The transition period to the new European privacy regulations, GDPR, will end in May after which compliance is needed. To me the GDPR is extremely interesting. First because it introduces a few novel concepts. Second because good data governance means openness, personal data protection and information security are all approached in the same way, which makes the GDPR important for my open data work. That open data work has been steadily shifting towards creating meaningful digital-first data governance.

One of the exciting novel concepts in the GDPR is that the legal obligations follow the data. The GDPR applies to any organisation holding data about EU citizens, regardless where they reside themselves. Another is that EU citizens must be able to clearly understand how data about them is collected and used. Terms of service where the snake hides on page 312 of a document full of legalese is no longer acceptable. This means that your data usage must be out in the open, as every individual has the right to verify how their own data is being collected, stored and used, as well as to export that data and withdraw consent. Compliance is recast from being a disadvantage to being a precondition and source of competition. To me it seems the GDPR is bringing the law much closer to our digital times. It paves the way for ‘ethics by design’ concerning data, and use it as a distinguishing factor. It also sets a de-facto global standard (although not everyone seems to realize yet).

The GDPR creates or reinforces a range of rights in law. Some of my clients have mentioned how they perceive this as a large heap of new work, but to me that’s not really true. It is true if you approach the GDPR as yet another administrative exercise to proof you are compliant, yet that is the old way of approaching privacy: Do whatever you want internally, and take precautions on the edges with the outside world. To reliably implement the GDPR and to be able to provide audit trails and pro-active proof of compliance (note that absence of this ability is interpreted as non-compliance), the most efficient way forward is embedding compliance in the data systems themselves. The ‘by design’ approach is mandatory for new systems. Knowing where in your data sets personal data resides, having consent as part of the metadata etc. This brings personal data protection firmly at the level of data governance and at the level of data system and structure design. Openness, personal data protection and information security can no longer be gates put around the data, but need to be part of the data, an ‘everything by design’ approach.

Two good articles to read are:
The report of a Berlin panel discussion, addressing the more general meaning and impact of the GDPR in 8 insights, by Sebastian Greger. (HT Alper Çugun)
A handy overview of the rights created under the GDPR and their meaning for e.g.
website and other tech design, by Cennydd Bowles.