Maybe you have noticed it. Privacy is an issue. A bit strange, since there is only 1 day left until the new EU General Data Protection Regulation (GDPR) becomes fully enforceable throughout the European Union. So before the end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. So will the enormous amounts of privacy breaches be over? Will all privacy and freedom fighters celebrate 25 May 2018 as the beginning of a new era?
Just as enormous oil usage leads to global warming, the current way personal data is used leads to social cooling. Social cooling has long-term negative effects on the way we humans behave and how societies develop. We are continuously watched by cameras, and almost everything we communicate digitally is analyzed, stored forever and sold to marketing companies worldwide. Protecting your own privacy as an individual is very hard, if not impossible. This is because, besides private companies like Failbook and Microsoft, almost every government is inspecting every bit of your digital communication. And of course: Chinese people look happy with their smartphones, but would you complain openly against your government in a country without respect for human rights?
Storing personal information for too long is waiting for a disaster that is going to happen. This applies to governmental organisations and private organisations where too much data is stored centrally. Data breaches happen daily, in too many places to keep count of. Only in very rare cases is a data breach:
- Noticed and acted upon in a decent manner.
- Communicated transparently and publicly.
- Reported to the local governmental privacy authority, which has already been a legal obligation for many years in all countries.
The list of publicly known data breaches is far too long. Despite the new GDPR it is not likely that the number of data breaches will decline. Creating systems based on privacy-by-design principles is hard. When private data is processed it is impossible, with current IT technology, to fully protect that data. This holds even if you focus not only on technical measures, but also on clear business procedures and very strong physical protection (e.g. the USA NSA building). The weakest parts are humans, with or without good intentions. As long as companies do not comply with privacy laws or constitutions that preserve freedom for people, we need whistleblowers. Edward Snowden paid a high price to raise awareness of privacy for us all, and still more action is needed.
With the GDPR there is no need for hysteria for your business. At least not when you are open and transparent about what personal data you collect, how you handle it and whether there is a real need for it. If you do not process any personal information at all, you are fine. Asking permission of users in advance in vague legal terms will not do any more. You must be very clear in advance. The GDPR allows private individuals to contact their regulators to complain when you, as business owner, decide to ignore their requests for openness on how you handle and protect their private data. EU privacy authorities will not issue more fines than under the current privacy laws. Companies will first be warned that they are not acting in compliance with the new GDPR law.
To really do something against a company as a private individual, you need to get your local privacy protection authority into action. The local privacy authorities will function as a clearing house. Since the track record of these governmental organisations regarding protecting the privacy of their citizens is bad, you should use other ways to increase awareness of protecting your private data at the companies you work with. Taking action is simple.
A number of trivial options are, for example:
- Do ask for real openness on how a company handles private data. Do not accept vague information anymore. Pay especially close attention to the other companies that a company uses for providing IT services.
- Stop using services of companies that do not respect your privacy. There are plenty of alternatives in most cases.
- If you are an IT architect do start with improving your IT landscape using privacy-by-design principles and proven patterns.
- Support the Electronic Frontier Foundation (EFF) actions and use a privacy-friendly browser, e.g. Mozilla.
- Create an open solution architecture for your IT systems and make use of the Open Reference Architecture for Security and Privacy.
The GDPR is a complex, long, vague and boring document. However, creating systems with the use of a good security and privacy architecture is fun and results in lower costs and business risks! This blog post will be added (after a rewrite) as an extension of the ‘Open Reference Architecture for Security and Privacy’. We are working on a renewed version. Please join us!