Kai Dwyer, CEO of Vallum and core participant within the Insurance Working Group for InsurTechNZ, shares his commentary on the GDPR regulation changes which recently came into effect.
Who isn’t familiar with the iconic Mission Impossible series? Where the mission instructions are so secret that the receiver cannot be trusted to destroy them, so instead an ingenious and technologically advanced self-destruct mechanism is embedded in the message.
In other words, Privacy by Design.
Do we need this concept to apply in our privacy and data management today? I’m betting yes. After all, who isn’t just a little bit disturbed by the sinister use of private Facebook information by Cambridge Analytica, whose actions arguably changed the course of history?
If nothing else, the Cambridge Analytica story confirms to us that our behaviour and brand will be judged in the court of public opinion. Doing what customers expect should determine our data management processes, not the regulatory hurdles that are in place.
With respect to data, we have just passed an important milestone. On May 25th the European Union’s (EU) General Data Protection Regulation (GDPR) came into force, setting a new benchmark for privacy by formalising data privacy standards across the EU.
GDPR lays down unambiguous rules of engagement between businesses and their customers, to allow for a prosperous digital economy, without concern for spamming, or (worst case scenario) identity theft. The rules will be strictly enforced with penalties that will make any CEO’s eyes water.
What’s more, even though New Zealand companies are technically not bound by EU regulations, GDPR will have implications for many more New Zealand ventures than many might expect.
There’s exhaustive information available on the subject. Even so, it’s worth highlighting the core principles which should prevail and be adhered to, irrespective of geography.
GDPR fundamentally states that personal information should be gathered lawfully and transparently. The data must be relevant to the purpose for which it’s collected, and this purpose should be clearly explained to the customer. The data, once held, cannot be transferred to another use by the same company. GDPR not only places limits on data collection and storage, it also imposes strict rules on how this storage is to be secured, and onerous obligations in respect of data breaches.
The new rules don’t exclude data profiling. Today, most of us can see the value of personal data being gathered to shape experiences we want. But individuals have a reasonable expectation of respect and privacy. When data users gather personal information for a specific, single purpose, they should not hoard, harvest or trade that information without explaining their intentions and seeking permission.
So, once the data profile is established to fulfil the product and service need, GDPR provides consumers with the “right to be forgotten”, where their redundant data is discarded and/ or anonymised. In other words, processes should incorporate a kind of “self-destruct” by design once the product or service transaction has been fulfilled.
Privacy by Design. After all, isn’t that what we all want… secretly!