Data Rights and Data Privacy: Is the US Next to Get GDPR-type Regulations? (Part 1)
With the expanded use and high-profile abuses of personal data, the calls for stronger enforcement of data privacy rights get louder every day. In EMEA, these concerns resulted in the implementation of the European General Data Protection Regulation (GDPR) across the European Union (EU) on May 25, 2018. GDPR is a legal framework meant to protect the data rights of individuals within the EU by setting guidelines for the collection and processing of citizens’ personal information by any company, anywhere. The implications are huge, given the many uses of personal data for marketing, customer relationship management, business analytics, and many other purposes in the normal course of business. More importantly, with the new regulation in place, and fines starting to be assessed against companies doing business in Europe, is the writing on the wall for regulating the personal data of US citizens? To answer that question, we need to take a closer look at data rights, why we need them, and how GDPR addresses them.
What are Data Rights?
The European General Data Protection Regulation (GDPR) defines at some length (most specifically in Chapter 3) what it means by data rights, and discusses the operational ramifications for companies that come under its reach. In practical terms these come down to four main concepts that, as individuals, we would probably all assent to:
- The right to know what data is being collected about you, by whom and for what purpose
- The right to have the personal data kept about you minimized to what is essential
- The right to access that data and help correct errors in whatever is being collected
- The right for that data to be kept securely and to be informed of any data theft
There is also discussion of a “right to be forgotten”, extrapolated by some as a right to be anonymous, which, to me, feels both impractical and somewhat antithetical to the idea of the very social system that would afford you any protections at all. If you are a participating member of a society, contributing and receiving benefits, it has always been true that you are not anonymous, and you are accountable for your actions. In today’s connected, data-driven world, I think it is just totally unrealistic to imagine that you can force someone to remove all trace of you. You certainly have the right to attempt to do something anonymously, like writing a book under a pseudonym, and of course you can still attempt to do that in a digital world.
Why do we need these rights?
Ever since writing was invented, organizations must have collected data about their customers, their members, etc. Computer systems with extensive electronic records of data about people have been around for more than 60 years, so what has changed that we suddenly need data rights?
What has changed are the powerful ways that collected data can be used to affect our lives, and the volume of data that is being collected. In our online, connected world, data is generated by us all the time in every digital interaction, and a lot of the time we may have no awareness of it. In most cases this is a good thing that we need to keep us safe. Transactions can be verified, fraud can be detected, and criminal activity can be surveilled and prevented. But the very logs and traceability that can keep us safe can also be a source of personal exposure.
Even with regulations that limit scope by restricting personally identifiable information (PII) in any system or database, it is relatively easy for companies to gather data from many sources, including social media, and then correlate and associate information to build complete profiles of buying habits, movements, lifestyle, friendships, affiliations, etc. You should have the right to know how people are trying to influence you, and to decide when these attempts are helpful to you and when you would rather they stopped.
As companies start implementing hyper-personalization techniques to target their products and services ever more specifically to the people they think will buy them, the risks of identity exposure become even greater. It is not news that identity theft is a growing problem, and it will grow in proportion to the value of the data that companies hold that is worth stealing. You should have the right to protect your identity and ensure that you are not losing control of your data to people who abuse it and, in the worst cases, steal from you.
Lastly, along with all the techniques of collecting and blending sources of data comes inaccuracy. You should have the right to be sure that what people are recording about you is the truth. Most inaccuracies are mistakes of data processing, but increasingly we are experiencing the phenomenon of deliberate falsification or “fake news”. You should have the right to contest and correct any errors, especially if there is a deliberate attempt to change the truth.
Be sure to check back for part 2, where we cover how Europe is handling the regulations and what the outlook is for the future.