All those emails on privacy mean nothing
If you’re like me, you’ve no doubt received hundreds of emails in recent weeks from organisations around the world wanting to update you on their privacy policies. They were all rushing to meet a deadline of Friday 25 May. While for most people they were just more emails for the trash, there was, nonetheless, an important reason behind them.
Friday 25 May was a watershed date. For most people around the world it seemed a day pretty much like every other. Except if you live in the European Union (EU) and tried to visit the websites of the Los Angeles Times, the Chicago Tribune or The New York Daily News. Instead of their landing pages, you’d have seen the message: “Unfortunately, our website is currently unavailable in most European countries.”
This wasn’t a server error or a problem with undersea cables. This was a conscious decision to cut off a half billion-strong consumer market as the lesser of two evils. Big call.
The denial of service by the media websites and the emails you received hinted at the magnitude of the change coming for people and organisations, not just in the EU but across the entire world from May 25. As of that date, the General Data Protection Regulation (GDPR) came into effect in 28 European countries.
This important economic block, which is home to 500-million consumers and citizens, now boasts the most robust data regulation in the world. While it’s triggered a fundamental shift in how personal data is collected, managed, stored and used, few organisations have grasped the enormity of the impending changes to the way they need to operate, and to how consumers and citizens can now control and access their own data.
In brief, GDPR means that any organisation, whether it’s Amazon, Google, a government, a small online retailer, school, hospital, football club and so on, must be completely transparent about how it uses personal data it collects. Consumers and citizens must give explicit permission for their data to be used or shared in any way, and organisations with more than 250 employees must hire a data officer.
This doesn’t just apply in the EU. Our transnational world means that even, for instance, a stamp-collecting club in Wagga Wagga with members in the EU must comply. Failure to do so means a substantial fine: €10 million or 2% of global revenue – whichever is higher.
Dig a little deeper, however, and the true impact of GDPR begins to emerge.
Any company, regardless of where it’s based but which has consumers in Europe must now literally monitor, secure, manage and organise every single piece of sensitive data they hold, and in unprecedented detail. The same applies to any EU member state government. Organisations must now be able to identify and track individual pieces of data. They have to be able to identify who has accessed that data, where it’s been accessed, as well as when and how. And they have to respond to any consumer or citizen who wants to know how their data has been used in the past, or who wants their entire record expunged as part of the right to be forgotten. The organisational infrastructure needed to do all this is, in a word, huge.
So not surprising then that some large US organisations, like the LA Times, the Tribune and the NY Daily News, have already decided that blocking users is the lesser of two evils – the other being complying with GDPR. This won’t help them, though, because they still have historical data on EU citizens, and must toe the line. And longer term, their business models rely on being able to monetise the data they hold.
The world of data has become so inextricably complicated that it is impossible to unravel where true ownership of data lies, and accordingly, who gets to claim ownership and privacy rights.
Take, for instance, a basic online transaction: A consumer in Townsville in Queensland Australia buys a spare part for her car online from Italy using an Australian bank-issued credit card on the VISA platform. The buyer, the Italian vendor, the Australian bank, and VISA aren’t the only parties to this transaction. There are multiple banks involved in transnational e-commerce; there is the hosting platform for the vendor’s website; the buyer’s email provider; the satellite services that transmit the transaction data; and various other parties. This simple demonstration reveals that every piece of data comprises contributions from multiple parties in many jurisdictions.
It also indicates that implementing a consumer’s right to be forgotten is a tangled web.
Identifying the ‘owner’ of data is a challenge yet to be tested by the authorities tasked with enforcing the new data privacy regime. It will be further complicated by having to abide by the GDPR as well as the relevant data regimes in each country where the various transaction elements occurred. It almost goes without saying that there could be significant differences between them. And we haven’t even touched on the emergence of non-jurisdictional transactions facilitated by blockchain and settled with cryptocurrencies.
In Australia, the advent of the open banking regime in July 2019 poses another raft of headaches, as bank customers will be entitled to greater access to and control over their data. In the next year, the banks – already grappling with a host of reputational, trust and operational issues – must implement a seamless process to facilitate open banking, accommodate GDPR, and have their arms around every country’s data regime in order to provide skeptical customers with full confidence in their data governance strategy.
It won’t stop at the banks. We already know that energy and telecommunications are next, and the ‘open data’ trend is likely to continue until it covers every aspect of the public and private sectors in Australia.
Don’t underestimate the size and impact of what lies ahead. It’s against this convoluted background that I contend that the last-minute rush to send out privacy emails is just a box-ticking exercise. It certainly doesn’t address the root of the issue, which is the security and sovereignty of data.
Why’s this the case? It’s because complex systems (including manual, human and complex technological processes) that have developed over many decades weren’t designed with privacy at their core, except in very rare instances.
One privacy email I received last week came from Mozilla, the creator of the Firefox browser. This paragraph in particular caught my eye:
“…unlike other organisations, Mozilla has always stood for and practiced data privacy principles that are at the heart of privacy laws like the GDPR. It feels like the rest of the world is catching up to where we’ve been all along.”
Mozilla appears to be among the few companies that had the foresight to bake data security into their entire business and operational model from the start, instead of applying a band-aid overlay that requires vast and expensive monitoring and reporting systems.
Another company that took that approach is IXUP.
IXUP saw the new world data order coming several years ago, and came up with a simple, elegant solution that accommodates the rights of consumers and citizens regarding their personal information while also meeting the needs of organisations to monetise data.
Our patented software platform rests on the two pillars of the sovereignty and security of data. Consumers have confidence in the fact that organisations using IXUP don’t need to share their personal data in order to collaborate with other parties. Furthermore, they have the assurance that each element of that data is locked down with unique encryption, creating multiple layers of security.
With data secure from the outset and never, ever sharing it, the need for all the other belts and braces becomes redundant. Suddenly, complying with GDPR and other data security and privacy regimes becomes easy, simple and cost-effective. Organisations that tried to bring together disparate technology solutions to share their data just can’t provide enough band-aids to overcome the privacy exposures their systems create.
That’s why IXUP’s technology is different. Secure data. Trusted collaboration. By design and from Day One.
Contact us to take your first step towards unlocking the true value of your data with IXUP’s secure data collaboration platform.
By Tim Ebbeck, IXUP Executive Chairman