After years of buildup, the EU’s General Data Protection Regulation (GDPR) is finally in effect. Now comes the interesting part, where we all get to learn—in real time—exactly what it means, how it will be enforced, and how it will interrelate with U.S. laws and court rules such as discovery. We’ve written already about what we expect to happen. What’s interesting is how our thinking about data privacy—at least here in the U.S.—has evolved as businesses have prepared for the GDPR.
Here are a couple of the thoughts we’ve had throughout the process.
The Differences in Terms Reflect Differences in Mindsets
The U.S. has long referred to “personally identifiable information,” or PII. While PII has gotten broader over time, the U.S. usage of it is still somewhat limited to information that could directly identify an individual. Of course, your name, address, and Social Security number are all PII. But the EU’s term, “personal data,” is exponentially broader. Personal data includes obvious identifiers, but it also encompasses your IP address, your fingerprints or DNA, photographs of you, demographic information, and so on. If someone could—even if it took substantial effort—figure out who you were based on a combination of tiny slivers of information about you, those individual slivers would each be personal data.
Similarly, we in the U.S. think of “processing” data as doing something with it. The EU begs to differ. Under the GDPR, processing includes
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Unlike the U.S. conception where only active alteration or use of data is thought of as processing, this definition makes it so that anything a company does with data, even fairly hands-off steps like storing or erasing it, equates to processing.
What do these differences in terminology mean? They highlight the fundamental distinctions in how our cultures value data privacy as opposed to commercial interests. While we’re coming closer together in the global economy, the U.S. default has been a staunch protection of free speech and capitalism, while the EU has a longer history of appreciating privacy. The way we define terms reflects these different backgrounds.
Technological Solutions Can’t Replace Personal Solutions
Some data privacy problems can be solved with better logical security measures. In today’s cloud-based computing environment, privacy by design is the best practice, wherein data privacy and data protection are integrated from the outset rather than appended at the end of a product’s lifecycle. Ensuring that your company and your partners incorporate these technological solutions is vital—but it only goes so far.
There must always be a layer of personal trust with any company you provide your private or confidential information to. The most secure technology in the world can be undercut entirely by one clueless employee who uses “admin” as both his username and password. Without establishing trust, both between you and your partners and you and your customers, your business is dead in the water.
We’re excited to see what comes next with the GDPR. Whatever it is, we’re prepared to earn our customers’ trust every day.