GDPR, Social and 15 minutes of fame
Due to the recent changes in Snapchat I've been reflecting again on social media and how it affects everyone's lives, not only in Europe where I live, but around the world. I find it fascinating how the EU is handling data privacy - all countries, for that matter, are putting an enormous amount of energy into ensuring that citizens are protected. Around 15 years ago data protection wasn't as big a problem as it is today. In our fast-paced, accelerated world, with the enormous amounts of data we share, it is becoming more and more relevant and important.
In the IT / software business, and in companies storing personal data about their consumers, a lot of time has been, and continues to be, consumed by 'being ready' and being compliant with the updated General Data Protection Regulation (GDPR) as enforced by the European Union (EU). Wikipedia has a nice summary of what GDPR is: “The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.”
Data protection and associated acts were already written up in 1995; however, due to the enormous and fast-paced changes occurring in our digital age, the most recent and, in my opinion, the biggest changes were adopted in April 2016 and will take effect in May 2018. This is actually a pretty short period considering all the work that needs to be done by all parties, both on the legislative side as well as by companies housing customer data, tracking customer data, analyzing customer data, providing customer data and so forth. It's my firm belief that GDPR will be a goldmine for legal companies across the globe. Having to adhere to all of GDPR’s regulations will leave gaps: many organizations won’t be ready, many organizations have procedures in place that are overlooked, and processes that haven’t changed yet. If 'the people' really step up and take advantage of GDPR’s protection, this will surely lead to courtrooms and settlements.
There are literally thousands of articles on GDPR, so I won't go into detail on all of GDPR's requirements for companies. I would like to zoom in on the Data Subject Rights (I'm a data junkie) of GDPR. These are some of the customer-facing regulations that companies will have to adhere to:
Breach Notification
- If a breach of customer data happens, a notification will need to go out within 72 hours of becoming aware of the breach. This means a lot of work for the PR department, and sleepless nights to adhere to this short time window and come up with the appropriate message. The infamous Yahoo data breach affecting 500 million user accounts is a good example: it happened somewhere in late 2014 and was disclosed to the general public in September 2016. With GDPR in effect by that date, Yahoo would have been sued hard.
Right to Access
- People whose data is stored by a supplier / company have the right to ask whether their data is stored, why it is stored and where it is stored. In addition, a supplier / company needs to be able to provide a copy of the personal data, at no cost, in digital format.
Right to be Forgotten
- This is a biggie. If this regulation at inception was the size of a mouse, once you have to adhere to it and implement it in your organization and / or your software, trust me, the mouse has become bloody Godzilla. Especially for cloud businesses. From https://www.eugdpr.org/key-changes.html: "Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data."
Data Portability
- Once again, customers / prospects of a company will have the right to receive their personal data from any company that stores it, and the ability to move it to another controller.
Privacy by Design
- This basically means your software, systems, processes, ANYTHING that deals with customer data needs to be designed with privacy as an initial thought, not something to be added after the fact. It also enforces what's called Data Minimization (LinkedIn makes me change this into the American version with a Z, I hate red dotted lines under my text), which basically means that only data absolutely necessary for 'completion of duties' may be stored. This is interesting for those companies who rely on customer data being as rich as possible, if not for now, then for use in future scenarios. Marketing and social media, anyone? It should also guarantee that the people who have access to this data are those who need that access in order to 'perform their job'.
Data Protection Officers
- Let me highlight the key elements of the role of a Data Protection Officer in an organization (as taken from https://www.eugdpr.org/key-changes.html once again):
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider (mmm Interesting... There's work here!)
- Contact details must be provided to the relevant DPA (Data Protection Authority, the supervisory authority under the EU General Data Protection Regulation)
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest. (haha, try to enforce that.)
OK, so now that we have the dry stuff out of the way, let's zoom in on Godzilla (remember, I look at this from the data & software angle): the right to be forgotten. Sure, there are procedures that organizations and software vendors can implement to erase data from their main data warehouses, data marts, operational and transactional systems, big data solutions and whatever storage they may use for customer data. But what about exports of that data? Exports to flat files, exports to Excel files for further analysis, sharing of data through marketing campaigns, web and web traffic data, (e)mailings and their history. The list goes on and on. All that data will need to be erased as well, but that can't be automated, as it could be stored anywhere. And how about the conflict of interest: what about intelligence organizations (FBI, CIA, Interpol etc.) that need access to just that personal data as well as transactional and location-based information? If the data is truly erased when a consumer asks for it, will all data be erased? Will the data that is in the hands of government organizations also be erased? Can I call them to understand what data they have on me, and can I ask them to have that data erased as well?
I am positive that is not the case. It can't be, because our society now relies on data, day in, day out. Even under the banner of potential terrorism, data will continue to be analyzed and stored, because protection of the general public overrules the rights of the individual. In essence, even though I'm all for protecting the individual, I believe some of GDPR is a farce.
To add to that, let's take a spin. Two words: 'Print Screen'. Print Screen has allowed anyone to take a screen grab of data displayed on their monitor, and it is almost as old as the invention of the personal computer. So even though organizations go to great lengths to adhere to and comply with regulations, this simple functionality would still allow data to be stored and shared through any channel... forever. (Yes, I'm aware there are technical ways of not allowing Print Screen to be used, but even then, there are ways to get to the data and store it. A simple camera would work just as well.)
And now another spin: let's look at a new feature in Snapchat that my son and I spoke about just yesterday. He showed me a beautiful map in Snapchat, where he could see all of his friends who have this option turned on (Snapchat allows you to be a 'ghost' and not share your location). In order to share your location, you need to allow it: Location Services needs to be activated on your phone, and you're able to share with anyone you choose when you use Snapchat (the feature only works if you actually use Snapchat).
Based on location services, which is actually a combination of GPS, cellular networks, WiFi and Bluetooth, and in this case the use of Snapchat in a certain location, users can bring up the Snap Map and see where their friends are or have most recently been active. This information will also be deleted after a short period of time, close to the heart of Snapchat's core approach. So let's bring in Print Screen again. Snapchat notifies the other party once Print Screen is used on a snap that's sent to someone, but that's after the fact. I know this is done on the basis of individual snaps shared between users; I'm not sure if a notification goes out if a print screen is made of a Snap Map. (Anyone?)
Initially I was quite amazed by this new capability in Snapchat, as sharing your whereabouts is something that's controversial at best. There have been many cases where this has taken a negative spin: stalking, use of this data in courtrooms because of someone's whereabouts in the vicinity of a crime scene, problems in relationships ('You told me you went bowling, now I see you were blowing'). On top of that, this data is reliable but definitely not 100%.
I bring this up to look at how new generations, and most likely not those involved in updates to GDPR, are actually dealing with personal data and social media and sharing their stories. (Or did the EU involve sponsor users from younger generations to get their feedback and input on how they feel about the new regulations?) Remember that the millennials are the first generation to have been born into the digital age. They deal with social media and data sharing entirely differently compared with older generations.
The power of social networks is all about the human psyche: having the feeling of being listened to, of being important, of being social, of being liked. Having your 15 minutes of fame. If you want to drill down on some of these aspects, there's the well-known FOMO - Fear Of Missing Out. That's a force not to be underestimated, because people by nature want to be part of the group. No one wants to be left out. Everyone wants to be liked. So while we, as a society, parents & caretakers have to ensure the well-being of our children (think about all these sad situations where data is shared that should never have been shared, resulting in the worst of the worst), I think in many aspects our children have a far more advanced outlook on how they want to be part of their group. With innovations such as the Snap Map, kids quickly become intrigued by its possibilities and they will use it. So if we bring in the right to be forgotten once again, this will become a very interesting dialogue between those that try to enforce GDPR and those that have moved on.
My son and I had a long discussion about social media, the risks associated with oversharing, the fact that people are always listening in, and that all your moves are being tracked. He and his friends are very much aware of this; they face the challenges and some of the bad situations every day. However, many of them will still continue to use social media and embrace the openness it brings them. Social media is a digital schoolyard. Whether their data is stored, their moves are tracked, they are monitored, whatever happens to their data, there’s a realization but also an apathy, because everyone uses these channels and apps. This is where GDPR will help, albeit in many cases after the fact.
In many ways, I feel that as a society we try to enforce rules and regulations on a network that was meant to be open. It's a strange comparison maybe, but it's as if the EU is a parent telling their children not to listen to Elvis because he moves his hips in a peculiar way. Laws and regulations always follow after innovation has happened. Once one aspect is locked down, new innovations will come up that will lead to new laws and regulations.
So, to summarize, is GDPR a ‘good’ thing? I would say yes. It’s there with the right intentions. As humans we all have the right to know, understand, and be in control of what happens to our information. Especially young people, who may end up somewhere on the internet with content they wish they had never shared in the spur of the moment; they need to be helped. GDPR is trying to do just that: give more power to the consumer. But is it waterproof? No, it is not. It will never be.
As always, comments highly appreciated, especially if you don't agree with me!
Thanks
- Snap Map Image taken from https://www.gottabemobile.com/how-to-use-snapchats-snap-map/
- EU flag image taken from wikipedia.org
- All other photos are my own
Independent professional trader
7 years: Good article.
Coordinator of Teacher Professional Development
7 years: "If your time to you is worth savin', then you better start swimmin' or you'll sink like a stone. For the times they are a-changin'" - Bob Dylan. True in the sixties, true now. Collecting data has a lot of advantages and some disadvantages. We do need regulations to protect us and we need to be careful ourselves. I do think that we should have the Right to be Forgotten, to an extent. You cannot expect a teenager to consider a future employer when posting a silly picture or a thoughtless remark. Will it be watertight? No. Will it be good enough? For most of us. Personally, I am glad that smartphones and apps like Snapchat weren't around when I was in my teens. Or my early twenties, for that matter.