GDPR Countdown – Six Weeks to Go

By this point, you’ve probably figured out that we’re nerds. It was inevitable, really. For us, that’s a good thing, because it means that our obsession with data, information, strategy, and law comes together in a coherent bundle of geeky energy that we can put to use for our clients. It also means that we can, occasionally, take a step back to think about the broader implications of what we do, and that’s often prompted by an “oh that’s interesting” moment.

My most recent “oh that’s interesting” moment was reading a document from CNIL, the French Data Protection Authority. In French, the word “data” is données, which, it occurred to me, was almost exactly like the word donné, which means “given” or “granted to.” So, like any normal person, I started thinking about etymology and Latin and how words form. Virtually every version of the word in European-based languages revolves around that same concept: “this piece of information is what was given.” It comes from Latin, where datum means “having been given.” Then I fell into a Wikipedia rabbit hole about the dative case and PIE roots and ended up going to the fridge for (just one) slice of pie. As I did, it occurred to me that there were two good lessons here.

Don’t Miss the Obvious

The first lesson is that, for a guy who looks at, writes, and says the word “data” dozens of times a day, I never considered what the word really meant, and had simply taken it as a given. (Get it?) Data just meant information, and more specifically, electronically stored information. And indeed, that is one important form of what data is, an especially relevant form as we prepare for the GDPR. But by never really considering what “data” meant, I was committing the classic mistake of missing what was right in front of me.

That small point has a big impact, especially when it comes to thinking about data security and compliance. If you aren’t taking a step back to think about the fundamentals of what the data you have means, you’re missing a great opportunity to get a different perspective. A new, thoughtful perspective is one of the most valuable assets you can find, and it’s worth much more when it comes without the cost of an “oops” moment. A unique or revised point of view is a tool for business success, and science demonstrates that diversity, in all its forms, is good for us.

Don’t miss the obvious.

Sometimes it’s that change in how you look at an issue that allows you to recognize what should have been apparent all along. For me, it was a reminder that there is always another layer to consider, and another aspect that’s worth incorporating into how I think. But a particular change in thinking about data is also important, especially for American companies, because our views on data and compliance are vastly different from those in Europe. That brought me to a second slice of pie and a second lesson:

Remember that the Data is About Someone

Once you understand that all data is “given,” it begs the question “who gave it?” It is very easy, in the midst of a data inventory or audit, to think of the data as almost having created itself, or that it is a depersonalized piece of information that comes “from the internet.” But that’s not correct, of course – an individual person is the ultimate source of all of the information. Data itself, as mere information, has no rights, and our approach to the ethics of its use is going to depend substantially on choice. But there are risks and benefits to depersonalizing, as opposed to humanizing, data.

The depersonalized approach is something like the standard view in the United States. Data, unless otherwise required by law, is basically useable for any lawful purpose. You can’t fabricate it and you can’t lie about what you do with it, but as long as you got the data through legal means, it’s yours to make use of. This structure has more or less facilitated the growth of Big Data, mass analytics, and algorithms so sophisticated they somehow know that I prefer Jimmy Cliff’s version of “I Can See Clearly Now” to the more popular Johnny Nash one. The data in the depersonalized approach can be dissected in all its forms and endlessly repurposed, creating new forms of value and new methods for reaching customers and growing business. The depersonalized approach is also a source of great stress for those same customers, and has caught the attention of government.

The humanized approach, by contrast, forces companies to recognize that a data subject is a person with autonomy and rights. In Europe, data subjects have a fundamental right to their privacy, and that is why understanding the humanized approach to data is so essential. If you don’t understand that the GDPR is really about a different perspective on data, you’re going to have a vastly more difficult time complying. For the EU and for Data Protection Authorities, data is an extension of an individual, another aspect to their personhood. Yes, you may have voluntarily given your data to a company to use, but that data will always belong to you because it is part of who you are.

This is the approach regulators take, and so it’s essential to understand it, because taking a “check the box” approach to GDPR isn’t necessarily going to be enough. Think about what Vera Jourova said about Facebook on Twitter earlier this week: “We will observe with great interest how the letter – and the spirit – of the law are applied.” An American observer could be forgiven for saying “Wait, what?” Complying with the letter of the law is one thing, but what’s the spirit of the GDPR? Well, now you have your answer: the humanized approach.

With that in mind, and by the time I finished my fourth slice of pie, I began to see opportunities for US companies, and not just risk. It’s clear that simply following pre-GDPR methods and practices won’t suffice any longer, and that we need to change our minds and change our approach to how we handle data. If nothing else, the torrent of data breach announcements each week should prove that. But you also can’t try to run a business as if you were a regulator, because regulators aren’t in business. Each company needs to find, to paraphrase Viviane Reding, a third way.

That third way, between the value of data and the rights of the data subject, is a delicate balancing act. It requires an ongoing focus on how your business gathers and uses data, and how it interacts with the people who provide it. Your company’s third way will never match anyone else’s, because just as each datum is totally unique and data is universal, each business is trying to achieve success in its own way.

In the six weeks remaining until May 25th, take the time to begin charting your own third way.
