not what the GDPR set out to achieve.

Given that the GDPR requires data subjects to be informed about how their data is used, these emails were hardly avoidable. The intercity analogy also fits in another sense: once the train has rushed through the station you can still see its lights for a short time, and then everything goes back to normal. This is exactly how many companies are reacting: send the emails, update the privacy policy, and then business as usual. That is not how the GDPR was intended. Although there is some scope for interpretation, the key idea behind the GDPR is essential in today's world: data controllers must consider to what extent they really need to store personal data at all. Part of this is collecting only as much data as is actually necessary, rather than hoarding masses of redundant data, which benefits only the attackers who steal it and sell it to the highest bidder.

And so we return to the consequences of mishandling data. It doesn't matter whether criminals steal and sell the information, a foreign nation state carries out a kind of illegal census, or a company itself, like Cambridge Analytica, misappropriates data for a purpose it was never collected for. Whatever is possible will be done sooner or later, and that includes the misuse of data. The most effective way to prevent it is to store only the data that is really necessary; the second-best option is to retain control over the data and be able to request its deletion. Government representatives can continue to conjure up the image of crumbling factories, but data minimization is necessary, because, as any number of reports each month show, state and private organizations are either unwilling or unable to protect the data entrusted to them.

The GDPR may be cumbersome and go too far for many bloggers and small businesses, but it is a necessary inconvenience. User data is one of the most valuable resources for every market-leading company; it is not without reason that data analytics and big data are growth topics in companies. Future business models are consistently data-centric, whether in insurance policies, e-commerce pricing or shared mobility offers. That does not have to be a bad thing, but until now customers could decide for themselves whether or not to accept an offer. Those who have given up their data, intentionally or not, and can no longer control it may have to take whatever offers they receive, because they are left with no alternatives.

But to get back on track: in the past, data protection and information security were often treated separately, although they overlap. Since the GDPR essentially requires process optimization and documentation, there is now an opportunity to combine both topics within an information security management system (ISMS). Data protection is not the same as information security, but without information security there is no data protection. It is high time to bring both aspects together, to the benefit of data subjects and data controllers alike.
