Data Pro­tection and the Environment

Finally, it is 2018 ­­­­­– a year to be heavily impacted by the EU General Data Protection Regulation (GDPR). What may feel like a revolution, was in fact called a reform when the the EU Commission announced the first GDPR proposal in 2012. Nothing has changed overnight, but accompanied by regular news of data breaches and activists like Snowden, information privacy has certainly gained some traction since then. Now, I’d say we have a working climate for data protection and privacy in place.

Regulation helps reducing environmental pollution, and will similarly limit dirty personal data processing.

And talking about climate makes me think about our environment, literally. Just consider how much activism, regulation and expertise is required to make a healthy life on planet Earth viable for a growing population. Progress has been slow, at least compared to technological developments. Over time, there has been a few dirty factories and vehicles polluting the planet. Disasters with nuclear waste and oil spills have ruined life for millions of creatures.

Similar to polluting industry, there are quite a few dirty data controllers and processors around. The world has seen a few privacy disasters already, with hundreds of millions of individuals getting their personal data exposed through some data breach. While the consequences of these are not comparable to health issues and death, the economy for personal data has been growing exponentially and uncontrolled. The problem is that we as individuals cannot foresee what consequences lie ahead of us, say in five or 50 years from now. Without enforced regulation, these data will simply pile up like toxic waste, and one day lead to problems bigger than ever imagined.

In 1987, the Brundtland commission of the United Nations published “Our Common Future“. The report had significant impact, because it linked sustainability directly with economic growth. Environmental protection should no longer be just for the sake of protection and idealism, but because it would also be the most economically compelling thing to do. In parallell, new regulations would bring taxes and fines to provide industry incentives to reduce or secure toxic waste, and little would probably happen without them. Today, green technology is finally starting to become mainstream, and few would argue that Tesla cars are anything less of a great car than a traditional Audi (or whatever you prefer). Still, few people risked buying them until regulators came up with additional support like tax discounts and free parking (in Norway, at least).

With new regulations, companies finally have incentives to reduce and secure personal data. Personal data minimisation will become the new norm, when considering the cost of liability from accumulating personal data. Although this brings stark contrast to the big data and data maximisation trend, the GDPR has raised the bar for sustainable solutions: If you cannot comply, you’re not allowed to play.

My data protection career started back in 2010, on a project to design a privacy friendly system for sharing patient status information in hospitals. The prototype and privacy features were well received by end-users, but there was little incentive from procurers to proceed with implementing it. In 2012, my industry conference talk (in Norwegian) about the system’s data protection design attracted the sheer amount of 15 people. Last month, in comparison, I spoke at a similar health conference to over 300 people in a plenary session. Moreover, I’ll be lecturing about privacy by design to master’s degree engineering students at NTNU this semester.

I’ve also recently engaged with a company who wants to use data privacy as a competitive feature (and others are showing interest, too). Ever since its first draft, the GDPR has included a dedicated article about data protection by design and default. And when this finally comes into full force, I believe that privacy at last can become a differentiating factor for systems and vendors. Not just because we have to, but because it is the most compelling thing to do – even financially. And it is possible because of a working climate to make long term priorities.

Now, who wants to drive the Tesla of sustainable personal data processing?


PS: Want to learn more about data protection by design and default, and GDPR article 25? Send an email to [email protected], and my company Secure Practice can get you going.