What is this European Union law?
It sounds so innocent – the General Data Protection Regulation, or GDPR. It goes into effect on May 25, 2018.
The basic intent of this law is to put control of the use of personal data into the hands of the person. In the words of the EU:
“Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens”.
The law is the EU response to privacy and personal data misuse concerns that have become more prevalent in recent years.
What’s the guts of it?
The main features of the new law are:
The GDPR requires businesses and organisations to get specific consent for the use of someone’s personal data, and to provide simple methods for someone to revoke their consent. Consent agreements need to be in simple-to-understand language.
Right to Access
People have the right to request access to the personal information someone else holds on them. The holder must supply this information without charge.
Organisations that fail to comply with GDPR can face fines of up to 4% of their annual turnover.
Here’s a really nice short summary of what GDPR is about and what it means.
What is happening?
As the day of reckoning nears, predictable things are happening. Lawyers and IT consultants are scaremongering and cashing in. Some are calling this the biggest consultancy racket since Y2K.
But something else very interesting and perhaps a little less predictable is happening. Some companies are taking the decision to completely delete all personal information that they hold – on purpose. They are sizing up the risks that they face in holding and managing that data, and are deciding that it is better for their business not to hold that data at all.
It is starting with the predictable areas like newsletter mailing lists, but I believe that this trend will quickly spread to all personal information that an organisation holds – including information about its own employees.
What are the implications of this?
The implications of this trend are massive and will quickly ripple beyond the EU. Businesses may no longer be able to rely on having a full database of information on their own people under their full and unfettered control. It may not happen in weeks or months, but you can say with some certainty that this day is coming.
Those who think that this is a ‘European thing’ that won’t affect them will quickly find that it does. Data management practices in software that they use every day will almost certainly change to accommodate the needs of customers in the EU – so they will wind up using those practices as well. Businesses that have worldwide operations will not want to have an ‘EU way’ of managing data and a ‘rest of the world’ way – they will gravitate to a practice they can use everywhere.
HR and line managers may not be happy about this, but their corporate risk managers and Boards will increasingly not want to expose their companies to the business risks of holding any personal information. They will be desperate to outsource that risk to someone else. So we are all going to need to learn new ways of managing people. We may not be able to rely on sending surveys and performance reviews to ‘everyone in our database’ for too much longer.
How can you outsource this risk?
How do you outsource the risk of holding personal information about people, when you need that information to do business? Who can you outsource that risk to?
I believe that the only way to outsource that risk is to put control of personal information completely in the hands of the person themselves. But is that feasible?
It is ironic that a problem that was largely created by misuse of technology may have the potential to be solved by – newer technology.
Personal control of personal information may be the ‘killer application’ for blockchain technology.
A blockchain is basically a distributed secure database. Because there is no central pool of data, it offers the best potential to ‘outsource risk’ of holding a pool of personal data. The personal data could be held by each person, and the person gives permission for others to access it. There is no central database to ‘hack’ – so there would be less data management risk for a business that needs to use that data.
This technology could elegantly solve the problem of managing access to personal information, by putting the individual fully in charge of access to their information. Once access is granted, the company (or other authorised user of the person’s data) could then use the blockchain database much more like a traditional centralised database.
What does it all mean?
It means that the power in the personal data relationship will swing more and more towards the individual, and further away from their employers or other businesses they deal with.
Businesses may find that they have to pay their employees more in order to access their personal information. At a minimum the days of ‘implied permission’ are going away fast, so businesses will need to build access to personal information more explicitly into their hiring and on-boarding practices. They will also need to build practices for situations when employees want to revoke their permission for their employers to access their personal information.
It will be chaotic and inconsistent for a while – these changes will not happen overnight, and technology alone will not solve everything. But what good technology can support is making the cost of establishing trust between parties as low as possible. Of all technologies out there right now, blockchain appears to be the strongest for that purpose.
At Belong our goal is to make people’s lives better through unlocking the potential and value of their passions.
We also believe in the potential of blockchain. We are building it into our products, and we want to help businesses and individuals solve these looming trust problems.
We believe that everyone has a range of skills that can be grown. We also believe everyone has the ability to create value for others. We believe that people should be fairly compensated for creating value for others.
Our products and protocols let individuals, organisations and businesses measure and reward people’s ability to create value for others.