Safeguarding data with GDPR

We live in a time when we are producing and consuming more data than ever before, from your browsing habits to the delay on that part you ordered last week, from the last person you connected with on LinkedIn to your phone’s location 4 hours ago. These large swathes of data can be leveraged in all kinds of ways, both extremely beneficial and malicious. As such, it is of the utmost importance that your data, and by extension you, are protected.

To give individuals greater protection of their data and more agency in the handling of that data, in 2016 the EU adopted the General Data Protection Regulation, or GDPR for short, replacing the 1995 Data Protection Directive. Despite being adopted in April of 2016, the regulation only became enforceable in May of 2018, to give companies time to prepare themselves for the necessary changes. The regulation applies not just to companies within the EU collecting or processing data on EU citizens but to anyone who wishes to collect data on any EU citizen. Whilst the UK has left the EU, we still retain the law in a similar form, the UK GDPR.

Fundamentally, the GDPR exists to give individuals more rights when it comes to their data. For instance, personal data absolutely cannot be processed unless certain criteria are met, such as the subject giving consent, the fulfilment of a contract with that subject, or the data being for a project in the public interest. Amendments have been made to clarify that the process for withdrawing consent (such as rejecting cookies on a website) must be no harder than the process of opting in, as many companies would make that process arduous enough that it heavily limited the number of people opting out. Additionally, there is the right to erasure, under which people can now request the erasure of data related to them within 30 days.

Furthermore, pseudonymisation is a required process for the storing of data, so that the subject of stored personal data cannot be identified without the use of additional information. Encryption is one solution to this, and the GDPR mandates that decryption keys be stored separately from the pseudonymised dataset. Tokenisation, the process of replacing sensitive data with a non-sensitive substitute, is another solution with low computational cost. While pseudonymised data still contains personal data (albeit locked behind additional data), and as such is still bound by the GDPR, tokenised data no longer contains personal data, and as such does not fall under GDPR regulation.
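To make the separation described above concrete, here is an added example (not part of the original article) that pseudonymises and tokenises a small constructed dataset. It uses a keyed hash (HMAC-SHA-256) in place of the encryption mentioned above, and the names `TokenVault`, `pseudonym` and `protect` are hypothetical; the key and the vault are assumed to be held in a different store from the dataset.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every value here is made up for illustration.
RECORDS = [
    {"email": "ana@example.com", "card": "4111111111111111", "spend": 120},
    {"email": "ben@example.com", "card": "5500005555555559", "spend": 75},
    {"email": "ana@example.com", "card": "4111111111111111", "spend": 30},
]


class TokenVault:
    """Token-to-value mapping, kept in a separate store from the dataset."""

    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenise(self, value):
        # Tokens are random, so nothing about the value can be derived from them.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value], self._by_token[token] = token, value
        return self._by_value[value]

    def detokenise(self, token):
        return self._by_token.get(token)

    def erase(self, value):
        # Dropping the mapping leaves the stored token unresolvable.
        token = self._by_value.pop(value, None)
        return self._by_token.pop(token, None) is not None


def pseudonym(value, key):
    # Keyed hash: stable per subject, not reproducible without the key.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def protect(records, key, vault):
    """Return the dataset as stored: no raw email or card number."""
    return [
        {"subject": pseudonym(r["email"], key),
         "card": vault.tokenise(r["card"]),
         "spend": r["spend"]}
        for r in records
    ]
```

Analysis can still group rows by `subject`, while linking a row back to a person needs the key or the vault, and `erase` removes that link for a given value.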

With penalties ranging up to either 4% of the annual worldwide turnover of a business or £17.5 million (whichever is greater), there is great incentive to stay in line with the regulation, and according to a 2018 report by Deloitte UK, 92% of companies believe they can operate within the bounds of the GDPR in the long run. Overall reception of the regulation has been positive worldwide, and even Mark Zuckerberg, CEO of Meta, praised it in a 2019 blog post published by the Washington Post. However, in the days leading up to this post there had been threats from Meta to pull Instagram and Facebook from European markets over legal issues stemming from data storage of EU citizens. At the time of implementation some services also simply blocked out EU users, citing that the costs to accommodate them would be great, but with the GDPR inspiring many other data privacy laws across the world, it may only be a matter of time before their stance is flipped.

GDPR provides robust legal rights for individuals, and the legislative power to uphold these rights against previously unchecked malevolent organisations. This will provide the governance framework to give individuals confidence that the use of their data is being safeguarded. This can only benefit Project Data Analytics, particularly as a broader array of data sources are being interrogated to generate insights that were previously unobtainable. In the long run this will only accelerate progress in the industry.

If you are a project professional and would like to know how data protection affects you and your role, sign up to the PDA Academy!