Data and GDPR: Living in a material world
GDPR confers a certain ‘materiality’ to data that has become lost to the public consciousness, writes Geoff Copps – it’s time we considered how this translates back to concepts of ownership
Business leaders wishing to bring their privacy lawyers out in a cold sweat could do worse than recommend a viewing of Luc Besson’s 2014 film Lucy.
Its barmy plot involves a heroine who, for reasons too boring to recount, is gradually transformed into a super-computer capable of absorbing and processing ‘all the world’s information’. In the final scene, the super-computer presents the film’s other main character (a kindly professor played by a baffled-looking Morgan Freeman) with what looks like a portable flash drive containing the results of her endeavours.
Imagine. All the world’s data on one measly, corruptible, highly misplaceable memory stick.
Apart from being lawyer-baiting nonsense, this vision fails the first test of speculative science fiction. Even in 2014 it looked old-fashioned. It now recalls for us a time past, the world of the mid noughties perhaps, when ‘data breaches’ first started regularly to hit the headlines. Remember the Cabinet office laptop left on the seat of a Waterloo train? The government hard-drive found in a pub car park?
We have moved on. Data, we now tell ourselves, no longer works like this. We have architectures, we have systems. Data exists on some higher plane above the constraints of humdrum reality, doesn’t it. Doesn’t it?
It’s a question worth asking. For one of the things we’ve lost in the last five years or so is a sense of what I shall call the ‘materiality’ of data.
[advert position=”left”]
Citizens and businesses alike have grown used to thinking of data as something near-magical: streams of numbers and characters, incantatory and elusive, captured and mobilised through little-understood methods.
The reality, of course, is different. All personal data has a specific and traceable origin – whether in a person, action or interaction. All data has physical presence. It must be collected; it must be stored and handled. It is of these facts that we are reminded by the final image in Lucy.
Today, in early 2018, the ‘materiality’ of data is firmly back on the agenda. It has been put there, forcibly, by a more powerful instrument than any Hollywood plot.
The General Data Protection Regulation is the European Union’s new privacy law, put together by the 28 member states. It updates an earlier data protection directive passed in 1995. The GDPR comes into force on 25th May 2018. Before then, businesses are working hard to make themselves compliant.
The GDPR usefully foregrounds the ‘materiality’ of data in a number of ways.
It reminds us that all personal data requires capturing and processing. It insists that these processes require careful regulation.
It insists that there is nothing magical about data. ‘Plain’, ‘specific’, ‘unambiguous’: these are some of the regulation’s favourite words.
It demands the demystification of all workflows involving the processing of personal data, in order that they may be thoroughly documented, recorded and made retrievable for inspection.
In short, the GDPR makes businesses think hard about everything they do with data.
Under such scrutiny, common data terminology loses its ethereal air, becoming more specifically physical.
Take, for example, the concept of ‘The Cloud’. In the popular imagination, The Cloud is something mysterious, floating around somewhere ‘out there’, as clean and white as an Apple Store interior. The reality is different. That Cloud technology exists beyond view, that it is not geographically proximate, shouldn’t prevent us from seeing it as a very real and solid thing (or set of things). Steel-and-wire units housed in brownfield bunkers. Arrays of high-tech servers blinking hotly in desert facilities. Again, the GDPR forces upon companies a demystification process. Business leaders and their lawyers must ask questions that formerly concerned only ‘techies’: for what services do I rely on The Cloud? Where are these services performed?
Broad terms such as ‘processing’ also become more physical, fleshy even. Under the GDPR, data processing is understood to include everything from deploying data in mathematical models, to scribbling down a telephone number on a scrap of paper.
GDPR also has much to say on a subject that often gets overlooked when we deny the ‘materiality’ of data. That subject is the issue of ownership.
In every relevant business there is a recognised database owner. But who owns the data in the database?
Where personal data is concerned, the EU’s answer is clear. The GDPR tells us that the owner of any data is ultimately the ‘data subject’ – the natural person to whom the information refers. The EU considers the protection of personal data a fundamental, if not absolute, human right. Accordingly, under the GDPR the data subject has expanded rights of access, restriction and objection, rectification and erasure (‘the right to be forgotten’) and portability (the ability to transfer data from one company to another). The acronym once known as ‘Subject Access Request’ has effectively now broadened into the all-encompassing ‘Subject Access Rights’.
Where organisations dealing with personal data at scale are concerned, the key terms are ‘Controller’ and ‘Processor’. The Controller determines ‘the purposes, conditions and means’ of processing personal data, while the Processor is the body that processes the data on behalf of the Controller. Note how the regulation’s wording here prefers the language of responsibility and decision-making; ownership hardly comes into it.
The final main way in which the GDPR foregrounds the ‘materiality’ of data is in the legislation’s extra-territorial reach. No longer can data be seen as airily free of geographical constraints. Personal data usage must now take account of international borders – just like physical entities such as people and shipping containers.
The GDPR applies to all processing of EU citizens’ personal data, regardless of whether the processing itself takes place within the Union. In addition to this fact, Processors need to make provision for their clients’ differing attitudes to the regulation. Some clients are choosing a belt-and-braces approach, requiring by contract that the data they control never leaves the EU.
Whatever else it does – whatever its merits or failings – the GDPR provides a corrective to common misconceptions that have grown in the popular imagination over the last decade. The regulation doesn’t let us forget the ‘materiality’ of the asset to which its 87 pages and 99 articles refer.
Like all laws, the GDPR requires real physical actions to be undertaken. Actions that cost time, money and resource. Organisations falling within the GDPR’s scope must appoint a Data Protection Officer. They must rigorously interrogate their data workflows via structured Data Protection Impact Assessments. They may need to relocate storage and processing facilities, and to set up mechanisms to service incoming subject access requests.
Such example measures are necessary to make companies compliant and accountable, to better serve the public, and to produce the best future-proofed solutions and outcomes for clients.
Those who neglect these duties risk being left like Morgan Freeman at the end of Lucy, bewildered and vulnerable in the face of the brave new world stretched out before them.
Geoff Copps is Managing Partner, Head of Data at IPG Mediabrands UK