Jesse van Mouwerik, Author at TechGDPR https://techgdpr.com/blog/author/jesse/

Blocks Ascending: The GDPR Checklist for Any Blockchain Project
https://techgdpr.com/blog/blocks-ascending-gdpr-checklist-for-blockchain-startup/
Mon, 17 Sep 2018 08:13:56 +0000
The rise of blockchain technology, and of the data-centric enterprises that accompany it, is starting to change how technology around the world is regulated. From China cracking down on ICOs, to new data privacy laws in California, to countries attracting entire crypto-economies to their shores, the global data privacy landscape is complex and constantly in flux. Such conditions can tempt startup leaders in the blockchain space to wait before responding to new regulations, particularly Europe's GDPR, until a clearer course of action reveals itself. This is not the right approach. Even now, there are several common-sense questions that anyone working in blockchain should ask about GDPR compliance. Here are a few.

Do I have a website? Do I use analytics for that website?

It seems obvious, but before considering the risks of any platform, any peer-to-peer network, or even any business model, consider your website. On a typical website, information is being collected about who is visiting. This could be as mundane as basic analytics or a standard email list. Depending on how this information is gathered (and how consent to share it is established), it is possible that you already hold what the GDPR classifies as personal data: IP addresses, cookie identifiers and email addresses all qualify. This is a problem that is easy to solve if attention is paid to web analytics early on, and much harder to untangle later.

Do apps impact the privacy of my blockchain network?

It could be your own app, or it could be someone else's. Cryptocurrency exchanges, for example, have repeatedly been compromised, and a breach of an exchange can expose the personal data of its users alongside their funds. Separately, traditional financial institutions have an interest in monitoring certain blockchain activity, cryptocurrencies above all, which gives them a financial incentive to keep an eye on both the size of crypto markets and their weaknesses. For a blockchain company, knowing in advance which party is the data controller (and which is merely a processor) for each application that touches your network means that, in the event of a breach, it is already clear who must notify whom. That clarity is an important step towards improving application security, not just compliance.

Do I have a contingency plan in place if a regulator approaches me?

Let's assume that you have founded a startup using blockchain technology and are making meaningful efforts to comply with the GDPR. Is there someone in your organization who can prove this? For reasons you did not anticipate, regulators may need to inquire about your data storage practices. If that occurs, having someone assigned to providing the key information is critical. If you cannot do this (and show it on a technical level), difficulties can quickly arise. To that end, companies need defined internal guidelines and contingency plans for data security in general. These guidelines can then be applied pragmatically to how blockchain technology is being used. It may be important to distinguish between broader company practices and a particular blockchain project. All of this requires the effort of more than one person or department, but it can be coordinated much better with the help of a Data Protection Officer.

[Illustration: a large wave representing the GDPR about to overtake a small ship representing a blockchain entrepreneur. Created by Jesse van Mouwerik for TechGDPR.]

Am I or any of my B2B Partners working with end users?

Even if your startup isn't working with end users, one of your partners might be. B2B transactions can involve some degree of personal data depending on the partnership, and it is worth knowing where that applies to your own partnerships. A common assumption is that a blockchain company that does not build for ordinary consumers does not have to worry about personal data or data security as it relates to people in the EU. This is a myth. A B2B product is less likely to run into trouble, but the trouble it could run into is also less clearly defined and varies from case to case. There are often straightforward rules for particular situations, especially B2B marketing, but a company can only comply with them if it knows what they are.

What tools am I relying on to conduct my business?

This applies to digital tools as well as standard hardware. Blockchain platforms, whether running on servers or smartphones, depend on the interaction of many different devices. Having at least some grasp of device security is key to maintaining the integrity of your blockchain network, especially where IoT products are involved: an unpatched device on the network is both a data security risk and a potential entry point for attackers. Blockchain can also potentially improve IoT security, but articulating a concise strategy that also demonstrates compliance takes some time.

Do I really need a DPO? If so, how often?

As already mentioned, a DPO provides regulators with the information they need when they ask questions, but that isn't the DPO's only function. DPOs also do a great deal of important work for companies undertaking any significant data processing. In Germany, for example, a company is required to appoint a DPO once a certain number of its employees are regularly involved in the automated processing of personal data. If a full-time DPO hire isn't necessary, companies can also outsource DPO work to trusted third parties. For blockchain startups, the most convenient option is typically the services of a blockchain DPO: someone already familiar with the technology in use as well as with the GDPR's requirements.

Nearly all blockchain startups are affected by at least one of the above scenarios. In each case, being prepared is far easier and far less costly than being hesitant.

To stay up to date on how the GDPR affects technology, follow TechGDPR on Twitter.

Your IoT Product is Not as GDPR Compliant as You Think
https://techgdpr.com/blog/your-iot-product-is-not-as-gdpr-compliant-as-you-think/
Fri, 27 Jul 2018 21:33:42 +0000
There is much more to IoT security than meets the eye, especially where the GDPR is concerned. Whether used for research, data collection, or consumer convenience, even the most seemingly mundane IoT devices can be collecting and storing what the GDPR is likely to consider personal data. Whether that data is being collected unknowingly or is simply poorly protected, the opacity of a connected device, combined with the EU's open-ended definition of personal data, makes for a risky business climate. There are, however, many ways to reduce this risk dramatically. Here are a few.

Understand Your Collaborators

Knowing who is handling IoT security for a given device is critical. A great many IoT ventures do not work solely on their own, and require partners in order to most effectively collect, store, and analyze their data. If you are collaborating with anyone, it is important to confirm that they have these three things:

  1. A means of collecting consent from users if personal data could be collected by any device (even non-consumer devices may have what the GDPR considers personal data).
  2. Contingency plans in place for data breaches where affected people can be notified.
  3. Safe data storage procedures.

The best way to know if your collaborators thoughtfully understand and respond to these three needs is to already have them in place within your own organization. Here are more details regarding how to do exactly that.

Know When to Collect Consent

Sometimes the toughest part of collecting consent is understanding the context in which an IoT device may be collecting personal data. This is more straightforward for companies that collect data from household appliances or other consumer devices, where usage habits regularly amount to personal data. Less clear are connected devices used in areas such as research, B2B engagements and the monitoring of other machines. In a web of interconnected devices, tracing a trail of breadcrumbs back to a single individual's 'personal' data, and determining whether you are indeed the party liable for requesting their consent, can be far harder than first expected. To address this, you will need not only legal resources, but also experts in your field who can relay the unique technological constraints of a given case to those who best understand the law.


Improve Your Data Storage Methods

This step is the most straightforward. Even without the GDPR, no serious company treats reliable data security as optional. Though many have feared that the GDPR would hurt technological innovation, the incentive under the new rules to improve data storage doesn't place a ceiling on progress, but a floor. Being transparent about the actions taken on security and storage procedures is also very important, even for companies that aren't in constant dialogue with customers. It can be a tougher task for IoT ventures that don't directly (or intentionally) handle consumers' personal data to work out how to identify it at all. A science lab studying algae, for example, has less obvious reason to worry about personal data on its IoT devices than a company with regular direct connections to customers. Nevertheless, IoT security should still be a concern in both cases.

Prepare for Breaches & Establish Plans of Action

Before even considering the damage from a data breach, consider what can be done to prevent one in the first place. For IoT security, that begins with regular software updates. Since many IoT devices are difficult to patch and are also connected to other personal devices that hold far more sensitive data, being aware of every relevant vulnerability is a must, which in practice means keeping an inventory of the devices and firmware versions deployed and tracking the vulnerabilities published for them. So, too, is allocating enough time and resources to update all devices early and often. If there is a breach, there must be an established process for detecting it, notifying the supervisory authority (under the GDPR, without undue delay and where feasible within 72 hours of becoming aware of it), and informing the people affected. The administrative load for this process varies from organization to organization, but it is often best handled by a designated data protection officer.

These and other measures all contribute to not only better GDPR compliance, but also to more organized IoT security measures and more robust data management practices overall.  Though there are still many other important IoT factors to consider, establishing key protocols for collaboration, data collection, data storage and data security is a solid start.

To stay up to date on how GDPR affects technology, follow TechGDPR on Twitter.

GDPR Compliance: It's a Process, Not a Product
https://techgdpr.com/blog/gdpr-compliance-its-a-process-not-a-product/
Tue, 10 Jul 2018 10:09:33 +0000
GDPR compliance mandates can be tricky to interpret for companies handling advanced technology. For leaders in tech, it can be tempting to look at the new rules laid out by Europe's GDPR and seek a simple, one-size-fits-all solution to the problem of sustained compliance. As any good CISO will tell you, however, such solutions do not exist. Instead of approaching the GDPR as a box to tick, a hurdle to jump, or even an eloquent privacy agreement with an anxious little 'I agree' button at the bottom, it is best to see GDPR compliance for what it truly is: a process, not a product. The price of not doing so can threaten a company's competitive advantage as much as its ability to avoid fines, which under the GDPR can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.

The Current Perception

Evidence that perception shapes preparedness can be found everywhere. Given that the GDPR is so often presented in the form of regulatory horror stories, it is perhaps little surprise that its rollout has caused many businesses to react with a mix of fear, frustration, and at times outright confusion. This mindset has already led to bad results. With half of affected companies predicted not to be fully GDPR compliant by the end of 2018, and 60% of affected US companies unprepared, it is painfully apparent that a fog of reluctance still hangs over the offices and meeting rooms of more than a few vulnerable firms. Treating the new mandates as something that can be cleaned up with a bit of legal paperwork and a few privacy policy updates is a mistake. In fact, practical measures for integrating the compliance process into daily operations will make businesses more competitive, not less.

The Scope of Work – Beyond Only Tech

Whether collecting user consent, appointing a DPO, or identifying sensitive data, this consultancy recognizes that each company has different needs in terms of GDPR compliance, and each case involves its own unique scope of work that must be identified. GDPR compliance is about tech, but it's not all about tech. When we first speak with companies, we look to understand several other important factors before diving into their use of technology. We first need to map out the scope of their compliance issues. Some companies are well on their way, but others have problems that go beyond the GDPR. In these cases, going through the compliance process can help with planning projects, communicating across teams, and measuring long-term success. If you can define and measure key performance indicators for data protection, you can manage GDPR compliance like any other process.

Regardless of company size, sector or current compliance needs, these are the four primary questions we ask ourselves as we begin providing support to the compliance processes of the companies we work with:

What has the company done before in service to data protection?

Does the company have methods in place to secure the privacy of their customers, or is data being collected without a consistent plan for what will be done with it later? Has the company considered the human, as well as the financial cost of data breaches? Do they have team members who understand, through lived experience, the security concerns of their customers? The more complete the answers to these questions, the more beneficial any risk assessment will be to the company.

[Abstract illustration created by Jesse van Mouwerik for TechGDPR.]

Is the company’s leadership willing and able to make necessary changes?

Data protection may require a change in business practices, and some team leads may not be at ease with the pace or direction of such changes. Data protection may necessitate changing vendors, hiring a Data Protection Officer, or spending time on training essential staff to meet new challenges. All of this costs time and money, which must be accounted for. Someone with the authority to devote resources to compliance needs to be willing, or else there will be significant delays to the compliance process.

What is the company’s management structure like?

What sort of project management processes have been adopted? Are there any processes in place to deal with time-sensitive issues? What are they? When employees spot problems, is there a defined process for reporting their concerns? How does the team usually respond? Companies that ignore critical vulnerability reports may be in for a shock when they read about the responsibilities of a Data Protection Officer, including acting as the point of contact for the Data Protection Authority, which must be notified of a personal data breach unless the breach is unlikely to result in a risk to the people affected, whether or not any customer has noticed an impact.

What role should software play?

Many companies may be familiar with a particular kind of software that they would like to use in order to keep their compliance protocols consistently monitored, maintained, and documented.  For these purposes, software can be fantastic. It can scan large systems of data, support project management goals, assist in data-mapping, and streamline certain administrative tasks. That being said, even the best programs cannot train your people, design your products, or configure your data collection practices to automate subject access requests. Here, human-led procedural oversight must be instituted. Software can enhance well-established compliance practices – not replace them.

[Abstract illustration created by Jesse van Mouwerik for TechGDPR.]

Continuing the Process

When it comes to GDPR compliance, perhaps the easiest thing to lose sight of is the fact that just like technology, the law is constantly evolving in response to people’s wants and needs.  Keeping a vigilant eye on existing procedures and being transparent to customers about data usage is something that any capable company should already be doing – even without the GDPR. But more must be done to maintain compliance through an ongoing process. As technologies reliant on Blockchain or Big Data continue to develop, so too must our understanding of how to implement compliance within new platforms and services.

At present, we must relegate thoughts of data protection as a one-time event to the cobwebbed catacombs of a pre-GDPR world. New laws outside of Europe demonstrate that the public demand for privacy isn’t going anywhere. Companies that rise to the occasion and recognize GDPR compliance as an ongoing process in service to their customers rather than a patchwork appeasement product for regulators will have everything to gain. It appears no agree button can offer that yet.

To stay up to date on how GDPR affects technology, follow TechGDPR on Twitter.

GDPR's Big Issue with Big Data
https://techgdpr.com/blog/gdprs-big-issue-with-big-data/
Fri, 06 Jul 2018 14:19:59 +0000
Understanding how Big Data is regulated by the EU is no easy task. Generally speaking, the European Union's General Data Protection Regulation (GDPR) is having a major impact on an array of different businesses worldwide, or at least on the majority who agree that continuing to do business within one of the world's largest economic blocs is a wise choice. Most companies, big and small, are affected in some form, but perhaps none more severely than those working with 'disruptive' technologies such as Big Data, AI, IoT, and Blockchain. As for Big Data, there are many ways in which companies can vastly improve their compliance, but the first step is knowing more about the rules that most significantly affect your company's advanced technology.

Data and the Problem of Purpose

Few things are likely to make a bigger impact on GDPR compliance than purpose limitation. Purpose limitation is one of the principles set out in Article 5 of the GDPR. It requires that personal data be collected only for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes. Together with the related storage limitation principle, it also means that once there is no longer a legitimate purpose for holding the data, the company is obliged to stop processing it. Designed to promote trust and limit abuse by those who handle personal data, this principle represents a sizable effort to protect data subjects. It is also, to the horror of many data-dependent ventures, painfully vague.

Such vague wording is not good news for those fighting to stay afloat in the already hyper-competitive markets for products that rely on what the world increasingly calls 'big' data. Big Data in this sense describes the process of collecting and analyzing vast amounts of data from various sources, including personal data and 'sensitive data' (what the GDPR calls special categories of personal data). This, too, is a rather vague definition if you are concerned about compliance, and one that will be hard to pin down without further legal context, context that will ultimately come from how the GDPR is actually enforced in the coming months and years.

The Opportunity Cost

In the meantime, the potential cost to innovation in the form of fines on forward-thinking (but non-compliant) tech companies is hard to overstate. Larger still could be the opportunity costs faced by corporations, or even entire economies, if they are not able to capitalize realistically on the innovations that big data enables. This is especially the case when looking at the advances in productivity that good data analytics can inform. As many already know, big data is regularly used alongside data analytics, which reviews large volumes of data in a short amount of time. Such technology is already helping companies and research institutions around the world make remarkable gains in the speed and quality of their work, a process that, for obvious reasons, one hopes even the most hawkish regulator would not want to hinder.

The stakes are also highest for the firms that have been most effective at digging opportunities out of big data and the many technologies that orbit it. Advances in capturing the most value from data analytics have been uneven between public and private institutions, as well as among different industries. Retailers, for example, fare far better than the EU public sector or US healthcare at making the most of the data in their possession. This may be partly due to retail's need to keep up with fickle shoppers and to public institutions' more siloed data between departments, but what is clear is that the institutions that have benefited most from new technology also know that they are the ones with the most to lose should their use of it be hindered. The cost of a GDPR violation is high enough, but being slowed down by the process of collecting consent from vast numbers of people is no cheap affair either.

Plenty to collect

Startups, too, with fewer resources for compliance, could also suffer. Big corporations may have more numbers to crunch, but they also have more manpower and connections to get them through it. Smaller, more innovative companies are not just trying to keep up with marketplaces throughout Europe and beyond, but to redefine them. Big data regularly informs the development of better business models, better ad-targeting measures, and various cost-cutting practices across an array of industries. The potential cost to corporate profits in nearly every industry is astoundingly high, even for slow adoption, let alone for not adopting certain technologies at all. Still, for all of the risks to business that purpose limitation poses, a GDPR-compliant startup or corporation is in a far better position to seize big data's blooming opportunities than one that is not.

A Data-Driven Path to Compliance

For all of the risks to innovation and potential headaches posed by the sometimes clumsy fist of regulatory enforcement, it must be noted that the principle of purpose limitation does not prohibit processing big data. A company may keep processing personal data as long as it has a lawful basis for doing so, for example because the data is necessary to provide the service the data subject has asked for, or because the data subject has consented to the processing. Where the purpose changes, the GDPR (Article 6(4)) allows further processing if the new purpose is compatible with the one the data was collected for, or if the data subject consents to it. In that sense, authorization from the person giving away their data can ensure that the data may go on being processed even when the original purpose for its collection no longer applies.

It must also be stated that purpose limitation will likely do much to help data subjects, so that their personal data is not processed for purposes they were never told about. But the problems it puts on firms' backs are not to be underestimated. Companies that deal with big data analytics must check whether the data they process is being processed for the same reason for which it was collected in the first place, which is no easy task even for companies with modest amounts of data. If it is not, they must establish a compatible purpose or obtain fresh consent from their data subjects, which is also tedious.

Perhaps most important to note is that this process, however painful, also has the potential to inspire more comprehensive regulatory enforcement.  The way in which the GDPR is interpreted and enforced within the sophisticated and ever-changing ecosystem of data-driven business models will certainly evolve. Staying engaged by keeping tabs on advances in technology as they overlap with changes in regulation is especially important. So too is ensuring that you have technical and legal protocols in place to respond to change when it comes.  Taking these and other measures will ensure not only that you reach a reliable level of GDPR compliance, but also remain there.

To learn more about data privacy and the GDPR, follow us on Twitter
