If LastPass is correct, I have accounts with over 470 different organizations. Each one of these organizations has some amount of personal data on me such as name, address, phone number and perhaps other information depending upon the site.
What expectations are there around the privacy of that data? More importantly, who owns that data? Who controls the data?
The answer should be simple – you own/control the data – but reality is sometimes a very different beast.
When you sign up for a web site you agree to a lot of terms and conditions. Sometimes these terms and conditions are short and simple to understand and sometimes they extend for pages and pages. A “Terms and Conditions” Template Generator ended up being 4 pages long. I’ve seen them as short as a single page and as long as 20 pages.
One of the fundamental pieces of the Terms and Conditions should be what the site can do with your data and what your rights are with regard to the data. Not the company’s rights, but yours. All too frequently, however, it is about what the site can do with your data: what they can do with it internally and who they can sell it to.
A few years back, when my youngest was born, we entered for a chance to win a $1000 scholarship for her. We were told that the information was confidential, that it wouldn’t be used for anything outside of the draw. Apparently we filled out the form incorrectly, because a few months later my six month old data was “pre-approved” for a $3000 Visa card. You see, we put my daughter’s name where mine should have been and vice versa. We realized this after the fact, but didn’t do anything about it. Needless to say, the headquarters of Scholastic Books received a very strongly worded email minutes after we opened up the “pre-approval”.
Sixteen years ago we weren’t online as much. Our life wasn’t comprised of digital 1’s and 0’s. We didn’t “like” the status changes of our friends. (Do you “like” when they get separated?)
All of this revolves around control. Control of the data and how it is used. GDPR is all about giving the person control over their own data. People need to explicitly grant authorization to use their data. Explicit access.
And one of the key points of GDPR is “Privacy by Design”.
Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
Minimizing access to the data. There’s no talk about how a Non-Disclosure Agreement needs to be in place, only talk about limiting access. An NDA is punishment for doing something, while the GDPR is trying to prevent that something from even happening. Prevention as opposed to retaliation.
I, personally, like the idea that an organization needs my approval to do something with my data. The Globe and Mail had an editorial by Huda Idrees, founder and CEO of Dot Health. They summed it up quite well.
Data privacy is about control. Not control by the government or private industry giants – but by the owners of the data. The key to data privacy is control by the people.
Is data, and control over data, the defining aspect of the current period of digital transformation? Are we at the cusp of an era that will embody personal ownership or will we fall prey to the teeth of finance?