If you’ve not been trying to provide protection and security for people’s personal data over the past couple of decades, this is a very reasonable question to ask. The answer is simple: attitude and technology, but it requires explanation.
Regular visitors to the ICO’s website will be familiar with the periodic announcements of who they have investigated and prosecuted for data breaches of various kinds. This site often gives more detail, and certainly more reliable reporting, than is seen in the mainstream press. There is a troubling list of those who have, through negligence, indifference, incompetence or malevolence, released or not prevented improper access to personal data entrusted to their care by their customers, patients or partner businesses. Reports show that many breaches went unnoticed, or the data controllers decided that they would try to conceal the breach. Hence one key problem that GDPR is seeking to solve is that of attitude, regardless of whether the personal data is held with consent or under some other legal basis. Speaking with a barrister about data protection a while ago I was surprised to be told that data breaches are inevitable and so paying the fines is merely part of “the cost of doing business”. Equifax and others tried to conceal the massive hack of personal data from their systems, presumably fearing the headlines that were inevitable once the breach became public. These are merely examples of the attitude that the EU lawmakers are seeking to correct in imposing potentially business-busting fines for non-compliance. Data breaches may be inevitable, but we should be making every effort to prevent them. Ask anyone whose stolen identity has been used about the level of pain (and inconvenience) they suffered, and you get a sense of why lawmakers think this is worthwhile legislation.
The personal data we are increasingly being asked to allow organisations to use in their efforts to support us is becoming more personal. Most of us have a sense of privacy, and few of us want our own and our family’s personal data to be public information. It’s only certain TV show houses where all the activities in all the rooms are exposed to the public, and even then there’s a level of “decency”. If a password is compromised it is quite simple to change it. Voice ID used by banks, fingerprint readers used for unlocking smartphones, for door access or for library lending, face recognition, iris scanning, and other biometric authentication methods are very clever and enable us to be identified uniquely on the planet. However, unlike passwords these cannot, realistically, be changed. Therefore, such data needs to be protected with great care. Whilst different organisations will use different algorithms to identify biometric data, there are limited ways in which such data can be extracted and stored, and the release of such data immediately has a potentially life-long effect on the individual’s ability to maintain their own identity. This is the technology problem that GDPR seeks to address, in part using security technology, but also by better data management discipline to provide security.
When reading the GDPR (not a recommended pastime!), the desire to push change in attitudes and in the use of technology can be seen clearly throughout.