GDPR: it’s time to rethink your approach to privacy

Be prepared for dramatic changes in data rules

From May 2018, UK companies could face huge fines for failing to comply with new data rules that many seem unprepared for. But instead of viewing the General Data Protection Regulations as yet another tick-box compliance issue, it might pay to take a more strategic view. At Thoughtworks, we think GDPR should fundamentally change the way you think about customer data.

That’s because GDPR introduces some challenging standards to meet. These include: changes to customer consent, the right to be forgotten and reporting data breaches within 72-hours. The impact of these challenges alone would demand extensive changes to many companies’ existing systems.

From the companies that we speak to, many are waiting to see who jumps first. It seems that many people think this is more a case of data reporting and audit process—simply where some i’s need dotting and t’s crossing.

In fact, the changes are potentially so profound that there are no sticking plasters or superficial approaches that will help. GDPR will force you to completely rethink your approach to customer data. That means compliance can no longer be viewed as a perimeter function contained somewhere within a report: it needs a deep-seated behavioral change. Indeed, companies and their legacy estates cannot remain as they are.

At Thoughtworks, we believe organizations and their systems will need to be adaptive and responsive to change in a quality assured manner. And they must be able to change at lightning pace.

What is GDPR?

GDPR updates UK’s Data Protection Act of 1998, which was written into the statute books before the Internet was widespread, before smartphones were common, long before the cloud and ecommerce.

As our relationship with the Internet has grown, consumers have sleepwalked into an era where they routinely give away information without realizing the consequences. As a result of this asymmetric information exchange, the customer gives and the companies keep collecting, reselling, spamming, and sadly, losing data.
 
GDPR is designed to catch up significantly and bring privacy back under some degree of control.

In essence, GDPR will introduce new data rules to include:

• Widening the scope of what counts as personal data
• Tightening the rules around consent to use personal data
• Introducing mandatory privacy impact assessments
• Introducing a data breach notification requirement
• Enshrining the right to be ‘forgotten’
• Requiring ‘Privacy by Design’

Don’t play the waiting game

We know from experience, that many companies are playing a waiting game. They want to know how the law is going to be policed, who will get audited first and how legal precedent will emerge.

There are, of course, risks in such an approach. Non-compliance with the GDPR could lead to fines of €20 million or 4% of global turnover—whichever is the greater. Are you sure you could comply with the data breach notification requirements within 72 hours? Maybe the first companies to fail with the data breach notification rules won’t face such stringent action, but inevitably, those that have done nothing to prepare for GDPR run higher risks of attracting the regulators ire.

What does this mean for my company?

To get an understanding of complexity of complying with GDPR—and the mind shift that’s necessary, it helps to look at the practical application of some of the new requirements.

Take the right to be forgotten. That should be easy to comply with, right? You just delete that person’s data from your system. Except it might not be one system. Relevant data could be spread far and wide: from references to them in marketing communication, tracking systems, emails. You might find you’ve shared data about that person with partners, or included their data in digital and physical reports. All of a sudden, you can see your IT staff recoiling in horror at the enormity of the problem.

Adding to this, you’ll have to deal with the new rules around consent, which has to be granted explicitly—not inferred or assumed. Do your current terms and conditions for collecting customer data stand up to the new definition of consent?

And what do these changes mean for companies that have previously exploited data within their CRM system or within some machine learning tools? Will your recommendation or personalization systems pass muster? We’ll know more as legal precedent is established, but at the very least, Article 22 of GDPR warns: “Automated individual decision-making, including profiling may mean that many algorithms currently in use, or indeed, many companies are looking to employ, may need to be adjusted.”

There are many other implications, but these points may just be enough to convince you that far-reaching changes are necessary. Indeed this is yet another reason why a legacy estate built for delivery that dealt in months or years is no longer fit for purpose. If you were looking to transform into a more agile delivery engine, now’s your chance. In fact you may just have to.

Put your focus on privacy

From both a philosophical and practical view, companies must begin to think about their customer at the heart of their systems. This relationship needs to be at the core of your business and not just solely in the digital consumer facing pieces. By so doing, you make it easier to construct a clearer understanding of the customer data you’re collecting, and improve your ability to trace data through all of your systems.

By giving customers a real identity and persona within your system, you can capture customer behavior and interactions with the company—improving your ability to track, trace and audit customer interactions. By creating models for 'real people' rather than just sets of vaguely related data structures, we create systems that are based on human behavior where issues such as privacy are expected and provided. Many technical digital projects simply think about people at the fringes and then bolt them onto the pre-existing systems. That’s not always a good match and can result in a series of ‘black boxes’, where decisions get made with insufficient articulation of the reasons.

As the business landscape changes, consumer expectations change too. Those institutions that have reported data breaches already face issues of trust. This is especially true when it comes to younger people, who are much more aware of issues around ethics and technology. But GDPR can help here, through its focus on the principles of Privacy by Design. These can be summarized as:

 

1. Proactive not Reactive, Preventative not Remedial.
2. Privacy as the Default Setting.
3. Privacy Embedded into Design.
4. Full Functionality—Positive-Sum, not Zero-Sum.
5. End to End Security—Full Lifecycle Protection.
6. Visibility and Transparency—Keep it Open.
7. Respect for User Privacy—Keep it User-Centric.

We think this transition, from moving the discussion away from compliance and towards new ways of working—ones that place genuinely client-centric, public interest attitudes first and put privacy at the core of your system thinking—is what happens naturally when you embrace the principles of Privacy by Design.

But how to start? One idea is to look at every new piece of work and put real people central to your modeling and put their privacy first. At Thoughtworks, we’re committed to the principles of lean testing and learning cycles, using evolutionary architectural principles. We strongly advocate starting as you mean to go on, and learning from everything you do.

Once this privacy-first approach takes hold, we believe that it will change your customer relationships for the better. We think there’s a real opportunity for companies to differentiate themselves on the strength of their privacy provisions. In many ways, it’s a first step to what we see as a privacy-driven economy. We’ll be exploring the ramifications of that in subsequent articles.