Before I begin, I wish to extend my thanks once more to the Barbados ICT Professionals’ Association (BIPA), the Internet Society of Barbados (ISOC BB), and the Barbados Information Security Systems Association (BISSA) for taking a lead on compliance with the European Union's General Data Protection Regulation in Barbados. Overall, our discussions have proven to be very lively and enlightening.
I have mentioned the GDPR before; however, we need to read further into the legislation to understand its civic importance and the importance of compliance. As we do so, I want us to keep five key points in mind, specifically:
- There is little new under the sun;
- The affected are far greater than expected;
- There is no time for ignorance, but there is room to manoeuvre;
- Technology will not save you, but it may help you; and finally
- This will only get better (or worse) depending on your response.
There is little new under the sun.
The GDPR is not the first legislative attempt to protect personal data in the 21st century; it is the latest in the line of such efforts previously made by the E.U. Other countries have also made this legislative attempt, such as:
- the United States with:
- Canada with
The difference is that the GDPR harmonises the data protection legislation of 28 member countries, inclusive of the United Kingdom, which was a member of the E.U. during the development of the GDPR. Furthermore, the laws are broader and more punitive, possibly in response to the exponential growth in breaches and intrusions.
The affected are far greater than expected.
Great emphasis has been placed on the effects of GDPR on the digital marketing industry, technology companies, primarily Microsoft, Facebook, Google, Amazon, Apple and Samsung, and the developers who often operate at the intersection of both industries – using and reselling user data to earn a profit on otherwise free mobile or web applications. I’m sure many of you have received a slew of e-mail messages from your local non-profit to your favourite international newsletters begging for your consent and agreement to accept new messages. These are only the first wave of e-mails and notices you will receive.
Fundamental structures are being rattled by this legislation because the GDPR applies in particular where a breach is likely to be a ‘risk to the rights and freedoms of natural persons’ due to poorly considered, unknown or excessive collection and processing of personally identifiable data (PID) such as name, IP address, location, age, gender, etc. Furthermore, the GDPR applies irrespective of the format in which the data is collected; this is not just an 'Internet law' but applies to data collected on paper forms or over the telephone as well.
Therefore, hotels, airlines, and frequent-flyer or other rewards programmes in the region, which often use such data for marketing research, must understand whether they are in compliance. Financial institutions, from the local credit union to the travel insurance company on your credit card, must understand whether they are in compliance. Insurance companies with health portfolios, hospitals, medical centres, polyclinics and the local GP must understand whether they are in compliance. Even our government institutions, schools and universities need to understand whether they are in compliance.
We in the Caribbean must also remember that the region has a sizable expatriate and/or dual-citizen population. Many persons in the region may still be covered by E.U. law even if they identify as regional citizens, simply because they were born before certain islands became independent. Additionally, numerous aid agencies have outlets in the region, and their foreign staff often bring family members with them, who are integrated into schools and workplaces across the region.
There is no time for ignorance, but there is room to manoeuvre.
The Caribbean has seen not one, but three major breaches of offshore companies in the past 2 years: the eponymous Panama Papers, the Offshore Leaks from Bahamas and the Paradise Papers from Bermuda. You can sift through all this data at the International Consortium of Investigative Journalists website. Under current interpretation of the GDPR, if these leaks had happened just 24 months later, offshore companies in the region could be looking at multiple fines each worth 20 million euros or 4% of annual returns, whichever is greater. Regionally and most definitively in a local sense, companies simply cannot afford to be complacent.
Nevertheless, micro, small and medium-sized enterprises with fewer than 250 employees, as well as businesses that do not target the E.U. directly, may have some leeway on certain aspects of the GDPR, particularly when it comes to identifying a separate data protection officer role.
Public safety also appears to be relatively unaffected by the GDPR, so countries should be able to continue to police their borders and maintain the security of citizens, residents and visitors as they choose. Our regional immigration and policing bodies may breathe a small sigh of relief, for now. Taxation bodies may not be so lucky.
Overall, communication is key. If, after safeguards and policies are implemented, there is a breach that is likely to result in ‘a risk to the rights and freedoms of natural persons,’ companies with E.U. users must practise aggressive communication, or what I like to call 'an open window policy'.
Breaches of PID must be reported within 72 hours to the relevant authorities, either locally or in the E.U., and companies should accurately and transparently inform users of said breaches, the PID compromised and any proposed resolution. Neither silence nor inaction counts as consent; automatic opt-in through mere use of a website and pre-checked opt-in boxes are out. Most importantly, consent to use data for one purpose does not carry over to other uses; data provided for a newsletter cannot be resold simply because it was collected once upon a time, a long time ago.
Technology will not save you, but it may help you.
Automation is singled out in the GDPR as an area particularly in need of clarity, and everyone should be aware that consent must be gained for the use of automation to process data. Under the guidelines, we can see that more transparency and separate consent must be shown before automation can be used to send targeted product catalogues, special birthday coupons and reminders of unfinished transactions.
More importantly, the artificial intelligence and automation that financial service firms, e-commerce sites, recruitment firms and landlords have been employing to recommend products and review applications for credit, jobs or housing must now face the daylight. Even with user consent, these firms must have in place a human dispute and/or review channel to supplement the automation and ensure that decisions are free of bias built into the algorithms of the software.
Furthermore, when we consider that more sophisticated artificial intelligence and machine learning are built to learn from the deep wells of Big Data that the financial industry and university hospitals have long collected, managed and protected through obscurity, we must wonder what path future development of the technology can reasonably take without running afoul of the GDPR.
Given that the UN's special agency on information and communication technologies (ICT), the International Telecommunications Union (ITU), has chosen the theme "Enabling the positive use of Artificial Intelligence for All" for this year's World Telecommunication and Information Society Day (WTISD), the tension between using new technology and protecting PID and people's right to a fair decision will continue to be of grave concern.
Indeed, all future development of promising technologies must regroup and/or consider serious redesign in order to meet the GDPR specifications. One particular aspect of the GDPR, the right to be forgotten, may be untenable with current Big Data configurations and blockchains, which tout the immutability of data once it is placed in a block and successfully processed. To add to this conundrum, how will hospitals, companies and governments transparently and thoroughly explain the use of, as well as gain consent for, the myriad IoT devices proposed for use on our roads, in our medical devices and in our electrical grids?
Technology can still assist in securing data through information security management tools, constant, proactive threat vigilance and heuristics, access logging, software patching and maintenance, etc. Smaller businesses could end up mitigating a large part of the compliance risk by outsourcing all IT infrastructure to large cloud operations such as Microsoft Azure. Nevertheless, it cannot be a cure-all if consent is required. Transparency of use and data minimisation are more critical than ever before.
Finally, this will only get better (or worse) depending on your response.
As I stated at the beginning, the GDPR is not the first legislation on PID and it will not be the last. Indeed, we can expect the UK to continue to maintain similar legislation despite Brexit. Once that happens, it is likely that the Commonwealth countries will follow suit; indeed, some may do so even beforehand, as India is already on the path to implementing a data protection law.
We in the Caribbean must begin to care more about our citizens' rights and freedoms, beginning with better care for how their data is used. Misuse is no longer a theory or a problem for 'over and away'. Not with Cambridge Analytica attempting to manhandle elections in the region. Not with 'tourists' using our ATMs to drain the coffers of unwitting citizens and residents whose identities have been stolen and/or sold. No government, business or consumer should allow this to happen unchallenged.
The key now is to champion regional data protection legislation and rebuild business models in the region to proactively and strategically manage and protect customer privacy. Talk to your Board of Directors, your lawyer, your accountant and your IT manager about the steps that need to be followed. Reach out to skilled professionals to learn how to earn goodwill and business through greater compliance.
Whatever you do, don't brush this under the carpet.
Those enterprises that are successful in pivoting will lay the groundwork for future compliance while being able to attract much richer business from tech-savvy users and digital nomads. Those who cannot, or refuse to, see that such regulations create opportunities will instead panic and forever drown in a sea of data misuse and security despair.