The debate on data protection and the new European General Data Protection Regulation (GDPR) is currently heated. Every week a new data leak is detected, and let's be honest: this is only the tip of the iceberg. Such cases lead the legislator to overreact and set very strict rules.
From a business point of view, it is particularly painful that the GDPR prescribes the deletion of data. Today, when data is seen as the new gold, this core element of the new legislation is completely at odds with technical and economic developments. However, it cannot be stopped.
We at andrion ag therefore rely on a simple, target-oriented and pragmatic approach in order to comply with the law with few resources. Common sense and specific knowledge allow us to quickly develop suitable concepts that can be implemented promptly. In addition, we have developed a compliance strategy with which GDPR conformity can be achieved in stages.
Data is not an end in itself
Improved data protection is important and urgently needed. From a business perspective, it is essential to understand which personal data and which other business information is necessary to achieve the company's goals. One must also consider which personal data is still required after a business transaction has been concluded. After all, most processes that take place after a transaction has been concluded, i.e. "mining gold" from existing data, are usually independent of personal data, or depend on it only at the level of attributes such as age, gender or place of residence. Personal data that is necessary for the further success of the company must be kept and protected!
And this is exactly where we at andrion take issue with the current demand to simply delete all personal data, because more than 95% of applications are meaningful and useful services and not data collectors per se. Our approach is therefore clearly focused on retaining all business-critical data and taking measures to protect it.
The first thing to bear in mind is that there are over 10,000 people with the surname Zimmermann in the public Swiss telephone directory, and 232 of them also have the first name Martin. My name alone is neither identifying nor worth protecting. Only in combination with various other attributes can an unambiguous assignment to a person take place. Even my name together with my address is not worth protecting in itself: it is already in the public phone book.
Only when sensitive data is linked to an identified person does it become tricky, be it ethnic or health data, religious or criminal data (the GDPR's special categories of personal data), or simply pictures and likes on social media platforms that reveal something about my preferences. This combination is dangerous from a privacy point of view and is becoming more and more strictly regulated.
Data is not just data
Looking at the topic from another perspective changes a lot: if one has extensive business data without person-identifying characteristics, it can still be used for revenue-generating business purposes without violating data protection law. And this is exactly where we at andrion come into play. We strongly advise our customers against simply instructing IT to delete the data, because then all of it is irrevocably lost. We also advise them to obtain legal advice, but not to rely on it alone, because lawyers primarily implement what they believe they read in the GDPR and are sometimes too cautious in case of doubt.
Instead, we work together with the client to analyse the current data inventory and derive the potential future data requirements from it. In most cases the core business is not the evaluation of personal data (profiling); such data is then not relevant and can be deleted as soon as the order has been processed. We therefore recommend that our customers keep the business data, including the absolutely necessary personal data, and delete the remaining personal data that is not strictly required. How this data is viewed in terms of its possible business use can differ greatly from industry to industry and from company to company. If, for example, a construction company wants to evaluate orders per region, the postal code is very important and must be kept.
Ensure control over data
This analysis of business data is not a one-off activity but should be a recurring one that ensures you have control over all available data at all times. "Should" must become "want", because only then has the organization understood what data protection is.
Working with our customers therefore leads to an increased awareness of all kinds of data in the company. Through our work, the customer understands in detail which data is really required to achieve the goals. As a result, handling data properly becomes more and more a matter of course, and sensitivity for its protection grows into the DNA of the company.
The strategic approach pays off
For data analysis, we also follow our own andrion compliance strategy. Its core is a staged approach, weighted according to the most important requirements of the GDPR. This compliance strategy also allows us to react quickly if initial court rulings indicate unexpectedly sharp enforcement. Through our projects, we are in constant contact with various European data protection authorities and specialist lawyers, so that we can "test" and improve our compliance strategy on an ongoing basis.
Consistent implementation of this strategy quickly results in a very high degree of compliance with the GDPR. The core of the GDPR is to understand which personal data is collected and processed for which purpose, and to have a lawful basis for that processing. In many cases that basis is the performance of a contract, e.g. the sale of goods, which covers the processing the contract requires; where no such basis exists, the customer's active consent must be obtained, e.g. for the use of non-essential cookies on web pages. The call centre business and any form of social media are most likely to be at risk; on the other hand, with our strategy and the measures derived from it, current business practices are already quite well protected against the sometimes draconian penalties provided for by the new GDPR.
That brings me to my final point: a lawsuit needs a plaintiff, and a plaintiff can only sue for damage that has actually occurred. Since it can be assumed that this damage is usually rather small, the number of possible court cases is drastically reduced. The fine itself is imposed and collected by the state. However, the state has no interest in damaging its own economy. Fines of up to 4% of global turnover are therefore likely to be reserved for repeated, very grossly negligent or even intentional violations. This is not a free pass to ignore data protection and the new GDPR, but rather a concrete call to manage your data actively, consistently and pragmatically.