It's easy to forget the Internet was built to share information across a global network, not to keep it private. Sharing has become an essential part of life and that's not going to change any time soon. Whenever we have something to share, in any format, there are a multitude of ways, tools, and modes to do it. Even material nobody ever intended to share somehow ends up out there. So there are pros and cons to all of this sharing.
Meanwhile, data brokers, regular old companies, slick startups, and criminals continue to refine ways of exploiting our data for profit. Up until now there has been no limit to what companies can do beyond their own internal moral compass, which often enough doesn't exist at all. Regulation like the General Data Protection Regulation (GDPR) is an effort to protect our rights as individuals to the privacy and security of our data.
This is a good thing for a couple of important reasons. Primarily because here in the United States there is far less government regulation, and far less accountability, for companies that collect and use individuals' personal information as part of their business model. The GDPR is a pioneering effort to create an equitable balance between business and the individual, and it will no doubt shape how the rest of the world operates in these contexts. Second, we need some sort of regulation, especially in light of just some of the high-profile events this year alone that compromised individuals' rights to security and privacy:
Apollo, the data aggregator and analytics service, just exposed more than 212M records
Under Armour exposed 150M users' personal information via MyFitnessPal
Panera accidentally made 37M customer records publicly available on the Internet
Ticketfly exposed 27M people's names and personal contact info
Sacramento Bee exposed almost 20M California voters' records
Also, dozens of breaches of small and mid-sized healthcare companies that have put Protected Health Information (PHI) at risk
And plenty of cases of individual employees selling company info to make some money on the side.
These things happen every day to companies that aren't prepared to respond to such unplanned events. Whether you like it or not, regulation like the GDPR brings privacy and security to the forefront of many conversations that have otherwise ignored them. Privacy and security are team sports: businesses and consumers alike, all of us, have to participate for the game to be successful. There is no "other world" because we all share the same fate when it comes to sharing, respecting, and protecting our personal information.
Policy seems to be the only way to enforce accountability and ensure that these values take hold and are sustained by commerce as well as the law, which is why the GDPR is specific about what kinds of data are worth protecting:
Biographical information or current living situation, date of birth, national identification number (such as an SSN), phone number(s), and email address(es)
Looks, appearance and behavior, including eye color, weight, and character traits
Workplace data and information about education, including salary, tax information, and student number
Private and subjective data, including religion, political opinions, and geo-tracking data
Health, sickness and genetics, including medical history, genetic data, and information about sick leave
With that in mind, we owe it to ourselves to have some basic fluency here. Here's a friendly outline of key tenets everyone should get familiar with:
Consent – We have the right to be informed in "clear and plain language" about how our information is collected and used. We can withdraw our consent at any time, and withdrawing it must be as easy as giving it.
Correction – We now have the right (the GDPR calls it rectification) to ensure the information being collected about us is at least accurate, and to have inaccurate data fixed.
Portability – We have the right to receive our personal data in a structured, commonly used, machine-readable format and to transfer it from one electronic processing system to another. This gives us some power to choose which companies we trust with our data and to move it as those perceptions and preferences change. They will change.
Erasure – We have the right to withdraw our consent and ask for our personal data to be deleted. This is not quite absolute: Article 17 allows a company to keep data it is legally required to retain, for example, but the default is that a valid request means the data goes.
Access – We have the right to know what information about us is being collected, how it's being used, and who it's been shared with, and to get a copy of it.
These sound wonderful. However, like many individuals, a lot of companies are still illiterate about all of this. They need education, too.
Goals for the Second Year
Companies need to begin to build a better understanding of where this data exists within their infrastructure for everyone, not only people who live in the EU. They need to know where that data lives, who has access to it, how it's processed, who else it might be transmitted to, how to give it to you when you request it, and how to delete it when you request that it be deleted.
How can they do this? One of the friendliest ways is to build data-flow diagrams. This exercise helps visualize how data flows into an organization, where it ends up, how it's used, who knows it's there, and where it is most vulnerable. It helps organizations accomplish other important things, too, like designing disaster recovery tactics, incident response plans, and overall resilience. The effort of building a better understanding of how an organization works and where it is most vulnerable pays for itself in a crisis, when an unplanned event compromises productivity, reputations, and bottom lines.
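A data map doesn't have to stay a picture. The following is an added example, not code from the original post, that encodes a constructed data map as a small graph and answers the questions above programmatically: which systems hold a given kind of personal data, who can reach it, where it is transmitted onward, and which systems an erasure request has to touch. It also runs a simple pattern-based classifier over a constructed sample record to catch personal data a system holds but the map never declared, which is how stale diagrams get caught. System names, roles, fields, and the regular expressions are all assumptions for illustration.

```python
import re
from collections import deque

# Constructed data map (assumed for the example): system -> fields it stores,
# roles that can read it, and downstream systems it transmits data to.
DATA_MAP = {
    "web_signup":  {"fields": {"email", "name"},          "access": {"app"},               "sends_to": ["crm", "analytics"]},
    "crm":         {"fields": {"email", "name", "phone"}, "access": {"sales", "support"},  "sends_to": ["mail_vendor"]},
    "analytics":   {"fields": {"email"},                  "access": {"marketing"},         "sends_to": []},
    "mail_vendor": {"fields": {"email", "name"},          "access": {"marketing"},         "sends_to": []},
    "backups":     {"fields": {"email", "name", "phone"}, "access": {"ops"},               "sends_to": []},
}


def locate(field):
    """Every system that declares it stores the given personal-data field."""
    return sorted(s for s, meta in DATA_MAP.items() if field in meta["fields"])


def recipients(system):
    """All systems data can reach from `system`, transitively (who else it is sent to)."""
    seen, queue = set(), deque(DATA_MAP[system]["sends_to"])
    while queue:                       # breadth-first walk over the sends_to edges
        nxt = queue.popleft()
        if nxt not in seen:
            seen.add(nxt)
            queue.extend(DATA_MAP[nxt]["sends_to"])
    return sorted(seen)


def who_can_access(field):
    """Union of roles with read access to any system holding `field`."""
    roles = set()
    for system in locate(field):
        roles |= DATA_MAP[system]["access"]
    return sorted(roles)


def erasure_plan(fields):
    """Systems that must be visited to honour an erasure request covering `fields`."""
    plan = set()
    for field in fields:
        plan |= set(locate(field))
    return sorted(plan)


# Heuristic classifiers (assumed, deliberately simple). Order matters: the
# SSN and date patterns are checked before the looser phone pattern, which
# would otherwise also match strings like "123-45-6789".
PATTERNS = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("ssn",   re.compile(r"^\d{3}-\d{2}-\d{4}$")),
    ("dob",   re.compile(r"^\d{4}-\d{2}-\d{2}$")),
    ("phone", re.compile(r"^\+?\d[\d\s().-]{7,}\d$")),
]


def classify_record(record):
    """Tag each string value in a record with the personal-data category it resembles."""
    found = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for category, pattern in PATTERNS:
            if pattern.match(value.strip()):
                found[key] = category
                break
    return found


def undeclared(system, record):
    """Categories present in a real record that the data map does not claim for `system`."""
    seen = set(classify_record(record).values())
    return sorted(seen - DATA_MAP[system]["fields"])


if __name__ == "__main__":
    # Constructed sample row pulled from the analytics store: the map says it
    # only holds email, but the row also carries an SSN and a date of birth.
    sample = {"user": "a@example.com", "ssn": "123-45-6789", "joined": "2018-05-01"}
    print("phone lives in:", locate("phone"))
    print("signup data reaches:", recipients("web_signup"))
    print("analytics holds but never declared:", undeclared("analytics", sample))
```

Running the map this way turns "where is our data?" into a query you can re-run every time a system is added, and `undeclared` is the check that keeps the diagram honest against what the stores actually contain.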
The GDPR also carries varying levels of complexity, depending on the type of business and the context in which it collects information. Regulated industries always have more complexity because there's more at stake, while smaller, more niche businesses face a lighter set of obligations (the record-keeping exemption in Article 30 for organizations with fewer than 250 employees is one example, though it falls away when the processing is risky, regular, or involves sensitive categories).
Whatever level of complexity your organization is responsible for, it's worth making sure that the processes for managing data are designed with thoughtful intention. These processes need to make sense and be friendly enough that people will honor them and actually follow them. Make sure keeping data safe isn't too difficult or complex. Help your team understand the value of these processes by including them in their design. Get their input while designing training. Ask them to help train others at least a couple of times a year. Review these processes, training materials, and related internal policies at least annually to make sure they're still relevant and valuable to the team.
Protecting our information is a team sport. We all share the same fate.