I recently got a chance to sit down with Dr. Ann Cavoukian, Distinguished Expert-in-Residence – Privacy by Design Centre of Excellence at Ryerson University, as part of my CanInnovate podcast. Dr. Cavoukian gave us the low-down on the European Union (EU) General Data Protection Regulation (GDPR) that came into effect May 25th, 2018 and what it means from a global perspective.
In addition to GDPR, she discuses Privacy Enhancing Technologies (PET), International Council on Global Privacy and Security by Design, and even how Steve Jobs avoided being tracked! She’s just a fountain of knowledge – here's an overview of the conversation:
Cambridge Analytica Scandal
Here is a great article from Forbes Magazine, Cambridge Analytica: The Turning Point in the Crisis About Big Data. The Forbes Article really provides a great understanding of the implications and data collection, how data is used, data security and protection and purging is going to change how businesses understand consumers.
Between GDPR that is coming into effect on May 25th, 2018 Cambridge Analytica scandal and the regular daily occurrence of data security breaches, there's a real opportunity for consumers to better understand their rights and ownership of their personal information.
GDPR: A Game Changer
As a result, consumers are more and more concerned about their privacy. Dr. Ann Cavoukian shares with us that over 92% of consumers are worried about their privacy and their lack of control. GDPR is going to change that and eventually become an international standard, it’s just starting with the EU.
GDPR raises privacy dramatically and includes the privacy by design framework, which in 2010 became the international standard and has since been translated into 39 languages. Dr. Ann Cavoukian, developed the Privacy by Design framework, that seeks to proactively embed privacy into the design specifications for technology infrastructure and business practices.
Currently, GDPR is only for the EU and their 28 member countries. However, any business that currently has dealings with any consumers in the EU, needs to adhere to the GDPR guidelines and be compliant by May 25th, 2018. Let’s be clear, we all do or want to do business with the EU. Any customer or potential customer information for any of the EU countries, need to be compliant with GDPR.
In fact, Dr. Ann Cavoukian, mentions that even though Canadian privacy legislation has always been fairly strong, however, in order to be adequate and more consistent with GDPR, Canadian legislation will need to be updated. GDPR has definitely set the stage for best practices, in which other countries will most likely follow suit.
What is GDPR
“The EU GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy.”
First of all, GDPR puts consumers in the driver’s seat. Check out their website here.
One of the big changes is how consumers provide consent. The rules are more around providing positive consent (Opt-In) instead of being provided an option to Opt-Out. It’s a very proactive, intentional customer-centric privacy design. In order for consumers to opt-in to providing organizations with data, they will require full transparency of how their personal data elements will be utilized. Personal information is referred to as any identifying attributes that can lead me back to the consumer. This includes items such as phone number, email address, IP addresses, cookies, etc..
As a result, GDPR is going to have a massive implication in numerous areas from Artificial Intelligence (AI), Big Data, Marketers, IT, Records Management, Security and the list goes on. In fact, Dr. Ann Cavoukian shares with us that 60% of businesses are not ready for the GDPR rules to come into effect. Yikes!
In fact, GDPR is a good thing and could provide a new competitive advantage. Consumers are asking for increased transparency. If done correctly, it could help increase customer loyalty, retention and brand affinity. I noticed that quite a few businesses have been updating their privacy policies in anticipation of May 25th, 2018 deadline. I’ve received a few emails regarding these updates. However, they are still not in customer-centric nor user-friendly terminology. It makes a little hard to understand, unless you’re a lawyer.
With only 40% of businesses ready to go and with only three weeks to go before compliance date hits of May 25th, 2018 (at the time of this interview), we can expect GDPR to make examples of those that are non-compliant.
The penalties are severe for not being compliant, 4% of your global revenues! Google, Amazon, Alibaba, Facebook, and others could be facing millions in fines if they aren’t ready for GDPR. I’m sure they are ready as they have had a few years to get ready for GDPR:)
Steps to Take
Dr. Ann Cavoukian shares that we need to be crystal clear on what data we are using, the purpose, and provide the full context of how we intend to use this information. This includes permission to use their name and email address for a mailing list that distributes a weekly newsletter. We can’t just provide people with freebies and subscribe them to a newsletter.
First, identify all the data sources across your organization. Where do all the consumer information sit? Which department has what? This includes clients and potential clients in our mailing list.
Create a data map of all the data elements and what the intended use is for. Develop a consumer friendly data lexicon of how their personal information will be utilized. Use examples, so that consumers can understand the context and language that is simple and easy to understand.
In fact, I often advise my consulting clients, to keep the terminology very simple. A simple tip is to test it out on your mother. If my mom understands what I wrote, it’s golden! The mom-test.
Another tip is to try to segment which consumers are based in the EU. This will enable you to quickly prioritize, develop a communication strategy to obtain their permission to use their information.
Finally, organizations need to provide adequate paper trail to show the level of due diligence conducted to gather positive consent. Keep records to show proof of work and store it with internal control.
Tools & Resources
Lastly, I did manage to ask Dr. Ann Cavoukian for recommendations of tools to help businesses successfully transition to compliance. She gave us a suite of them with some great advice. Her biggest piece of advice is to follow the Privacy by Design –Seven Foundational Steps to show that there is intent to be compliant to the GDPR.
Here is a list of some other great resources to help you with compliance. Feel free to add additional resources in the comments below.
About the Author
Sapna Malhotra brings more than two decades of domestic and international management consulting experience in sales and business operations in the technology, financial services, and telecommunications industries. She has significant experience in leading large-scale business and IT transformation programs to deliver consistent end-user experience in demanding and fast paced environments. Sapna is known for her constant industry curiosity and new and emerging technologies that will enable different industries to be on the forefront of this digital revolution. In June 2016, she started the Women Digital Network (WDN) in Canada with over 400 members and growing. Its focus is to enable digital literacy and mindset.
She has also started CanInnovate podcast focusing on Canadian innovators that are changing the game. She truly believes that education and awareness is instrumental in overcoming any obstacles and perception challenges both globally and locally. She is a globally recognized Certified Management Consultant (CMC), and Chartered Professional Accountant (CPA). She also holds certificate in Change Management Leadership, Lean Six Sigma accreditation and DevOps & UX Design foundation certifications. You can find Sapna walking / hiking & exploring new areas, trying to win the world’s greatest aunt award, discovering new brunch places, and inventing new recipes. Contact her at: Sapna@Digiruptor.IO
This blog was first published here.