Get All Access for $5/mo

The New EU General Data Protection Regulation: Big Data Protection Gets Personal The stage for profound repercussions to digital privacy is set. Here's how it affects you:

By Dimitri Sirota

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

The adoption by the European Parliament of the General Data Protection Regulation (GDPR) sets the stage for profound repercussions to digital privacy on both sides of the Atlantic. The GDPR is a prominent example of new wave of global privacy regulations that is forcing business to rethink how they collect, manage and govern access to personal data. And unlike past generations of legislation, GDPR provides organizations ample motivation to perform; failure to comply could result in penalties as high as 4% of global revenue.

The regulation's broader intention is to galvanize a new, integrated approach to data protection that drives transparency and puts privacy on an equal footing with information security. Transparency is not just an operational requirement — it also means that organizations will have to maintain intelligence into their use of private data, ensure usage compliance as well as regularly verify their data protection and privacy policies.

Getting Past Good Intentions

Many organizations have already initiated governance programs to manage how data about their customers and consumers is processed and accessed in anticipation of more stringent data privacy and data residency requirements (especially with advent of Privacy Shield and the demise of Safe Harbor). The implicit assumption in the GDPR provisions is that these incremental efforts won't be sufficient. Doing your best with the current approach will not be enough.
Instead, GDPR exacts very specific requirements around how personal data is collected and processed. Rather than accumulate data with the expectation that at some point in the future it will help to drive insights into revenue generation opportunities or uncover potential operational efficiencies, the GDPR is structured on the assumption that organizations will know beforehand why they are collecting customer and consumer data.

At a point when many organizations have taken advantage of new technologies to amass literally petabytes of data about customer and consumer behavior, the GDPR mandates that organizations only process and collect the data needed to support a service. This requires new levels of understanding for what data is collected, where it resides and how it is consumed by applications and data scientists.

It also places greater focus on consent. The Regulation described a "purpose limitation', which stipulates that "Only personal data necessary for each specific purpose of processing are processed". In the language of the Regulation, any other operations on the data that are not consistent with the initial justification for collecting the data is referred to as an "incompatible purpose', unless the data controller can show there is a legitimate interest. The GDPR stipulates
informed consent to collection of personal data, with the requirement for either "a statement or a clear affirmative action" — an emphatic shift away from the implied consent model.

Further complicating matters for privacy, compliance and risk officers is that all the new rules and requirements apply to a more rigorous definition of what is personal data. It has long been common practice for organizations to "de-identify" data before it is analyzed. However the threshold for successfully removing direct or indirect identifiers in data has in recent years proven to more challenging as researchers have shown an ability to re-identify previously assumed anonymous data. For this reason, under the new GDPR regime it will be critical for organizations to not only classify what is personal data accurately but also score the degree of identifiability to control how different data is shared and analyzed.

Operationalizing Privacy

It's not entirely alarmist to speculate that the GDPR will force organizations to re-engineer their privacy practices for Big Data. Certainly, new technology and processes will be necessary to manage privacy and monitor compliance for GDPR before it becomes binding in two years' time. Given the significant penalties for failing to do so however, the EU likely has the necessary stick to change corporate practices around privacy.

What is clear with the passage of GDPR is that organizations will now need to prioritize privacy like they previously did security. Modern business is built on personalized service. But with personalization comes an equal responsibility to ensure and document privacy protection. GDPR is a clarion call to business that personalization without privacy is not just bad, it's illegal. Operationalizing privacy from data discovery through data governance will require new thinking around Big (personal) Data.

Dimitri Sirota

CEO & Co-founder BigID

Dimitri Sirota is a 10+ year privacy expert and identity veteran. He is currently the CEO & Co-founder of the first enterprise privacy management platform, BigID –and wears many hats as an established serial entrepreneur, investor, mentor and strategist. He previously founded two enterprises software companies focused on security (eTunnels) and API management (Layer 7 Technologies), which was sold to CA Technologies in 2013.
News and Trends

Building the Future: How AI and Real Estate are Joining Forces for Smarter Investments

In 2024, the Indian real estate market size is estimated to be USD 518.5 billion and is expected to reach USD 856 billion by 2029, at a CAGR of 8.71 per cent. Real estate is the most preferred asset class for investment for over 59 per cent of Indians

Business News

If Your Bank Is Calling, Don't Answer. It's Probably a Scam.

Scammers are getting sophisticated, from AI voices and videos to spoofing caller IDs. Here's how to spot them.

Starting a Business

From Side Gig to 6-Figure Success — How I Built a Thriving Home-Based Business as a Busy Family Man

I've made over $17,000,000 for clients worldwide and brought in multiple six figures for myself, all while barely leaving my kitchen.

Leadership

She Saw the AI Revolution Coming — and Created a Company to Help People Use It Easily. Now It's Worth Half a Billion Dollars.

Lin Qiao's company Fireworks AI lets customers build generative AI products with simple prompts.

Franchise

Expanding Your Franchise Overseas Can Make You Millions — Or Tank Your Profits If You Don't Consider These Risks.

Deciding to expand your franchise concept internationally is a challenging one. Doing so can provide growth opportunities far beyond those in your current home market. But doing so before you're ready can create undue stress on your system. International expansion requires a full investment of time and resources to do it right; it is a serious commitment that reburies hard work, supported by a well-thought-out and well-executed game plan.