The General Data Protection Regulation (GDPR) is a new EU regulation, applying from 25 May 2018, that will affect any organisation, regardless of where it is based, that processes the personal data of people in the EU. It calls for greater transparency and increased accountability from these organisations, and it is grabbing the headlines because of the sanctions it imposes on those found to be in violation: maximum fines of 4% of global annual turnover or 20 million euros (whichever is greater), and the power to stop an organisation from processing personal data altogether, which could be far more damaging for some.
The regulation also gives individuals in the EU enhanced rights to make requests: to find out what personal data is being used and why, to stop the processing of their data, to move it to another company and even to have it deleted for good.
If you haven't heard of GDPR yet, just google it and you will see a ton of information; I've included some links at the end of this blog that I've found useful in my research. You will certainly be hearing more about GDPR as 25th May approaches, which is merely the starting line rather than the finish line.
It will certainly be an interesting time for many companies, including those building IoT products. Although many may assume that their connected devices are not collecting personal information, under the GDPR online identifiers such as Internet Protocol (IP) and Media Access Control (MAC) addresses are classed as personal data if they can be used to identify an individual person. [Hint: your smartphone has both.]
And that is what the GDPR is all about: getting companies to really think about what personal data they hold, what they really need to process, and how long they need to keep it. Think about the data relationships you have today with all the organisations you have shared your personal information with; they span multiple areas, from your personal life to your workplace. This is not just your name, email address and date of birth; it is your banking and credit card details and your medical records, right down to your religious beliefs, political opinions and even your sexual orientation: anything that can be used to identify you as a person.
The challenge for most companies now is understanding what personal data they hold across the many disparate data sources inside and outside their organisation, and ensuring that the correct policies and procedures, training and technology are all in place to protect, manage and monitor that data in accordance with the GDPR in the run-up to 25th May and beyond, as it becomes the new normal.
The reputable and forward-thinking organisations will take an open and transparent approach. In the analytics economy, leaders will be better data custodians, building the next level of trust and gaining proper consent so that they can use the personal data they need to provide their product or service. And individuals will be open to sharing if they see value. For example, I am OK sharing my location with Google: I trust their security measures, and they show me where the nearest shot of coffee is on the way while guiding me to the cinema where the new Han Solo movie is showing.
In 1984 Rockwell released "Somebody's Watching Me" and sang "I have no privacy". Now, when it comes to our personal data at least, things are changing, and they are changing for the better.
The European Commission's official page on Data Protection:
Find your local Data Protection Authority (DPA):
A nice, easy way to read and navigate the complete GDPR:
A well-written guide in plain English explaining the GDPR, from the ICO (the UK's DPA):