The European Union’s General Data Protection Regulation (GDPR), which has been a decade in the making and takes effect on May 25th, applies to any business that handles the personal data of European residents. The rules cover almost anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data, and more. “GDPR holds companies of all sizes to account,” Facebook Chief Operating Officer Sheryl Sandberg said at a January conference in Brussels, before the Cambridge Analytica leak was revealed. The law will affect almost everyone, she said, because businesses “all use data to improve their services.”
The world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR, according to consultants Ernst & Young. Businesses must appoint someone in the EU as liaison with regulators, and many larger companies are required to designate a “data protection officer” responsible for compliance. Microsoft Corp. has 300 engineers working to ensure its software is GDPR-compliant. At Krones AG, a 15,000-employee German producer of bottling equipment, almost 60 people are involved in GDPR preparations. “The bigger an organization is, the bigger a nightmare it is,” says Julian Saunders, chief executive officer of Port, a U.K. startup selling software that helps clients control who gets access to data and creates audit trails to monitor privacy.
Even so, many companies outside Europe have only recently awakened to the fact that GDPR affects them. And few can be sure they’re really ready, with researcher Gartner estimating that more than half the companies affected by GDPR won’t be compliant by the end of the year. “I’ve been practicing privacy law for the last 17 years, and I haven’t got a clue what ‘ready’ means,” says Tom De Cordier, a lawyer at CMS DeBacker in Brussels.
That’s in part because many of the law’s provisions remain ill-defined. There are questions about the difference between “consent” and the “explicit consent” GDPR requires for sensitive data such as criminal records. And companies can claim a “legitimate interest” in data that outweighs privacy concerns, but there’s conflict over what that means. Does it include data needed for targeted online ads? Signals broadcast by Wi-Fi routers? Medical results collected to improve health care? “Every player in the industry wants to call what they do ‘legitimate interest’,” says Nicholas Oliver, founder of People.io, a London startup that pays customers to hand over personal data and view advertising. “It’s got to be in the interest of the consumer.”
Under GDPR, companies can no longer bury data collection policies deep in legalistic “terms and conditions” that few bother to read. They must certify that their processes minimize impact on individual privacy rights. And they may collect only data needed for immediate purposes rather than simply sucking up information expecting to make money from it later. Larger businesses must keep records of the data they hold, why they have it, how long they’ll keep it, and how they protect it. “It takes a long time to compile all the documentation,” says Klaus Hufnagel, managing director of Verivox, a German comparison shopping site for home energy and insurance. GDPR grants consumers the right to see the personal data an organization holds about them, and they have a “right to erasure,” meaning they can ask that the business delete it, for pretty much any reason. If anything is lost, destroyed, or stolen, whether via a hack, losing a thumb drive on a train, or an engineer accidentally hitting the delete key, businesses have 72 hours to fess up to regulators.
It will take years for Europe’s justice system to clarify what it all means. Courts are still debating current EU privacy rules, two decades after they were enacted. Wim Nauwelaerts, a lawyer with Sidley Austin in Brussels, says each country has enough discretion under GDPR that there could still be a lot of differences, forcing companies with operations across Europe to comply with multiple, potentially contradictory privacy regimes. “What was the purpose, then,” Nauwelaerts asks, “of having a GDPR in the first place?”
Large multinationals will spend $7.8 billion to comply with the EU’s new privacy regulations, though some consultants say more than half of companies won’t be ready when the law takes effect in May.
One of the biggest impacts that GDPR will have for consumers, citizens of countries that comply with GDPR, is the right to be forgotten. A person can request that they be removed from a record. What if the record is part of a blockchain? This poses a challenge for blockchain implementations.
Blockchains are designed to last forever. Each block has a hash based on its contents, and carries the hash of its predecessor. So when you look at a block on a blockchain, you can trace the block back through its predecessors to the founding block. Changing the contents of a block changes the block’s hash.
If a block’s hash changes, the successor blocks will no longer reference it. This would break the chain linking the later blocks back to the original, valid block.
Rebuilding the chain with the replacement block means the hash for each successive block will have to be recalculated, which is an enormous computational task. And that cost will increase, as the deleted data could be spread over many chains.
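The linkage and rebuild cost described above can be seen in a toy hash chain. This is an added example, not part of the original post; the block fields, the `DIFFICULTY` proof-of-work prefix and the sample records are assumptions made for illustration and do not model any specific blockchain.

```python
import hashlib
import json

DIFFICULTY = "00"  # assumption: toy proof-of-work prefix, far easier than real chains
SAMPLE_RECORDS = [f"customer record {i}" for i in range(6)]  # constructed sample data

def block_hash(block):
    """Hash the block's contents, its predecessor's hash and its nonce."""
    body = {k: block[k] for k in ("index", "data", "prev_hash", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def seal(block):
    """Search for a nonce that meets DIFFICULTY; return the hash attempts spent."""
    block["nonce"] = 0
    while not block_hash(block).startswith(DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block["nonce"] + 1

def build_chain(records):
    chain, prev = [], "0" * 64  # the founding block has no predecessor
    for i, data in enumerate(records):
        block = {"index": i, "data": data, "prev_hash": prev}
        seal(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_broken(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def erase_and_rebuild(chain, index):
    """Blank one block's data, then re-seal it and every successor block."""
    chain[index]["data"] = "[erased]"
    attempts = 0
    for i in range(index, len(chain)):
        if i > index:
            chain[i]["prev_hash"] = chain[i - 1]["hash"]
        attempts += seal(chain[i])
    return len(chain) - index, attempts
```

Erasing the data in block 2 of a six-block chain forces four blocks to be re-sealed; on a real network the same work would also have to be accepted by every other participant holding a copy.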
NYC Wins When Everyone Can Vote! Michael H. Drucker