Vast amounts of ink (more realistically, Internet blog spaces) have been spilled on the subject of the brave new world of GDPR. If it all sounds to you like a burgeoning recipe for bureaucracy and “red tape,” you’re probably right.
But concurrently, the raging debate over privacy is bigger than GDPR and codifying rules. And at its core, much of the debate is fundamentally about pressure-testing ethics in the digital age, as our new whitepaper makes clear.
(One thing is for sure: There’s a future of work for lawyers in interpreting the ramifications of privacy legislation. You'll find few finer minds on this subject than Harvard Law professor Jonathan Zittrain, a longtime friend of the Center for the Future of Work.)
But when you get right down to it, and as companies go forward, what do you REALLY need to know about GDPR, and how do you swallow the PII "pill" of Personally Identifiable Information? Count the following as the critical components of GDPR that companies will need to focus on today, tomorrow and in the future:
- The algebra of personal data counts. PII is central to GDPR, including name, e-mail address, physical address, etc. Companies must provide a rationale for their use of PII data. It’ll be a no-no to cover one use of PII with that of another. (Using logic like “Professor Kogan seemed nice, and we want to help colleges know stuff about psychology, right?” in service of political psychographics simply will not fly in the age of GDPR.)
- Context counts. This includes device IDs, browser cookies, location data and movements through time and space (like step counts). Like an algebraic equation, some of these data fragments, put back together, can re-establish PII and link it with sensitive information. This is where lawyers and privacy officers will need to wield the power of process review, advice, counsel and action.
- Access counts. Who gets the data? Who manages it? How close are they to the CEO? Like a lean startup, what’s the “minimum viable dataset” needed to accomplish a given process? Are the people using customers’ data vacuuming up every last data point they can, even if they’re not using it? All that seemingly superfluous data could be simply sitting around, and worse, not being paid attention to. That can be a huge risk. (And get ready for more questions about metadata ...)
- Forgetting counts. A central tenet of GDPR is “the right to be forgotten” – this is essentially the mechanism to give your Code Halo a delete button. Customers should have a complete 360-degree view of their information and full control of it.
- Regulators count. Statutorily, some data is more equal than others. Institutions (e.g., bank regulators issuing sanctions) can mandate information disclosure. Doing so may butt heads with new digital innovations, like blockchain. For audits, the past can’t be forgotten (with or without blockchain, and certainly with GDPR).
- Portability counts. This is about letting a customer download and take their data with them. If your organization has a solid business analytics engine storing customer data (e.g., messages, questions, answers, trades, likes, personal history, etc.), it should be able to copy the files and send them back, completely and transparently.
GDPR may represent the stuff of your red-tape nightmares. But the fact is, all companies will need to master the new algebra of personally identifiable information mandated by GDPR to win in the future of work.
So stop thinking of GDPR as your enemy. An absence of trust will lead to anti-trust, so love it or hate it, GDPR is your new best friend. Your customers, your stakeholders, your shareholders, your stock price and your retirement account – to say nothing of the digital economy – are counting on it.
The new whitepaper from the Center for the Future of Work is entitled: “Every Move You Make: Privacy in the Age of the Algorithm”. It can be downloaded at: www.cognizant.com/futureofwork.