calendar tag arrow download print
Skip to content

Privacy company: EU advances data dialogue

article
18 January 2018
Decent Digitisation Blog Europe Big data
Image

The EU’s General Data Protection Regulation will become effective on 25 May 2018. It offers companies a significant opportunity to make privacy central to their organisation.

By Iris Huis in ‘t Veld and Arnold Roosendaal of Privacy Company, a team of consultants who help businesses and governments comply with privacy rules.

Reading time: 3 minutes | Be sure to read the other articles in the Decent Digitisation series

The European Union has given us an important tool for creating the digital society that we desire: the General Data Protection Regulation (GDPR). Prior EU privacy legislation dates from 1995. In a society in which more data is available now than ever before, that legislation no longer adequately protects our right to privacy. The GDPR will go into effect on 25 May.

What will the GDPR do?

The GDPR will bring about three major changes:

  1. privacy supervisory authorities will be authorised to impose stiff fines;
  2. there will be more rules for organisations that process personal data, and
  3. citizens and consumers will have more and stronger rights.

What are the objections to the GDPR?

Legislation is only one of many ways to influence the shape of society. Bottom-up initiatives can also make a difference. Privacy legislation is also often perceived as time-consuming and intimidating. That is in fact true: companies will have to set aside time to amend their practices to comply with the GDPR, which is more than 200 pages long. And a fine of up to 20 million euros is not to be sneezed at.

Illustrations Max Kisman
Illustrations Max Kisman

The GDPR is a stepping stone for ethical discussions

Even so, this new EU law deserves more praise. The GDPR has already raised the bar for ethical discussions about privacy. We notice that organisations are using the GDPR as a stepping stone for a serious dialogue about data. They are more likely now to ask themselves who their clients are, what they expect, and how their products and services can meet those expectations.

No more ‘Computer says no’

The GDPR will extend the rights of citizens and consumers. For example, someone who is significantly disadvantaged by automated decision-making can now question and fight that decision. ‘Computer says no’ is no longer an acceptable outcome, in other words.

This means that organisations must be more transparent in their use of artificial intelligence; they must be able to explain in clear and comprehensible terms how their algorithm works and how they reach their decisions. They must also introduce procedures that allow the decision-making process to be repeated without using the algorithm and with human intervention. So if a government agency refuses to pay out a benefit based on an algorithm, the relevant citizen can now force the agency to repeat the review processes without resorting to the algorithm.

A mouthful: data protection impact assessments

When an organisation begins processing a new set of personal data, it will be obliged in some cases to conduct a – wait for it – ‘data protection impact assessment’. That will be the case if crime data are being processed, for example, or if public spaces are being monitored. The procedure consists of a risk assessment and a list of risk mitigation measures.

The risk assessment itself is extremely valuable. In our practice, we also often see organisations assessing ethical factors and societal risks along with the necessary legal risks.

‘Privacy by design’ will become standard

The GDPR will not only change procedures, then, but also, and most importantly, the mindset of organisations. They are already taking on board the principle of ‘privacy by design’: designing products and services in a way that anticipates privacy-related problems. For example, they can minimise data collection from the very start, choose to anonymise or ‘pseudononymise’ personal data, and invest in encryption and other data security measures.

Privacy by design could become an all-encompassing design philosophy, with programmers learning to consider ethical frameworks and with public values underpinning design choices.

The commercial market will help

All this will lead not only to corporate social responsibility; products and services that reflect public values will also cause the market to pick up. People are increasingly insisting on privacy-friendly products and services. For example, chat apps that use end-to-end encryption, such as Signal, are growing in popularity and more and more people are turning their backs on Google and using alternative search engines. A concern for public values also gives companies a competitive advantage, in other words.

The arrival of the GDPR gives us every reason to grasp these opportunities. The successful 21st-century organisation is an organisation that prioritises the interests of society and public values.

By Iris Huis in ‘t Veld and Arnold Roosendaal of Privacy Company, a team of consultants who help businesses and governments comply with privacy rules.

Read more

Be sure to read the other articles in the Decent Digitisation series, and the related reports: