GDPR is coming… and it’s not all bad

Only recently the GDPR deadline seemed far away, but there's now less than a month to go. Lee Williams speaks with Alan Calder, founder-director of IT Governance, and Tom Hassall, data scientist at AI company Peak.

May 7, 2018

GDPR is coming, and it’s scary. It’s not a new superbug or a weapon of mass destruction. It’s merely the EU’s new set of regulations on data privacy – the General Data Protection Regulation. But you might think it was one of those things by the way some businesses are reacting.

True, there are some rather frightening bits. Like the fines for data breaches, which can be up to €20M or 4% of annual global turnover. Levels which one commentator has already called “existentially threatening” to some firms. Then there’s the cost in money and time of becoming compliant, with organisations being forced to streamline their personal data – knowing where every piece is, what it’s being used for and why, and deleting any that is no longer relevant.

According to a PwC survey, 68% of US-based companies expect to spend $1M-$10M on becoming GDPR compliant. And according to IT solutions firm, IT Governance, the journey to GDPR compliance could take at least a year. GDPR takes effect on 25th May 2018, just one month away. And it doesn’t matter if your firm isn’t based in Europe. Any organisation handling EU citizens’ data is covered by the regulations.

When something scary is just around the corner, it is a natural human tendency to bury one’s head in the sand. Which perhaps explains why, according to a report by data governance company erwin, Inc in February, just 6% of organisations said they were ready for GDPR, with just four months to go.

But is all the doom-mongering really necessary? Many experts think not, and that, rather than burying their heads in the sand, organisations should be running to meet the new regulations with open arms. “If you’re complying with GDPR, you’ll be telling data subjects exactly what you’re doing with their data,” says Alan Calder, founder-director of IT Governance. “That means you can build trust with customers. It says come to us, give us your data. You know we’re going to do exactly what we say we’ll do. And not only that, you can probably rely on us for everything else as well.”

One demand of GDPR is that organisations discard all irrelevant and outdated personal data. Calder believes this provides the chance for a spring clean of the vast amounts of information building up like dust in organisations’ systems. “You get rid of all that data you shouldn’t be holding,” says Calder, “so you reduce the costs of your data storage. You clean up processes, you clean up storage, you clean up activity and you become much more cost-effective as a business.”

GDPR could also provide a chance to automate some data processes that are time-consuming and monotonous, thus freeing up human workers to do more productive work. Already AI is rearing its familiar head as a method of streamlining data processes in a GDPR-compliant way, and in ways that could benefit the organisation as a whole. Peak is an AI company which allows businesses to grow using data. Its Artificial Intelligence System allows organisations to increase their revenues and profits, whilst helping to ensure that their data remains GDPR compliant along the way. Its machine learning algorithm scans all the data an organisation holds, bringing it together in a single stream and risk assessing each individual piece.

The result is a table of data with individual recommendations about how and where to store each piece of information, or whether to anonymise or bin it. The process not only brings data together in a streamlined way but provides a self-updating audit trail of an organisation’s data and how it has been used – a crucial factor in GDPR compliance, especially if a security breach occurs.

This rounding up (and possible culling) of errant data is good for an organisation’s performance and can directly affect the bottom line, according to Tom Hassall, a data scientist at Peak. “At the moment a lot of data is held in different departments and is not very cohesive,” says Hassall. “But if you have a view on your data where you can see the whole thing, like GDPR will force you to do almost, you’ll have better ways to approach problems. You can really increase your profits, grow your business and save a lot of money just by looking at your data properly.”

Much of GDPR compliance is about minimising the damage of that dreaded data breach if, or perhaps when, it eventually comes. But what if the risk could be eliminated altogether? Having a system that allows organisations to communicate with customers, but without having to store their personal information would be the data equivalent of having your cake and eating it. And blockchain could be the technology to deliver it.

Blockchain technology allows data to be stored online in a series of highly encrypted and anonymous ‘blocks’. This is usually used to provide secure cryptocurrencies such as Bitcoin. But already entrepreneurs are looking to exploit the technology to store personal data. One such company is Nuggets. It provides a one-size-fits-all solution to payment and data transactions where no one actually gets to see the data, even Nuggets itself. “What we did was look for a zero-knowledge solution,” says Nuggets founder and CEO, Alastair Johnson. “There’s no backdoor admin, no IT people who’ve got usernames and passwords and can leave their laptop in a pub.”

Nuggets employs a triple encryption system – first the personal data is encrypted by Nuggets, then encrypted within the blockchain, and finally a privacy framework is put on top. “It’s a bit like looking for a billion needles in a haystack,” says Johnson. “Even if you do find one of those billion needles, you’ve then got to spend a couple of hundred years trying to crunch it with modern computing power even to get into it, and then if you do, you might have the second part of my postcode, and you don’t know where the other needle is that’s got the first bit.”

Perhaps predictably, Johnson anticipates a fast spread of the technology, giving a two-and-a-half-year estimate for a good adoption. He doesn’t believe it will affect how companies use data to make decisions; he believes such data will be anonymous or, if not, with a value attached for the customer. According to Johnson, moving personal data onto the blockchain could be the first step to unchaining our digital identities from our devices. “I think you’ll have a personal cloud of information that’s associated to your identity,” says Johnson, “and you’ll be able to interface that through your TV, through information technology, through your mobile, your laptop or another interface that you can biometrically associate. You will become your data again, not the phone that you’ve got.”

GDPR, Johnson believes, will only accelerate the adoption of new technologies such as automated data governance and blockchain encryption because the penalties for failure are going to get so much heavier. “The same scenarios that were happening last year are going to happen this year,” he says, “it’s just that you’ll have a fine stuck on top. We are starting to see CEOs’ heads rolling and when that happens, things tend to get a little bit more focused.”

Perhaps GDPR is a bit scary after all. But it will provide a lot of opportunities, it seems, to organisations that embrace it. If fear is the motivating factor in that, then perhaps that’s a good thing.
