We are rapidly coming up to the last Christmas before the GDPR regulations come into force, but it’s safe to assume, as possibly the world’s most prolific reviewer of personal information, Santa has already taken steps to ensure that his naughty and nice lists are properly stored and secured.
Hopefully you will already know a lot about this legislation by this point given the rapidly approaching deadline, but we thought we’d take a look at some of the less understood risks associated with the new laws.
So… for starters…
Data breaches will get even scarier
While the massive fines associated with GDPR breaches are very scary, many of us have been reassured by statements from regulators that they don’t intend these fines to be the norm(1), especially immediately after the regulations launch.
However, while the regulations are intended to protect the public’s privacy against over-zealous surveillance by advertisers, they also protect user data from being released in the kind of massive data breaches that this last year has seen so often. And it’s this kind of very public failure that is the most likely to push regulators to act.
Beyond this GDPR mandates rapid reporting of data breaches, and failure here will again incur the wrath of regulators. It also broadens shared liabilities with partner organizations, many of who will increasingly seek the ability to impose penalties on you, via contractual penalties or litigation if they are fined because of your failure(2).
You can be forced to delete data
If you are wanting to store data you are going to need to be clear about your need to do so (3), and you are open to challenge on this from the users in question. No more stockpiling of data because of some vague suspicion that you will need it for machine learning just as soon as you’ve figured out what a machine learning is… If you don’t use it, you will lose it.
In fact, there are a lot of circumstances that you can lose data even if you do have a well-articulated reason for possessing it. If you are found to be in breach of the regulations, you might be required to delete the data in question in order to avoid further penalties. As we will discuss, if you are relying on user permission as a justification for storing data, then if that permission is withdrawn, something that could happen on a large scale after a well-publicised data breach, then you will have to delete the data.
It might cause problems for machine learning
Firstly, GDPR may impact machine learning because training machine learning systems requires huge amounts of data. As we have already discussed, GDPR will prevent organisations warehousing data in the hopes that it can be later used to train a machine learning system. Deprived of sufficient data, or worse, using models built on data with unexpected holes, machine learning applications may fail to produce results or acquire unexpected biases(6).
Beyond this, another source of concern may be in what is known as the “right of explanation” (7). This requires that users be able to request an explanation of any decision made by an algorithm that has a meaningful impact on them. This is a huge deal for some machine learning processes, as researchers don’t yet fully understand how these processes work in the abstract, let alone have any way to untangle the complex decision making processes to provide an explanation for a specific decision. The final language of the GDPR has been softened here(8), and a lot depends on the precise definition of “meaningful impact”, but it’s definitely an area to keep an eye on.
It will change your relationship with users
Two aspects of GDPR are set to have a major impact on how users will interact with your services. First is that of consent. Not everything you do with data will require consent(9), but where it is required you are going to have to explain to users what data you are storing and exactly what you are going to do with it as well as give them a clear chance to opt out. In fact the UK’s Information Commissioners Office recommends that the user should be required to actively opt in to most activity(10). This means that it is likely to become a lot harder to obtain consent from users for activity that is not in their interest, and value proposition will become a much more important part of the conversation for all types of digital marketing.
The second big issue is the right to erasure (11), that is that under many circumstances if a user requests that you delete their data, you must undertake to do so to the best of your ability. This may extend to data that you have passed on to third parties, or data that has been moved offline for storage. Aside from the loss of the data itself the logistical challenge in implementing a system that can identify and delete data as appropriate, as well as ensuring that the users data isn’t accidentally reacquired is likely to be considerable.
You might not realise this applies to you.
Possibly the most terrifying scenario for a business under GDPR is that they don’t yet realize that GDPR applies to them. Hopefully UK businesses will be well aware that the GDPR regulations will come into force in the UK regardless of Brexit (12), but there are many companies further afield that may not yet have realized the impact that it will have on them.
Simply put if you do any kind of business with, or store any information pertaining to the citizens of the EU, then you are required to adhere to the GDPR provisions, a scenario that is going to be almost impossible to avoid for any digital business, short of taking drastic steps to limit who can access your services.