GDPR

The European Union will be introducing a new privacy law on May 25 as a bid to bring data protection laws up to date with modern technology. The issue about privacy and personal data protection has been the focus of media attention recently, following the Facebook scandal involving Cambridge Analytica. The recent news surrounding those two companies has once again sparked the debate over our data into the mainstream— who owns it? Where and how is it being used or shared? And what should companies do to protect their customers?

Thanks to the new rule called General Data Protection Regulation, or GDPR, there will be new restrictions on how personal data is collected and handled. New reforms under GDPR started to attempt to standardize data protection regulations in 2012. Germany made GDPR active under their Federal Data Protection Act in May 2017.

Starting next month, any firm that stores or processes data of EU citizens, including U.S. or Asian companies that sell goods and services in the EU, must comply. So, suppose you're in the e-commerce industry, and your company sells products to citizens in the EU. If your online shop also analyzes the information of all its visitors, then your company must also comply with the regulation. If not, the penalities for breaching the GDPR can be a fine "up to 4% of the company's annual global turnover or €20 Million (whichever is greater)," according to eugdpr.org.

"The basic point of GDPR all comes to data of a person," says Noah Ross, senior front-end architect at ICANN. "If you are collecting data points that can be used to specify a user - you have to be able to justify the claim of why you need the data."

"So email, for example, can identify a person, but if it's used as the login name - you can justify it," Ross adds.

However, if a company was collecting extra information, like gender, to be used just as a metric, Ross says that it shouldn't collect that data any further.

GDPR will work to ensure that users know, understand, and consent to the data collected about them. In other words, companies have to be clear and concise about their collection and use of people’s data like full name, home address, IP address, location data and web trackers used on smartphones. Hence, pages of tiny, fine print won’t suffice. 

The other point that Ross brings up is the "right to be forgotten."

"A user needs to be able to request the right to be forgotten," says Ross, "which means you have to be able to properly anonymize all data about that user wherever it may be present, including logs."

"And you cannot retain any key info to 'un-anonymize' it," explains Ross, "If you can get away with just deleting the data, that's even better; but anonymizing is fine if you still need to track for metrics."

In addition, data collectors must also obtain permission from the data subjects for collecting most types of personal data. While consent is not strictly necessary, it can restrict the kind of data that can be collected or used by organizations.

Not every company can comply with it without severely negatively impacting function.

"When it comes to the GDPR, there is no distinction between public and private, only between personal and non-personal," John Thompson, an Ireland Region Manager at Tech Data AS Ireland, wrote on his LinkedIn (https://www.linkedin.com/pulse/data-science-under-gdpr-john-thompson/). "All personal data processed systematically falls under the GDPR."

“Overall I think regulations like this are very positive,” Zuckerberg said during a conference call with reporters on April 4. He said that Facebook intends to make all the same controls available not only in Europe but everywhere.

“Is it going to be exactly the same format? Probably not," Zuckerburg noted during his call in with reporters. "We’ll need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”

A study by IAPP estimated that, once the GDPR takes effect, at least 28,000 Data Protection Officers will open up in Europe and the United States alone. Moreover, in response to GDPR around the globe, the IAPP estimates that up to 75,000 DPO positions will be available.

The new GDPR requires that a single person acts as the data protection officer (DPO). The data protection champion would be responsible for the following: Who does what on which data and where is it done? What is the impact of a process on the global system? And what are the performance metrics of the processes?

The principle is sound; however, some say that data governance is such a new field.

While most of the coverage surrounding GDPR focuses on how companies collect, store and govern data, it's also important to note the implications for AI development. For example, how will machine learning applications be affected by GDPR?

A study by two researchers from the Oxford Internet Institute suggests that GDPR might prohibit a “wide swath of algorithms” and “could require a complete overhaul of standard and widely used algorithmic techniques.”