Updated: Dec 23, 2021
White Paper - GDPR and Data Privacy
Find the PDF version of this White Paper below.
Valerio Del Corno Luca Marengo Michelle Gutiérrez Ullmer
Table of Contents
An overview of GDPR and data security
Challenges for companies to adhere to GDPR today
Data ethical corporate strategy
Data ethical culture
Data ethical organization
The implementation of the EU General Data Protection Regulation on May 25th 2018 was the kickstarter to a whole new way of generating, storing and processing data around the world. Although mainly established for the European Union, the regulation extends way past its borders and is applied to any organization whose data use is remotely related to EU citizens.
Driven by digitalization, the increased volume of data created per second around the globe, and the ever-growing scandals around data breaches and misuse, GDPR could not have come at a better time. It provides individuals with the transparency and the companies with the accountability needed in order to ensure a sustainable way of handling information.
However, GDPR also implies great change for companies, not only when it comes to both their internal processes and external business, but also on a deeper organizational level. Data ethics has become much more than just a buzzword, but rather a value to live by to make both policy-makers and customers feel safe and satisfied.
1. An overview of GDPR and data security
The Cambridge English Dictionary defines data protection as the “laws and regulations that make it illegal to store or share some types of information about people without their knowledge or permission”. With data being the “fuel” of modern society, data protection will be the most important issue in the upcoming years. In 2020, 1.7MB of data was created every second by every person (Bulao, 2020). In the last two years alone, 90 per cent of the entire world’s data has been created (Marr, 2018), and this figure is projected to drastically increase in the future. Unfortunately, at the same time, the world has been experiencing an explosion in the number of. large-scale data breaches and hacks. One of the most resounding examples. happened in April 2019 when data of 540 million Facebook users were exposed (BBC, 2019). A second core problem of today’s data-driven society is data misuse. It occurs. when companies or other third parties collect or use customers' personal data for purposes that are outside the scope for the initial data gathering (ObserveIT, 2018).
To cope with these issues and the exponential evolution of technology, the EU created the toughest privacy and security law in the world: the General Data Protection. Regulation (GDPR). It entered into force on May 24, 2016, and from May 25, 2018 all organizations were required to comply with the new regulation (Proton Technologies AG, n.d.). The GDPR replaced the Data Protection Directive 95/46/ec, and harmonized national data protection laws across the European continent (Proton Technologies AG, n.d.). Any non-compliance with the regulation could have severe consequences for organizations. In the most serious cases, regulators could fine a company up to €17 million, or 4 percent of its annual turnover (Proton Technologies AG, n.d.). GDPR sets out important principles (Proton Technologies AG, n.d.): lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, security, accountability. Another important part of the GDPR is that it requires businesses to ensure that consumers can exercise their data privacy rights. The most important rights that this regulation provides to individuals are (Proton Technologies AG, n.d.) :
The right to be informed: consumers have to be always informed about what data is being collected, how it’s being used, how long it will be kept, and whether it will be shared with third parties (Art. 12,13 & 14);
The right of access: individuals can submit access requests asking organisations to provide within a month a copy of the personal data about the individual (Art. 12,15 & 46);
The right to rectification: if a data subject discovers that the information an organization holds on him/her is inaccurate or incomplete, he/she can request that it be updated (Art. 16);
Therighttoerasure(or“therighttobeforgotten”):Individualscanrequest organizations to have their data erased when the data is no longer necessary, the data was unlawfully processed or it no longer meets the lawful ground for which it was collected (Art. 17 & 19);
The right to restrict processing: individuals can request that organizations limit the way an organization uses personal data (Art. 18);
The right of data portability: Individuals are permitted to obtain and reuse their personal data for their own purposes across different services (Art. 20);
The right of object: Individuals can object to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the interest/exercise of official authority (Art. 21);
Rights related to automated decision making including profiling: Individuals are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed for specific cases of processing (Art. 22).
2. Challenges for companies to adhere to GDPR today
The implementation of the EU’s General Data Protection Regulation on May 25, 2018 put companies in Europe and abroad in a highly sensitive and unprecedented position. GDPR affects companies based in Europe, but also international companies with business activities in Europe and data processors for European companies (Mikkelsen et al., 2019). The introduction of GDPR goes far beyond its reinforcement in the European Union, since it is important for organizations to understand what compliance means and how to implement it (Sirur, Nurse and Webb, 2018, p. 1). Not only did companies have to quickly adapt their data gathering processes to the new regulations, but also rethink the broader perspectives when it comes to protecting data subjects’ rights and the compliance with assessments and auditing standards. Many companies took temporary measures such as manual processes and short-term controls to adhere with the new regulations. These however do not represent a viable option on a long run given the stipulated use of state-of-the-art technologies and the increasing volume of gathered data over time (Mikkelsen et al., 2019). According to an article from McKinsey (Mikkelsen et al., 2019), there are three main challenges awaiting. Security controls are crucial in order to prevent data security breaches within a company. IT controls such as encryption and anonymization can be put in place in order to hinder those, however, this area is expected to be one of the biggest expenses of GDPR implementation. The second key area is data management; companies must show full transparency when it comes to consent statements, fulfill data subjects’ requests to exercise their rights under GDPR, and report any known data breaches to the specific regulators within a limited period of time. Last but not least, the so far manual recording of data-gathering processes as per Article 30 of the GDPR can and should be substituted by at least partial automation to facilitate these tasks (Mikkelsen et al., 2019). While the “data gold rush” companies have been living in lately is supposed to help them gain valuable knowledge to open up new opportunities, it has rather taken a toll on customer relationships and loyalty. According to Bain & Company, there are three main areas organizations nowadays should focus on in order to get the most out of their data collection. First, they should invest in delighting their customers. This can be translated into refining the results gathered from data usage through proper analysis so as to get a long-term value out of it, rather than using data for short-term monetization. Second, companies should close the trust gap between them and their customers. While 81% of individuals say that they feel like having no power over their data, businesses must adhere and also prove to adhere to new regulations. Last but not least, they should take advantage of surrounding ecosystems. By partnering with other companies, data can be scaled up and scoped down to gain valuable and previously unknown insights (Brahm, Schwedel and Devlin, 2020). GDPR also tackles the issue of data ethics through the protection of people’s privacy, accountability and transparency (Risk & Compliance, n.d.). Data ethics refers to the value judgments businesses consider when generating and analysing data, as well as the impact and potential harm that the processes could cause to individuals. The adoption of data-driven innovations increase users’ perception of mistrust, and as such, companies must follow a holistic approach to incorporate good practice when it comes to data gathering techniques (Brennan and Cramme, 2018, p. 2-3). Given the growing use of machine learning algorithms, ethical concerns regarding data usage and processing, such as diversity or gender algorithmic bias, have been on the rise. In general, it is clear to state that companies heavily relying on the use and sale of data will be strongly impacted by the ethical questions surrounding data usage (Risk & Compliance, n.d.). Growing awareness and concerns from the consumer side regarding their privacy put a heavy weight on today’s companies. All in all, GDPR compliance is not only a plain legal requirement but rather the gateway to maintaining organizations’ reputation and responding to customer expectations (Mikkelsen et al., 2019).
3. Competitive advantage with GDPR compliance and data ethics
Modern economy is built on data. Enormous amounts of data are collected, processed, shared, and stored every single day. Traditional frameworks are insufficient to deal with data and new managerial tools are required to keep up with customers’ needs and legislation updates. With the advent of new regulations such as GDPR, data protection has now acquired new characteristics that go beyond simple cyber security measures. In this new scenario, digital trust plays a major role. Digital trust is hard to obtain and easy to lose, and therefore a valuable asset that companies can use as a competitive weapon (Tiell, O’Connor, 2016). Traditionally, companies were only focused on the CIA triad (confidentiality, integrity, availability) and this is still relevant. However, on top of that, companies need to develop a strategic framework that takes into account ethical aspects of data. “80% of executives report strong demand among knowledge workers for increased ethical controls for data” (Tiell, O’Connor, 2016). There are two main reasons why companies should closely follow ethical data concepts. On the one hand, GDPR requires companies to embed this new vision of data and it is an EU regulation. This means that it becomes immediately enforceable as law in all member states simultaneously (Steiner, Twigg-Flesner, Woods, 2006). On the other hand, data ethics represents a great business opportunity for companies. It can be used as a framework for gaining competitive advantage. This last concept suggests that companies should not shy away from compliance, but they should look for it, pursue it, and go beyond it. Consumers are increasingly concerned with data collection and have less trust in companies (Van Eecke, Mckean, Lebeau-Marianna, 2018). Recent research has shown that even though companies see the consent of final users as a competitive weapon, they are instead very conservative in the collection of data and in the communication of such action (Rose, Lawrence, Baltassis, Lang, 2016). The gap between individuals' expectations of being informed and companies' fear of asking and using such data is represented in the table below and could be leveraged as competitive advantage by companies (Van Eecke, Mckean, Lebeau-Marianna, 2018).
This communication gap should be closed by transparent communication and creation of trust with data ethics. The followings are 5 key data ethics principles (Tiell, O’Connor, 2016):
People are the highest priority: data protection is not conceived as a tool to protect the companies from legal issues. It is deployed to protect people and it is part of the overall culture.
Always comply: GDPR is a great starting point. Use it as a framework and comply with it in all aspects. After this, go beyond it and incorporate data protection in the overall organization of the company.
Collect, process and store only what is necessary: there is a tendency to overtreat data. This poses a tremendous risk on companies as they become more likely to be the target of a cyber-attack. It is necessary to deal just with the data that is needed in order to have a more agile organization and gain more digital trust.
Communication: this should not be only performed in order to comply with the law but also to build a good customer relationship. As shown before, customers are willing to share their data as long as they are properly informed. Informed consent should be clear and intuitive.
Ethical governance of data: data ethics requires an organizational shift towards a more sustainable data organization. This includes culture, organization, and long-term strategy. Data ethics is conceived as a crucial strategic asset that touches every aspect of the company.
There are already companies that value this vision and that use data ethics as a competitive tool. For example, Everledger uses blockchain technology to meet all data ethics requirements; this allowed them to gain an advantage and build digital trust with customers (Tiell, O’Connor, 2016). Data ethics, as a competitive asset, has to encompass three main areas of a company: strategy, culture, and organization. In order to do so, companies need to assess their current situation with data protection in each of these three areas with new frameworks. Particular attention should be put on communication. Communication is composed of many factors but one is particularly crucial under GDPR for companies: the informed consent. GDPR requires companies to ask for active action by customers in order to have their consent for data use. It is important to know that not all customers are fully aware of their data. An example of lack of communication and poor digital literacy is Google (Scott, Lynch, 2016); it was not clear for customers how Google used (or not used) the content of customer emails to provide targeted ads. Communication under data ethics is intended as a continuous process that goes beyond the initial informed consent. Thus, communication is not complete if customers do not understand what the informed consent states and if they are not aware of future updates. Companies can use tools such as the online platform developed by Carnegie Mellon’s Cylab Usable Privacy and Security Laboratory. Their websites allow people to “decode” the informed consent and translate it in common language terms (Scott, Lynch, 2016).
4. Strategic framework
Targeting primarily start-ups, small and medium sized enterprises with often little expertise in data protection, as well as limited resources for data strategy, we are providing a strategic framework that leverages GDPR compliance and builds competitive advantage through ethical data management (Hasselbalch, Tranberg, 2016). Since business organizations operating under GDPR are forced to allocate resources into regulatory compliance, our framework proposes to leverage the investment as a new source for long term value creation. We suggest a framework for ethical data management across three pillars, strategy, organization, and culture, for which individual scorecards are developed.
a) Data ethical corporate strategy
Since 2016 already, a trend of increasing investments in companies with data ethics can be observed (Kingsmill, Cavoukian). Ethical data management should be at the core of the corporate strategy, aligned with company vision and mission (Janiszewska-Kiewra, Podlesny, Soller, 2020) and enable better risk-management, decision making, and support the business model, while creating trust, loyalty and a positive effect on brand image through transparent communication of data usage (Kingsmill, Cavoukian). “83 percent of executives agree that trust is the cornerstone of the digital economy” (Tiell, O’Connor, 2016). Transparent communication around responsible data management and privacy protection increase customers’ acceptance of personal data usage (Kingsmill, Cavoukian).
b) Data ethical culture
To appear as a data ethical organisation to the outside, data responsibility and sustainability need to be embraced by every individual inside the organization. People are at the core of corporate culture and transformation. Employees in a data ethical organisation need a common understanding of data and data ethical management practices. A data ethical culture requires top management to embed data ethical values in order to roll out cultural change across the entire organization. A data ethical code of conduct elevates internal transparency and accountability for data. With adapted expectation management and communication, ethical data use will become part of a transparent, data ethical culture. To support the cultural change towards a data ethical culture, a cross-functional data ethics board could enable faster change. The data ethics board would set standards, discuss opportunities, risks, approve critical decisions from a data ethical perspective (Janiszewska-Kiewra, Podlesny, Soller, 2020).
c) Data ethical organization
A data ethical organization enables effective data management. Every stakeholder within an organization is aware of their data responsibilities, ownership, data related hierarchies and data related decision making processes. A common data value chain, starting with informed consent to removal of data, needs to be set up and followed throughout all business operations (Tiell, O’Connor, 2016).
To conclude, data ethics plays a major role in nowadays digital society. It goes beyond simple compliance and allows companies to close the gap between customers' demand for information and supply of information. This is possible only if data ethics is used as a concept in all major areas of companies: strategy, organization, and culture. If companies are able to implement data ethics concepts and proactively meet data privacy regulations, they will not only avoid tremendous costs in class-action lawsuits, damages on brand value, loss of consumer trust and loyalty (Scott, Lynch, 2016), but additionally have a long term strategic advantage in their industry of reference. Customers need and want clear communication over how their data is used. Companies can exploit this demand by embedding the very nature of this demand in their strategic vision and by supplying it. In order to create value through data ethics, companies must adopt new frameworks in order to assess their aforementioned areas and provide crystal clear communication to both their employees and customers.
BBC. (2019). Data on 540 million Facebook users exposed. [online]. BBC. Available at: https://www.bbc.com/news/technology-47812470 Brahm, C., Schwedel, A. and Devlin, T., 2020. Are You Ready For The New Era Of Consumer Data?. [online] Bain & Company. Available at: https://www.bain.com/insights/are-you-ready-for-the-new-era-of-consumer-data/ [Accessed 1 November 2020]. Brennan, C. and Cramme, O. (2018). Beyond Data Protection: Shaping the Ethical Use of Data in the UK. [online] INLINE. Available at: https://www.inlinepolicy.com/hubfs/eBooks/Beyond%20Data%20Protection,%20October%202018.pdf?ut m_campaign=Beyond%20data%20protection&utm_source=Data%20Protection%20link&utm_medium =Link. Bulao, J. (2020). How much data is created every day in 2020?. Available at: https://techjury.net/blog/how-much-data-is-created-every-day/#gref Hasselbalch, G., Tranberg, P. (2016). Data Ethics - The New Competitive Advantage. [online] Available at: https://techcrunch.com/2016/11/12/data-ethics-the-new-competitive-advantage/ [Accessed 28 Oct. 2020]. Janiszewska-Kiewra, E., Podlesny, J., Soller, H. (2020) Ethical data usage in an era of digital technology and regulation | McKinsey. [online] Available at: https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/ethical-d ata-usage-in-an-era-of-digital-technology-and-regulation [Accessed 31 Oct. 2020]. Kingsmill, S., Cavoukian, A. Privacy by Design, Setting a new standard for privacy certification | Deloitte. [online] Available at: https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-b rochure.PDF [Accessed 28 Oct. 2020]. Marr, B. (2018). How much data do we create every day? The mind-blowing stats everyone should read. [online]. Forbes. Available at: https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-th e-mind-blowing-stats-everyone-should-read/?sh=5704421e60ba Mikkelsen, D., Soller, H., Strandell-Jansson, M. and Wahlers, M. (2019). GDPR compliance challenges since May 2018 | McKinsey. [online] www.mckinsey.com. Available at: https://www.mckinsey.com/business-functions/risk/our-insights/gdpr-compliance-after-may-2018-a- continuing-challenge. Proton Technologies AG. (n.d.). Complete guide to GDPR compliance. [online]. Available at: https://gdpr.eu Risk & Compliance. (n.d.). DATA, ETHICS AND THE GDPR. [online] Available at: https://riskandcompliancemagazine.com/data-ethics-and-the-gdpr [Accessed 29 Oct. 2020]. 11
Rose, J., Lawrence, A., Baltassis, E. and Lang, F., (2016). Bridging The Trust Gap: Why Companies Are Poised To Fail With Big Data. | BCG (The Boston Consulting Group) [online]. Available at: https://www.bcg.com/en-es/publications/2016/big-data-technology-digital-bridging-trust-gap-com panies-poised-fail [Accessed 31 October 2020]. Scott, D. and Lynch, H., (2016) Informed Consent And Data In Motion | Accenture. [online] Available at: https://www.accenture.com/_acnmedia/PDF-30/Accenture-Informed-Consent-Data-Motion.pdf [Accessed 31 October 2020]. Sirur, S., Nurse, J. and Webb, H. (2018). Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR). [online] pp.1–8. Available at: https://arxiv.org/pdf/1808.07338.pdf [Accessed 26 Oct. 2020]. Steiner, J., Twigg-Flesner, C. and Woods, L., (2006) EU Law. 9th ed. Oxford: Oxford University Press, pp.56-60. Team ObserveIT. (2018). 5 examples of data & information misuses. [online]. OberseIT. Available at: https://www.observeit.com/blog/importance-data-misuse-prevention-and-detection/ Tiell, S., O’Connor, L. (2016). Building Digital Trust: The Role of Data Ethics in the Digital Age | Accenture. [online] Available at: https://www.accenture.com/_acnmedia/PDF-22/Accenture-Data-Ethics-POV-WEB.pdf#zoom=50 [Accessed 31 Oct. 2020]. Van Eecke, P., Mckean, R., Lebeau-Marianna, D. and Dauzier, J., (2018) Leveraging GDPR To Become A Trusted Data Steward | BCG (The Boston Consulting Group). [online] Available at: https://image-src.bcg.com/Images/BCG-Leveraging-GDPR-Become-Trusted-Data-Steward-Mar-2018 -r_tcm9-186754.pdf [Accessed 31 October 2020].