
GDPR and the Data Economy

The new EU Data Protection Act (GDPR) has been in force since May 25th, 2016, but has been in effect since May 25th, 2018. As stated by the EU Commission, this law is the biggest change in personal data protection in the past 20 years and has objectives that go far beyond just protecting privacy.

The Law

Here are the essential changes that GDPR brings in relation to the present regulations:

  1. The fine for deliberate violation of the law, 4% of a company’s global turnover, is high enough to be taken seriously by any major multinational. For one German automobile manufacturer, the fine could amount to more than EUR 150 million.
  2. Extra-Territorial Application: Under the old personal data protection law, only companies with headquarters in the EU were affected. From now on, any company around the globe that stores and/or processes personal information of citizens of the European Union falls under the law. As a result, large auditing and consulting firms are finding it hard to meet global demand for resources and know-how.
  3. Rights and Obligations:
    • The right to be “forgotten”: gives the individual the right to request and obtain the deletion of all the information a company holds about that person, except for the information subject to legal provisions.
    • The Notification Obligation: Any violation or unauthorized use of proprietary data should be reported immediately to both the controlling authority and the affected person.
    • The right of access (copy, modify, and delete data): the processing entity (the company that holds and processes the data) is required to provide, within 30 days, to any individual requesting it all the data that it holds on that person, as well as the purpose for which the data has been used by the processing entity or by any third party to which the processing entity may have transferred it over time. The law also gives the individual the right to a partial or total change or deletion (the right to be forgotten) of the stored data.
    • The obligation to designate a Data Protection Officer: While companies had so far been required to report to the controlling authority personal data processing activities, as well as data security breaches, they are now obliged to internalize these operations under the supervision of an appointed DPO. This role should be taken by a dedicated person, especially in the case of companies whose business involves the continuous processing of personal data.

Challenges when applying the new regulation

Companies, especially large multinationals, are facing serious challenges when implementing the new regulations. The first problem is cataloging the data from a multitude of sources: databases, emails, documents on common or personal hard drives, non-digitised documents, etc. Which of this information is relevant from the new law’s point of view? Those who know the various systems cannot decide on the relevance of the data and those who can decide on the relevance of the data do not know the underlying information systems. Typically, a GDPR project involves dozens of people from all departments who gather and process information about individuals from outside or inside the company, such as Sales, After-Sales, Marketing, Customer Service, Customer Relations and HR (employees have the same rights in relation to data protection as any other individual). Anyone who submitted their resume, for example, is now entitled to delete and modify the information contained in that resume. 

The strict requirement of completeness is the one that creates the greatest difficulties. If a subject asks for a copy of all data ever stored about him or her by, say, the Telephone Company, and a single piece of information is missing from the copy obtained, which the subject can prove to have communicated at some point, the Telephone Company is liable to sanctions and fines.

In the case of car manufacturers, for example, the control authority has determined that any information related to a VIN (Vehicle Identification Number) is potentially personal. In the databases of a car manufacturer, everything is linked to a VIN, from the robot adding a single item on the production line to the GPS data of the driver’s daily route.

No one can guarantee total compliance with all the requirements of the new law, so companies must deal with high risks of being fined even after successful GDPR implementation. Various software developers – I recently saw a presentation of the OpenText solution – have begun, with the zeal of gold diggers, to create various crawlers that promise to tap all of these data sources and automatically identify, using Artificial Intelligence, the personal information they contain. The accuracy of these tools in identifying relevant data is very low. Only personal information such as name, address and a few other fields will be identified, leaving the base of the iceberg (GPS information, profiling data, health-related information etc.) untouched. Also, they will not be able to identify the purpose for which the information provided is processed, which is expressly required by the new law.

From the Project Manager’s point of view, we are dealing with a nearly impossible mission. Whatever resources we have, we can assume that we will not be able to provide all the data referred to by the new law, so we are left with the following two options:

  1. Applying the principle by which 20% of the effort produces 80% of the results, we must constantly prioritize everything: the systems we analyze, the information in those systems that we can make available in a timely manner and in an intelligible way. In general, we must know what to dispose of and when.
  2. Develop compensatory measures, external to the project itself, such as defense strategies in court, asking the control authority for advice, splitting the reporting process into phases to gain time, estimating and allocating budgets for unavoidable fines, etc.

The Economy of Data

What is at stake that justifies these implementation costs and the amount of the potential fines? Why is it imperative and urgent to regulate the circulation of personal data?

1. Information as commodity

The Economist rightfully compares Big Data, which at its core is personal information (the unclear distinction between the two remains to be analyzed separately), with oil as a commodity in the last century. Information and its interpretation are the most important raw materials for the speedy growth of any company in the world economy today, and the trend still has the potential to accelerate.

The ways in which the correlative interpretation of personal information can be transformed into profit are rapidly diversifying: targeted advertising, customized products and services, more or less subtle manipulation based on psychological profiling. Our smartphones know how much we run weekly and how our hearts beat, the car knows where we are going, Facebook knows who our friends are, what we like about them and what they like about us, and soon intelligent homes will know exactly what we throw away and if a woman’s voice was heard on date X in our bedroom. And Google knows everything about us. Companies that do not use this data to advance their business already have an important competitive disadvantage. The process of digitization that has been taking place for a few years in small firms as well as in the largest concerns aims at adapting internal production, communication and R&D processes to these data flows and creating the capacity to exploit this new resource.

While “refining” information becomes more and more sophisticated, its collection at source, i.e. from us, remains non-transparent, unregulated and unfair, given the lack of compensation in relation to the value of the information gathered.

Let’s take the common example of cookies: there is a recent (in the EU) obligation to display a disclaimer that informs the visitor about the use of these small but skillful data collectors, requesting explicit consent for their use. Once we have registered with email and name, cookies begin to collect data about our behavior and preferences. The overwhelming majority of sites merely inform us of the use of cookies, omitting to specify what information they collect, the purpose for which this information is processed, and to whom else it might be transferred or sold. Sites that offer proper information about their cookies, such as The Guardian, are an exception:

Source: The Guardian

We do in fact have the possibility to refuse cookies or, if we have some technical background, we can delete them at any time from our hard drives. But once the information is already collected, processed and eventually distributed to third parties, we lose all control. This almost total loss of individual control over personal information is in flagrant contradiction with the right to private space. It is precisely this contradiction that is addressed by the new GDPR law, granting the individual control over the possession and use of his personal data, through the right to be forgotten and the right to access.

In my opinion, the fact that companies are making profits on this new commodity, the source of which is the individual, his personality, behavior and habits, is not sufficiently regulated. Access to this resource must not be free, such as access to solar energy, because personal information is not freely available to everyone. Until a monetization method is found, the surrender of control for this raw material to its source is a necessary first step.

2. The value of information

International Data Corporation (idc.com) estimates global revenues from Big Data trading and analysis at $150.8 billion for 2017, predicting $210 billion for 2020 and an average annual growth rate of 11.9%, compared with an average of 3% across the economy, with only between 15 and 20% of the available information volume actually being used.

3. Issues of the emerging Data Economy

Currently, this new “fast-growing” industry is affected by the following issues, for which the new GDPR law is a small but fairly targeted move.

a. The monopoly

The ability to collect and analyze data is concentrated in the hands of a few well-known players such as Google, Facebook, Amazon & co., plus the established IT giants: IBM, Microsoft, Oracle, SAP, each having its own specific domains, AI, and analysis methodology. Smaller players matter to the extent that they are worth swallowing, in a trend toward consolidating monopolies.

Here are some recent transactions that have the above-mentioned effect:


Source: The Economist

The issue of these monopolies and the lack of regulation of the data market has become obvious in the recent case of Cambridge Analytica.

b. Monetization

The value of many companies in the market is based on the size and quality of the information base they hold. For example, Uber’s estimated value of $85 billion is not based primarily on the company’s ability to produce profit by selling its services, but on the value of the largest customer database in the world, along with travel history, payment data, and interaction with drivers. Although the overall market value of the aggregated information can be determined, its value at the source is impossible to estimate, since this information is obtained free of charge, and attempts to find a formula for calculating its value have failed so far. At this year’s World Economic Forum, the idea of setting up personal information accounts, much like normal bank accounts, was widely debated. The main difficulty in finding this formula is determining the relevance of a particular piece of information in a given context, without taking into account its possible connections. It’s like determining the importance of a single piece in an infinite puzzle. For example, specific information stored on my health care card is much more valuable if I’m over 60 and suffer from chronic diseases than if I’m a healthy 20-year-old student. The few known examples of personal data monetization reveal the challenge in finding a generally valid model.

  • A university in Italy has determined that its students are willing to give one-time access to their smartphone data for $2.72.
  • The company Datacoup offers its customers $8 per month for access to their social media feed and bank account statements.
  • The Dutch student Shawn Buckles earned $480 by auctioning his personal data, including email and his internet browser history.

c. Artificial Intelligence

Perhaps the greatest factor for both growth and unpredictability is artificial intelligence. While 3-4 years ago personal information was being used primarily to drive advertising and sales and to personalize products and services, the involvement of AI in analyzing and interpreting data in the last couple of years has turned into a game changer. The amount of data available for real-time processing, interconnection, and analysis has outstripped the processing ability of linear algorithms by far. The ability of artificial intelligence to develop its own algorithms through learning has become indispensable. In practice, businesses of any size that do not develop robots, in almost any field, quickly find themselves at a competitive disadvantage. The main effect is that virtually any piece of information, through the involvement of AI, which connects it to millions of other, individually irrelevant, pieces of information, can yield relevant, useful and profitable results.

The Chinese online giant Alibaba has developed and implemented a “cooperation” system between wind generators in a wind farm. Each wind generator “senses” the airflow produced by its neighbors, analyses their operating parameters and detects a potential malfunction before its occurrence, adjusting its own operation to help its neighbors.

Gradually, man will lose control over the logic of interpreting the information used by artificial intelligence and thus lose the ability to validate the results of its analysis. In other words, we will soon become totally dependent on AI for “translating” and interpreting the information that defines the world around us.

For each one of us

Our data is money, a lot of money, in the hands of others who obtain it from us for nothing. Now we can, and we must, at least control the dissemination of this data: we now have an instrument to sanction companies that use our information beyond explicitly granted rights and purposes. This instrument is GDPR.

As a result of the dissemination of information, we are confronted every day with various results of data analysis and interpretation, done by more or less up-to-date algorithms, by more or less inventive bots. Some skepticism is welcome: good old human intelligence, ennobled by intuition, could lead us to different results.

