GDPR – Dataconomy (https://dataconomy.ru): Bridging the gap between technology and business

Hard truths about data sustainability amidst the big data craze
https://dataconomy.ru/2022/05/31/hard-truths-about-the-data-sustainability-amidst-the-big-data-craze/, Tue, 31 May 2022

Uncontrolled data collection and storage have economic, ecologic, and social drawbacks. And the solution to those challenges is data sustainability!

Be careful what you wish for

Our digital world is built on data. The adage of recent years was that the more data you collect, the better. After all, “Big Data” promises a glittering treasure trove that can improve profits and innovation. However, it is not enough to gather data; you must also analyze it, understand it and derive insights from it.

Data volumes are exploding, making it increasingly difficult for businesses and institutions to handle or analyze the data they have. According to research by Splunk, 57 percent of business and IT professionals say that the amount of data is increasing at such a breakneck speed that their organization can no longer keep up. It’s time to rethink, and the solution is to think long-term. What approach should we take?

The answer is long-term sustainability.

You might be thinking to yourself, “Sustainability? Isn’t that something about environmental protection?” Yes, you are correct, but we’re talking about economically oriented sustainability here. It is not about generating profits and investing in environmental and social projects; it’s about generating profits in an ecologically and socially acceptable way.

So, when it comes to data sustainability, there are a few things to consider, which we shall explore in greater detail below:

  • the economic aspect,
  • the ecological aspect,
  • the social aspect.

The uncontrolled collection and storage of data cause high costs and data protection troubles

It is an expensive hobby to collect all the data you can

Data collection and storage carry many costs, most of which we are unaware of. Before we get into the specifics of those costs, here are some quick definitions to help you. Data can be categorized into three types: business-critical data (clean data), ROT data, and dark data:

  • Business-critical data is information that is critical to a company’s financial stability and development. It is data that is actually used, hence the name “clean data.” It accounts for 14% of the total.
  • ROT stands for “redundant, obsolete, and trivial data.” ROT data accounts for 32%: information that exists in multiple copies or is otherwise no longer needed, and is therefore worthless.
  • Dark data is unclassified data, or data that has gone unused for so long that its content and usefulness are unknown. This group’s share is growing rapidly and stood at 54% as recently as last year.

Data storage and management are both costly and time-consuming, as the following example shows: a firm with only 250 terabytes of data must spend around $1.25 million each year on data storage. This breaks down as follows:

  • $175,000 to store clean data (14%)
  • $400,000 to store ROT data (32%)
  • $675,000 to store dark data (54%)

As a reminder, only clean data is important for the company’s survival; the rest is – excuse the pun – a waste of money. Cost is not the only issue, though. The assumed 250 terabytes represent roughly 580 million files. According to the statistics, more than half of these files, or just over 300 million, are entirely unknown to the enterprise. Many of these files contain sensitive personal information, which also makes them relevant under the GDPR…


The social aspect of data

According to the Splunk poll cited above, 80% of CEOs consider data a key success indicator. This is also reflected in the cost of data. However, the only ones left out of this trade are us, the data producers. We can use services and platforms that are supposedly free, but the price we pay for them is our data, in a non-transparent setting. We, the users, have lost control of our data, and we are frequently unaware of the ramifications because the consequences are typically indirect. As a result, our privacy is violated every so often by some company to which we handed our data in exchange for a service or a product.

An expensive hobby fueled by CO2

The amount of data collected and stored is increasing at an accelerated pace. Every year, the amount of data worldwide grows by about 27%, according to IWD. To put that volume into perspective: one zettabyte is the equivalent of a billion terabytes. A 90-minute film in standard quality requires 500 megabytes of storage, so a zettabyte is equal to 2 trillion films…

The IWD predicts that worldwide data volume will reach 175 zettabytes in 2025. This enormous amount of data presents us with a further problem: the energy that data centers require means producing vast amounts of CO2.

The uncontrolled collection and storage of data is an ecological mistake

From 2010 to 2021, the energy consumption of German data centers rose by 15% to 12 billion kWh/a, or approximately 2% of Germany’s total electricity use, and the growth is accelerating: by 2025, electricity consumption is expected to be around 16.4 billion kWh/a. Remember that dark data accounts for over 50% of the data behind this statistic.

According to projections, the global energy demand for storing dark data in 2020 resulted in the emission of 5.8 million tonnes of carbon dioxide. That is as much CO2 as a car would discharge driving around the globe 575,000 times.

Data sustainability as an image factor

Why collect data that you do not need or cannot use? Why should the GDPR be considered a cost center rather than a competitive advantage with which you can credibly improve your image? This is an enormous opportunity for European businesses, because the valuable resource is not the data itself but the insights that can be drawn from it.

Instead of collecting all the data two and three times over on central servers and analyzing it there with algorithms, it would be much cheaper and more effective to send the algorithms to where the data is stored. I can almost hear you asking how. The answer is deceptively simple: we can explore data right there on the spot with the supercomputers in our pockets, our smartphones. Thanks to a decentralized architecture, we can analyze information directly on any end device, cutting down on data movement while extracting more insight.


The uncontrolled collection and storage of data have many disadvantages. At the same time, data is essential to our society, so doing without it is not an option. What is the alternative, then?

That is where we, polypoly, come in with the polyPod. It is GDPR as technology: built by us, a data cooperative owned by European citizens, to give people more control over their personal information. The polyPod makes sense because only the precise information that is actually required is retrieved, rather than the raw data itself. The savings potential is significant!

The knowledge generated by the polyPod can be used to improve productivity, safety, and security. The polyPod is environmentally beneficial because it reduces CO2 emissions; the CO2 savings potential is not overwhelming, but it is still significant. The polyPod is also social, since it generates a digital income for citizens. When the algorithms arrive at the end devices, users decide who gets access to their machine’s computing power and insights. Thus we create data sustainability while making data visible and meaningful and keeping users happy!

Why data privacy by design is essential for getting ahead of the game
https://dataconomy.ru/2021/06/11/why-data-privacy-by-design-essential/, Fri, 11 Jun 2021

The EU’s GDPR renewed the data industry’s focus on user privacy, but new regulations are, in fact, a staple of the ebbing and flowing digital landscape. Although businesses are seeking new processes in response to current privacy laws, it pays more to stay ahead of the curve. 

Changing regulations are always around the corner, so to maximize time and resources, organizations can adopt data privacy by design (DPBD). The DPBD framework, published in 2009, proactively ensures business operations are built with privacy in mind.

Today, companies can build minimal, transparent, and consistent systems that enable them to leverage data while safeguarding user privacy. Here’s how DPBD streamlines the way to future-proofing compliance, generating stronger business and product outcomes, and establishing trust from partners and customers. 

The building blocks of privacy 

Online users give off data with each action, interaction, and even inaction. This is valuable to marketers, media owners on the open web, and, when this data is used transparently and for its intended purpose, consumers. All parties stand to gain from a stronger advertising experience, so how does DPBD allow businesses to safely make the most of data?

DPBD supports a holistic approach to data that can be applied to industry players across the ecosystem. Its principles include:

  • Collection limitation – By minimizing the amount of data they gather, organizations can reduce the risk of breaching privacy laws. Additionally, users must have a clear choice to opt out of data collection.
  • Data quality – Focusing on data quality enables businesses to efficiently determine what information they truly need to drive results.
  • Purpose specification – Identify from the outset how data will be used, to guarantee fair usage and productive outcomes.
  • Use limitation – Businesses need a clear understanding of how data can be used throughout their operations, and specifying limitations shapes data practices. 
  • Security safeguards – One example of this is checking how data has been anonymized, pseudonymized, and encrypted and evaluating operations and enterprise measures to minimize breach, leakage, or other unintended intrusions. 
  • Openness – Transparency is no longer a nice-to-have; it’s a necessity. Knowing a data segment inside and out supports businesses in leveraging it safely.
  • Individual participation – What inquiries can be made about the data? Just as consumers need control over their information, companies also need a view of what data they use. 
  • Accountability – When asked, can a company identify what the data is, where it is, and ensure it can be amended or deleted? 

Altogether, these principles define how a business ingests, processes, and outputs data. Most importantly, DPBD constructs a malleable architecture that can be easily adapted as needs change over time. 

What are the considerations of the DPBD system architecture?

To put DPBD into practice and build sustainable data flows, organizations must monitor how data enters their company. For instance, businesses should ask: what commercial product requires this data? Are there any characteristics that make this data sensitive or unique? When handling sensitive data, it is vital to implement security controls that ensure it is stored securely.

Furthermore, businesses should be aware of what data is truly necessary for their products and which data sets may or may not be combined, so as to reduce unintentional use. By answering these questions, companies evaluate not only a product’s commercial viability but also how end-users will receive it.

The importance of future-proofing

The best approach to take when future-proofing compliance can be summarized with Wayne Gretzky’s famous quote, “skate to where the puck is going, not where it has been.” If a company’s systems are built for data privacy as it stands today, they will quickly become redundant. Put succinctly: the data industry keeps transforming, even independently of the ongoing regulatory changes, and DPBD offers a way to stay ahead of those changes and to improve systems when change does occur.

To illustrate, the principle of data minimization future-proofs value. A big data footprint comes with the risk of big problems, but taking in as little information as possible produces a smaller footprint with built-in compliance. Delivering the most effective product with the least amount of data mitigates the impact of new regulations, whatever they may be. With a robust and consistent architecture, businesses can proactively sustain the value of their offerings and ensure agile, compliant data practices.

Building trust for partners and customers

Trust is founded on shared business values and, of course, results. Identifying use cases early on clarifies the core purpose of a company’s product, alongside how data should be used to achieve this. Organizations can then open discussions around data flows across departments, which facilitates more productive decision-making and stronger outcomes. 

Take device graphs as an example: a method companies use to connect an individual’s behavior across all of their preferred devices. To increase a graph’s accuracy, it can be tempting to incorporate a broad range of data points, such as behavioral information from multiple sources, and tie these actions to real people rather than just looking at the traffic being generated. Doing so, however, creates a high-risk proposition. As an alternative, businesses can look at the key factors that, at a minimal level, facilitate data matching without ingesting or ascribing additional information beyond the initial purpose of connecting behaviors. By keeping a clear focus on the graph’s purpose – in this case, to match behaviors across devices – companies can support effective ad targeting in a way that is privacy-safe.

DPBD principles are more than an ideology – they guide tangible actions that all businesses can take to protect data privacy. Building them into operational workflows creates a consistent, long-term approach to establishing end-to-end compliance. Businesses must put in the hard work upfront to achieve data minimization, accountability, and ongoing trust. Only then can they walk the walk and preserve data privacy in the years ahead. 

International Data Privacy Day and an important reminder of our obligations
https://dataconomy.ru/2021/01/25/international-data-privacy-day-reminder-obligations/, Mon, 25 Jan 2021

International Data Privacy Day is almost here. January 28 is a chance for all of us to raise awareness, remind ourselves of our commitments to data privacy, and ensure we know data protection best practices.

Data privacy (sometimes called “information privacy”) is a subset of data protection that deals with the proper and correct handling of data with a strong focus on compliance with data protection regulations.

Therefore, the focus is on how data should be collected, stored, managed, and shared with any third parties and compliance with the applicable laws and regulations (such as CCPA or GDPR).

While linked to data security, it is not the same thing. Data security is concerned with the measures you take to prevent unauthorized third-party access to the data you are storing.

Data privacy laws

According to the UN, 128 out of 194 countries have passed legislation to secure data and privacy protection. A further 10 percent of countries have drafted legislation, while 19 percent have no legislation at all.

Familiarizing yourself with the applicable data privacy laws that affect you – usually your server’s location and the location of those you are collecting data from – is important. The UN’s tracker makes it easy to see what bills have been passed in each location.

GDPR, for example, applies to any company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed, or to any company established outside the EU that is offering goods or services (paid or for free) to EU citizens or is monitoring the behavior of individuals in the EU.

That’s important to remember, and it means that you need to keep abreast of your obligations regarding several different laws. While most companies will need to comply with at least GDPR and CCPA, staying compliant with the likes of PIPEDA (Canada’s data privacy legislation) and other major laws is important.

Data privacy prerequisites

Keeping on top of all of those regulations sounds daunting, but some basic prerequisites will ensure you stay on the right side of all legislation.

Beyond the requirement to keep up with the latest data privacy regulations, there are two other key elements to focus on.

One is the right of an individual to be left alone and retain control over their personal data. The second element is the necessary procedures for properly handling, processing, collecting, and sharing personal data.

The first element reminds us that, as an organization, you are only borrowing the personal data of the individuals whose data you process. Remember: you do not own this information.

Individuals, therefore, should always have the right to be forgotten.

An important part of data privacy is therefore transparency. Show, by openly communicating with your clients and potential customers, what you collect, why, how and where you will process that data, and whether or not third parties are involved (and obtain permission for that transfer).

The good news is that transparency breeds trust, and trust is crucial to gaining a customer and keeping them. Salesforce’s State of the Connected Customer reports showed a big shift in the need for trust between 2018 and 2019. In the 2019 report, 73% of customers say companies’ trustworthiness matters more than it did a year ago, and 54% say it’s harder than ever for a company to earn their trust.

In its 2020 report, Salesforce states that nearly half of customers have stopped buying from companies because of privacy concerns.

Transparency, trust, and the ability to communicate exactly what you are doing and how you will respond to consumer requests will not only keep you on the right side of data privacy legislation; they will give you a competitive advantage.

Data privacy tools

Of course, you don’t have to navigate data privacy alone. There is an ever-growing number of data privacy management, consent management, and data subject access request (DSAR) platforms available that help to keep you up-to-date and compliant.

Also, a simple search will deliver an almost infinite number of data privacy consulting firms. Of course, do all of your due diligence, and make sure you read independent customer reviews before engaging with an agency.

But the message here is clear. On this International Data Privacy Day, you’re not alone. Despite the enormity of the problem and the complexity of the solution, you can rest assured that the knowledge you need, the tools to help you, and the people that can assist are available to ensure you get it right.

Data Monetization in a Pro-Privacy World
https://dataconomy.ru/2019/08/27/data-monetization-in-a-pro-privacy-world/, Tue, 27 Aug 2019

For more than a decade, some of the most successful companies on earth have made their riches by mining user data and selling it to advertisers. The big question is whether this will remain a sustainable business model under ever-mounting scrutiny of data privacy and, if not, what the alternative is.

Many say the Cambridge Analytica scandal sparked a great data awakening by bringing to light the ways in which some companies were amassing and monetizing personal data about their users. As a result, Facebook was recently slapped with a record $5 billion fine and new privacy checks following a year-long probe by US regulators into the Cambridge Analytica scandal and other data privacy breaches.

As The Verge pointed out though, Facebook had previously settled similar charges in 2011, but such slaps on the wrist don’t seem to be an effective deterrent. While a $5 billion fine sounds highly punitive, many in the industry doubt that this would solve the privacy problem overnight. (Especially when you consider that Facebook made $22 billion in profit alone last year.)

This isn’t a problem that is exclusive to the giants of Silicon Valley. In Europe, hefty fines have also recently been meted out to British Airways and Marriott for data breaches. As data protection complaints have doubled year-on-year, regulators will be getting tougher on companies to ensure their compliance with GDPR (General Data Protection Regulation).

Meanwhile, GDPR has driven a global movement as governments outside the EU, from Australia to Brazil, are set to introduce similar data protection regulations. The GDPR policy has helped to create greater awareness about data protection among the masses. The European Commission’s March 2019 Eurobarometer survey showed that about 67% of European citizens surveyed are aware of GDPR.

The convergence of a compliance culture within organizations, stricter data privacy regulations globally, and consumers becoming more aware of their rights will continue to have a huge impact on businesses that profit from personal data, and even any business which collects it.

The situation demands urgency as the stakes have never been higher. According to a report by Gartner, by 2020, personal data will represent the largest area of privacy risk for 70% of organizations, up from 10% in 2018.

Monetizing Data While Maximizing Privacy

Better privacy for individuals doesn’t mean it’s bad for business. On the contrary, companies can use this opportunity to establish trust with customers while becoming more thoughtful and innovative about their approach to data monetization.

Here are the three key factors organizations need to know about monetizing their data while respecting privacy and complying with regulations: 

  1. Your business data could be valuable to those you might not have thought of…

    For many firms, data monetization has been inextricably linked with the personal data of their customers. However, they could be collecting, generating or archiving other types of non-personal data that could be valuable to certain end users. This is so-called alternative data, which may even be overlooked by the business handling it.

    In fact, there are many use cases for such alternative data in the world of investing, where every bit of timely information helps to gain an edge. This is where anonymized and aggregated data matters most and personally identifiable information has zero value. What matters to economists and asset managers is how many soft drinks Coca-Cola is selling across Europe this quarter, not whether John Doe bought a Coke. The focus is never on the who but on the what and how much.

  2. Technology has made it easier to extract the needle from the haystack…
    Most companies have more data than they know what to do with. Forrester reported that, on average, between 60% and 73% of all data within an enterprise goes unused. But new tools and technologies have made it easier to mine and process huge amounts of raw data into insights. These insights could serve as timely intelligence for those in other sectors, such as economists, analysts or investors looking to identify patterns and trends.

    Valuable or insightful data is simply good-quality data. And while data is always described as one of the most valuable enterprise assets, it’s not often treated like one. In order for firms to unlock the full power of data, they need to approach it as thoughtfully as any traditional asset. They will need to carefully consider issues like data architecture management and data quality management. If data is not their core business, then they need to find the right tech partners to ensure their data meets standards that enable the generation of insights.

  3. Aggregation and enrichment of data make it more valuable…
    Your company’s raw data by itself can be one-dimensional. But integrating data from different companies and sectors can provide a more complete and nuanced picture.

    For instance, a firm working with vendors across the country might have data on national beverage sales. It could track these sales and provide additional insights back to the vendors as a value-add to help them improve sales and promotions. The company could also share this data with beverage brands so they can fine-tune and optimize marketing by city. This would allow the company to monetize its data and open up a new revenue stream without ever sharing any sensitive information that would jeopardize its relationship with customers.

    When information is provided in an aggregated form, it’s a safe and secure way of delivering an exceptional level of insight without compromising privacy. It allows economic, social and commercial questions to be answered without revealing any individual’s details.

The growing focus on privacy doesn’t mean data monetization has been taken off the table. Data will always be an important and valuable asset for any organization, but it needs to be harnessed with full respect for individuals’ right to privacy.

One year of GDPR: What has changed or what hasn’t?
https://dataconomy.ru/2019/05/29/one-year-of-gpr-what-has-changed-or-what-hasnt/, Wed, 29 May 2019

Was this a transition year for data protection? How much were the fines collected in the first year of GDPR? What regulations have been enforced so far? Here is all you want to know about GDPR, after a year of its implementation.  

In January 2012 the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. After years of debate and preparation, the result was the General Data Protection Regulation (GDPR). Approved by the European Parliament in April 2016, the legislation came into force across the European Union on 25 May 2018 and recently completed its first year.

Reshaping how personal data is handled and raising awareness

This regulation is aimed at fundamentally reshaping the way personal data is handled across every sector in Europe. One year later, we can clearly see that it has raised professionals’ and individuals’ awareness of data protection issues. The regulation gave individuals extensive new powers over how their data is controlled. For example, data subjects can demand that organisations tell them how their data are used and ask them to erase their data (the “right to be forgotten”), and the fines for non-compliance were increased significantly.

According to the Eurobarometer of March 2019, the increase in queries and complaints confirms the rise in awareness of data protection rights among individuals. Indeed, 67% of EU citizens polled indicated that they have heard of the GDPR, and 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. According to the European Commission, this is an increase of 20 percentage points compared with the 2015 Eurobarometer results.

How has the GDPR been enforced so far?

On February 26, 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR.

According to this report, cooperation mechanisms among national data protection authorities have intensified. Between May 2018 and February 2019, 444 mutual assistance requests, both formal and informal, were triggered by Data Protection Authorities (DPAs) from 18 different EEA countries. Furthermore, 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries; 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalised. These cases mainly concern the exercise of individual rights, consumer rights and data breaches. The EDPB has adopted 28 consistency opinions regarding the national lists of processing operations subject to a data protection impact assessment.

DPAs from 31 EEA countries reported a total of 206,326 cases, including 94,266 complaints and 64,684 cases initiated on the basis of data breach notifications by controllers. 52% of these cases have been concluded, while 1% are being challenged before national courts. DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.

GDPR Cases in Year One

GDPR fines in the first year

Based on a 2018 complaint by the non-profit organisation NOYB (“None Of Your Business”), the French supervisory authority imposed the world’s stiffest privacy fine to date against Google. In January, the CNIL imposed a penalty of 50 million euros on the company over how it uses data for ad targeting, finding that it violated the GDPR principles of transparency, adequate information and valid consent regarding ads personalisation. While transparency about enforcement is limited and only some DPAs have published their results to date, some details for the different states in Germany are known:

GDPR Fines in Germany

As recently as May 21st 2019, a fine was imposed for breaches of the General Data Protection Regulation in Lithuania. The data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimisation, adequate security measures and data breach reporting requirements of the GDPR.

A transition year for data protection

By enhancing data protection we are protecting the fundamental rights and freedoms of the persons to whom that data relates. As the General Data Protection Regulation came into force only one year ago, improvements are being made to address the issues that companies and European citizens face in the day-to-day practice of data processing.

The EEA Supervisory Authorities have reported that they need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities in order to standardise and provide the best solutions to secure our data.

The first 12 months and looking forward

Looking back on the first 12 months of the EDPB's work, Andrea Jelinek, Chair of the EDPB, comments: "It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace."

The European Data Protection Board (EDPB) has adopted the framework of its 2019-2020 work programme and is willing to develop operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.

(This article was originally published at the TechGDPR website and the copyright lies with them.)

Are citizens prepared for the data implications of smart cities?
Published Wed, 24 Apr 2019 at https://dataconomy.ru/2019/04/24/are-citizens-prepared-for-the-data-implications-of-smart-cities/

What are the fears around data while exploring potential use cases to demonstrate the value for the ‘smart citizen’? Here is a look.

With the United Nations reporting that two-thirds (68%) of the world's population are expected to live in cities by 2050, scientists are seeking new and innovative ways to improve the quality of life in our urban jungles. With a recent death in the UK linked to illegal levels of air pollution, it's more important than ever to utilise technology that drives progress and innovates to develop a more sustainable future – creating smart cities.

However, with a large proportion (68%) of the UK public unclear about what a smart city is or the benefits it can bring, it’s obvious that further education is needed. In a post-GDPR world, citizens are increasingly aware of the vast amount of data being collected throughout their day-to-day activities. Once an understanding is established that these smart initiatives save time, money, and provide peace of mind, citizens will be more open to working with their government bodies to future-proof their communities.  

Getting smart about cities

With the aim to provide a more liveable and responsive environment, the smart city industry is projected to be worth $400 billion by 2020, Citywise reports. Underpinned by real-time data, truly smart cities understand how demand patterns change and are able to respond with faster, lower-cost solutions. Benefits from this approach include improvements to safety and congestion for efficient traffic management, healthcare advances from patient experience to data-driven public health interventions, and air-quality monitoring and energy-use optimisation to minimise environmental impact. All alongside further social connectedness and civic participation, new job opportunities provided through e-careers, as well as reduced cost of living thanks to improvements such as dynamic electricity pricing and usage tracking.

To provide these benefits, smart city initiatives must gather the relevant data from multiple sources. Sensors and beacons, communication networks, and open data portals – which can be introduced by city councils and governments to the existing infrastructure – are primary sources. For people management, smartphone data is invaluable in both gathering and providing instant information about transit, traffic, health services, safety alerts, and community news. Other sources include connected networks and devices – such as home-security systems, personal-alert devices, and lifestyle wearables – which offer value that many city stakeholders are willing to pay for. Mobility applications also provide greater value, thanks to the rise in popularity of e-hailing services like Uber and Lyft, and e-bikes or scooter schemes.

From byte to yotta

The benefits this data holds are visible through the deployment of connectivity resources available to many citizens now. But the data is held in several separate silos, each relating to a specific aspect of urban life. To improve the city as a whole and realise its smart potential, an interconnected data system is needed; one that integrates big data from multiple sources – state and citizen.

From traffic and pollution sensors to shared bike schemes, extreme amounts of data can already be collected, processed, and analysed in real time and at scale. However, to provide a truly holistic citywide view of these, a combination of multiple sources is needed. Once this is achieved, advancements such as improving the daily commute via smart-mobility applications can be implemented through networks of internet of things (IoT) sensors on physical assets. Real-time information can then be relayed via mobile apps or digital signage, enabling commuters to efficiently adapt their routes on the move.

This smart approach to modern cities also has an impact on crime levels, with a data-driven policing strategy utilising real-time mapping to cut emergency response times. For a population of five million, this could mean saving up to 300 lives per year. To protect the environment, citizens and cities can work together to optimise the use of finite resources. The use of sensors is particularly key for the environment: by identifying sources of pollution, cities can arm their citizens with real-time protective measures so they can make the best decisions for their health. This digital feedback loop also works for conserving water, with leaking pipes one of the biggest contributors to water waste. By collecting data on the health of city infrastructure and its surrounding areas, insights can be gleaned, for example, on soil moisture levels to identify the waterlogged environments that surround a leak.

Identifying a truly smart citizen

It’s not only about installing digital interfaces in traditional infrastructure or streamlining city operations. Smart cities are primarily opportunities to use technology and data purposefully to make better decisions, and deliver a better quality of life for citizens.

By establishing channels for two-way data communication that feeds into the data infrastructure, a truly smart city can respond more dynamically to how resource demand is changing. For this smart future to become a reality, governments and councils need a reliable big data source to base long- and short-term decisions on – to safeguard the future health of the urban ecosystem. Only once a holistic view of the city is achieved can stakeholders make the key decisions and positive changes needed to ensure the future sustainability of its metropolitan environment.

A Primer to GDPR, Blockchain, and the Seven Foundational Principles of Privacy by Design
Published Tue, 08 Jan 2019 at https://dataconomy.ru/2019/01/08/a-primer-to-gdpr-blockchain-and-the-seven-foundational-principles-of-privacy-by-design/


Throughout my ongoing meetings and conferences about the GDPR and how it relates to cutting-edge technologies, I encounter many ‘add-on’ privacy solutions such as ‘secure your Office 365’, ‘breach detection’ and ‘fix your network.’

Such options, which aim to patch privacy vulnerabilities as they arise, also have the secondary effect of demonstrating the importance of implementing privacy from the start. While some of these add-on options are essential in business environments, it is almost impossible to ensure all vulnerabilities have been repaired. But when privacy is by default and implemented from the start, it is much more likely to be effective. If we are talking about blockchain, the stakes are even higher. With blockchain, privacy by design is the only option. Since blockchains are immutable, there is no way to ‘fix’ things once data is out in the open, and the source code is public.

With the introduction of the GDPR, the concept of data protection by design and by default has been signed into law. It is no longer just great advice as outlined by Dr. Ann Cavoukian in the mid-1990s in Privacy by Design: The Seven Foundational Principles. Now these principles are also fully enforceable, and non-application may result in fines of the second highest level: up to €10 million or, when greater, 2% of worldwide turnover. Dr. Cavoukian, the former Privacy Commissioner of Ontario, Canada, continues to be a champion for privacy by design.

While we speak in general terms about privacy by design, the GDPR deals with the specifics of data protection, which I approach as a subset of privacy. Article 25(1) details the specifics of Data Protection by Design and Article 25(2) discusses Data Protection by Default.

The European Data Protection Supervisor has published Opinion 5/2018 on Privacy by Design, one of the first opinions published under the GDPR—again emphasising the importance of implementing privacy from the very beginning.

A Primer to GDPR, Blockchain, and the Seven Foundational Principles of Privacy by Design

From a high-level perspective, blockchain effectively enforces parts of the Privacy by Design framework, and practically leaves it as the only option. Due to the immutable nature of blockchain, there is simply no other way than to apply it from the very beginning. Protocol or dApp developers could face liability issues if this is not implemented correctly from the start.

The Seven Foundational Principles of Privacy by Design are:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Full Lifecycle Protection
  6. Visibility and Transparency — Keep it Open
  7. Respect for User Privacy — Keep it User-Centric

Analyzing each of these principles within the context of blockchain offers insight into the greatest challenges for blockchain in privacy by default and privacy by design.

1. Proactive, not Reactive; Preventative not Remedial

The GDPR defines “proactive privacy” in this way: “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures”.

The basics are easy – and really the only option for blockchain privacy. If you work with blockchain/DLT you can only be proactive, because if you are not, and personal data make it onto an immutable ledger, you can no longer comply with subjects’ rights.

But you will have to think this through to the end, and that can be challenging. If usage patterns or interaction can be linked back to a natural person, you should already be careful about having this information out in the open.

While encryption can bring a lot of advantages, you should still live under the assumption that it can be broken one day – and in the case of public ledgers, you will end up facing a problem.

2. Privacy as the Default Setting

The GDPR defines privacy by default as “implement[ing] appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.

Users often don’t understand the decisions they are being asked to make regarding their privacy. So it is important that when no action is taken by the user, the default option is the most privacy-friendly option, which collects only data needed for the legitimate purpose that has been explicitly defined. (Article 5(1)(b), purpose limitation).

For example, a private transaction within a cryptocurrency that can be revealed if the parties so desire is a much better option from a privacy point of view than one that is public but pseudonymised through a wallet address. Usage patterns, either now or in the future, may reveal (more) personal data than originally intended or foreseen.

While encryption is helpful, it should, as the GDPR and the guidance suggest, be seen as a technical measure to protect the data, and not as a way to anonymise it. Encryption algorithms may be broken in the future, at which point all encrypted data on a public ledger is indeed public: a major data breach.

3. Privacy Embedded into Design

The GDPR describes this in Article 25(1) in the following way: “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures”.

Privacy should be considered at the design stage, and be applied consistently throughout the product or service. Small flaws or overlooked points can have oversized bad outcomes, particularly in a blockchain environment. One should also look beyond the protocol or dApp itself: how do the other system layers impact users' privacy? Is additional information collected on another level, and can this be related back to a natural person or lead to singling out? To do this properly, all system layers should be evaluated.

4. Full Functionality — Positive-Sum, not Zero-Sum

The GDPR does not have specific requirements for this.

In blockchain, privacy and functionality can co-exist. Most implementations dealing with personal data will only store the verification on the blockchain, and keep other parts of information elsewhere. This way, there is no need for a trade-off between privacy and functionality. Innovation can still happen in a privacy-preserving regulatory environment, and the GDPR is no exception. Blockchain offers great possibilities for giving the data subjects full, uncompromised control without the need for personal data to live in central containers that are not only in the control of a single party, but are also vulnerable as high-reward attack targets.

Decentralized, blockchain-based self-sovereign identity solutions are a great example of increased privacy with a user experience that meets or exceeds current identity services. When privacy by design is applied, the supposed trade-off "if we want to live in a more secure world, we need to compromise our privacy" simply does not hold, and blockchain can actually be a great help in achieving both privacy and security.

5. End-to-End Security — Full Lifecycle Protection

The GDPR addresses this in Art. 17 (right to erasure) and Art. 5(1)(f) (integrity and confidentiality).

When using blockchain, it is easy to deliver on the integrity of the data. Blockchain is built on immutability and is therefore tamper-proof, so deletion can only be achieved by keeping a clearly breakable link between the ledger and any personal data. This means no information on the blockchain should be able to be re-linked to any personal data once the link is purposefully broken. To achieve this, the current best practice is storing only hash-proofs on the blockchain that include a secret piece of information that can be permanently deleted, or even better, using zero-knowledge proofs.

It should be emphasized that even a hash, if it can be reconstructed, could be considered personal data under certain circumstances, following the same reasoning as the judgment of the CJEU in Case 582/14, Patrick Breyer v. Germany.[1] This is not always the case, but in most cases this will not be known with certainty, so the hash should be assumed to be personal data if any doubt exists.

6. Visibility and Transparency — Keep it Open

The GDPR phrases this principle as "the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features" in Recital 78, and in Article 5(1)(a) ("lawfulness, fairness and transparency").

Blockchain is transparent by nature, so this principle should be easy to uphold. The recommendation of Privacy by Design is to verify that the business practices or technology involved are, in fact, operating according to the promises and objectives they have defined. Within public blockchain environments, not only the code, but also the data generated, is public and can be verified.

At times, blockchain can be a little too transparent: every participant in a public network can see everything. While this is a great feature for certain purposes, you also want to make sure not to store any personal data on a blockchain (a nuance applies here, as there are ways of storing pseudonymised data, but that's beyond the scope of this article).

7. Respect for User Privacy — Keep it User-Centric

In Recital 7, the GDPR states that, “Natural persons should have control of their own personal data.”

Operators and architects of blockchains should keep the data subject and their privacy in mind at all stages of designing and operating the system. This is particularly important at the start of any blockchain protocol design, as what has been stored on a blockchain is immutable and cannot be deleted or reversed in the future. Ideally, storing any sort of personal data on an 'immutable ledger' should be made difficult or actively discouraged, not only for privacy reasons but also because software developers could risk liability, as certain regulators are of the opinion that they could be seen as Data Processors under the GDPR.[2]

On the other hand, blockchain technology also has the ability to give users control over their personal data through self-sovereign identity systems. The user has control over where the data is stored, on their own device or elsewhere. This is protected against falsification by storing the third-party proofs (and no actual personal data) on the blockchain. This allows users to reveal their identity or only parts or proofs thereof to other parties of their choice.
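The hash-proof-with-deletable-secret pattern from principle 5 and the selective-disclosure point from principle 7, carried through as an added Python example; this is not code from the original paper or from any project it names. It assumes a random per-record secret held in a mutable off-chain store, HMAC-SHA256 as the commitment that is the only value written to the ledger, and a constructed date-of-birth record as the personal data. It also runs the re-linkability check behind the Breyer discussion over a constructed candidate set, to show that an unkeyed hash of a low-entropy record is recoverable while the keyed commitment is not, and that deleting the secret is what breaks the link for erasure.

```python
"""Commit-and-erase pattern for personal data next to an immutable ledger.

Added example, not code from the original article or any project it names.
Assumptions: a per-record random secret kept in a mutable off-chain store,
HMAC-SHA256 as the only thing written to the ledger, and a constructed
date-of-birth record standing in for personal data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample record: personal data that must never be written on-chain.
RECORD = b"date_of_birth=1984-03-12"


def new_secret() -> bytes:
    """Per-record 256-bit secret, generated and held off-chain (assumption)."""
    return secrets.token_bytes(32)


def commit(record: bytes, secret: bytes) -> str:
    """The ledger entry: HMAC-SHA256 keyed with the per-record secret.

    Without the secret the commitment cannot be matched against a guessed
    record, so destroying the secret permanently breaks the link to the person.
    """
    return hmac.new(secret, record, hashlib.sha256).hexdigest()


def verify(commitment: str, record: bytes, secret: bytes) -> bool:
    """Selective disclosure: the holder reveals record and secret to a party of
    their choice, who recomputes the commitment and compares it to the ledger."""
    return hmac.compare_digest(commitment, commit(record, secret))


class OffChainSecrets:
    """Mutable store of secrets keyed by commitment. Erasure (Art. 17) is
    implemented by deleting the secret; the on-chain commitment stays put
    but can no longer be linked to anyone."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def put(self, commitment: str, secret: bytes) -> None:
        self._secrets[commitment] = secret

    def get(self, commitment: str) -> Optional[bytes]:
        return self._secrets.get(commitment)

    def erase(self, commitment: str) -> None:
        self._secrets.pop(commitment, None)


def plain_hash(record: bytes) -> str:
    """Unkeyed SHA-256: the pattern the text warns is still personal data."""
    return hashlib.sha256(record).hexdigest()


def relinkable(digest: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """DPIA-style check: can a ledger digest be matched against a set of
    plausible records? Returns the matching record, or None. A match means
    the digest is reconstructible and therefore personal data (Breyer)."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), digest):
            return candidate
    return None


def lifecycle_demo() -> dict:
    """Commit, disclose, check linkability, then erase the secret."""
    store = OffChainSecrets()
    secret = new_secret()
    onchain = commit(RECORD, secret)  # the only value written to the ledger
    store.put(onchain, secret)

    # Constructed candidate set: every calendar date of one birth year.
    candidates = [f"date_of_birth=1984-{m:02d}-{d:02d}".encode()
                  for m in range(1, 13) for d in range(1, 32)]

    result = {
        "disclosed_ok": verify(onchain, RECORD, store.get(onchain)),
        # unkeyed hash of a low-entropy record: recovered from the candidate set
        "plain_hash_relinked": relinkable(plain_hash(RECORD), candidates) == RECORD,
        # keyed commitment: no candidate matches, even with the full set
        "commitment_relinked": relinkable(onchain, candidates) is not None,
    }
    store.erase(onchain)  # right to erasure: drop the secret, not the ledger entry
    result["secret_gone"] = store.get(onchain) is None
    return result


if __name__ == "__main__":
    print(lifecycle_demo())
```

The design choice worth noting is that the "breakable link" lives entirely in the off-chain secret: the ledger never changes, disclosure is the holder's decision, and erasure is a delete in a mutable store rather than anything the chain has to support.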

Conclusion

Privacy by design includes a set of important principles now deeply embedded into the GDPR. It is no longer optional to consider and implement the principles and related requirements. Especially with blockchain, there is no alternative to implementing privacy by design from the start, as the usual add-on privacy enhancements simply will not satisfy the requirements of the GDPR.

This short paper is to be seen as a primer of potential further work on the subject of how to properly practice privacy by design using blockchain technology. There are a variety of examples and ideas available, most of them initiated or developed by Dr. Ann Cavoukian, to be evaluated with the constraints and opportunities of blockchain. Future work could also include evaluations of how specific blockchain projects implement or practice good privacy by design.

Disclaimer: This is a working document; the author (Silvan Jongerius) welcomes your feedback. Version one was published on December 4, 2018. The Reviewers are: Greg McMullen, COALA (coalaip.org) and Abigail Garner, TechGDPR. You could download the paper here.


GDPR and the skills gap that could cost you €20million
Published Wed, 23 Aug 2017 at https://dataconomy.ru/2017/08/23/gdpr-skills-gap/

It’s not new news that Europe is suffering from a near-chronic skills gap. It’s been going on for a while now, with industry experts and government bodies all scratching their heads over how to solve it. The problem is about to get a whole lot worse, as the soon-to-be-enforced General Data Protection Regulation (GDPR) will turn the skills gap into a chasm.

GDPR breaches can cost up to €20million

Under GDPR, your business could be one mistake away from a breach that could cost you up to €20 million or 4% of your global revenue. A fine-worthy breach includes data hacks, loss or misuse of data. 'Misuse' covers a number of sins that employees lacking the right technical knowledge risk committing every day.

To make the issue even worse, to prepare for GDPR itself you’re going to need staff that are adequately trained in data protection, data management and GDPR compliance. As GDPR affects nearly every company in the EU (and those that do business with EU citizens), people who have knowledge of all of the above are going to be in extremely high demand.

Data literacy training from within

For some companies, it will make sense to nurture and develop staff from within. A quick search online brings up several GDPR training courses you can send your IT team and other technical staff on so they can get clued up on GDPR and its requirements. Some businesses will need a dedicated Data Protection Officer (DPO). Again, because of the vast number of businesses affected, DPOs are going to be in high demand. One solution for smaller businesses that cannot afford to fight for a DPO is to appoint a third-party who can act like one.

There is the further issue of your staff potentially leaking customer data, misusing it or storing it incorrectly. As part of your GDPR preparations, you will have to ensure all staff are aware of GDPR, its implications and what GDPR-compliance looks like. You’ll have to go into detail over what constitutes a breach, as well as put in place policies on bring-your-own equipment and data governance that all staff will have to be trained in.

There’s no one-size-fits-all type of training that will speak to all your employees. Therefore, you should consider holding a few different training sessions with your employees based on how tech literate they are and how clued up they are on GDPR. You’ll also have to schedule in regular refresher sessions in case anything changes and to really ensure compliance and include GDPR in induction sessions for new employees. The emphasis here is to do several different levels of workshop, however, a fresh faced graduate who has grown up surrounded by email, social media and smartphones is going to handle GDPR readiness very differently to someone who isn’t quite as confident with technology.

Organizations should focus on solid data infrastructures

Between setting up employee training and finding yourself a DPO, it’s very easy to forget about the main preparations for GDPR readiness. That is, getting your data infrastructure up to standard as well. Privacy by design will become the default approach, where you hold the minimum amount of data for the task you need to carry out. Likewise, you’ll need to carry out a data audit to ensure all your data is stored correctly and securely, is easily transferable when requested and has all the required consent.

When beginning your GDPR preparations, you should firstly take a long hard look at your data infrastructure before training your staff. However, you don’t want a chicken and egg situation on your hands if your staff aren’t skilled enough to audit your infrastructure in the first place. This rings especially true for smaller businesses and start-ups. Again, to save yourself the hassle of trying to hire someone, it’s worth considering third parties who can audit your systems for you.

Conclusion

There’s a significant amount of work to be put in before the May 2018 deadline when GDPR is enforced. The skills gap only makes this mountain harder to climb. It makes sense to begin your preparations now before the impending deadline and skills gap makes it a sellers’ market. Invest in the right people now and it’ll pay off in the long run – and at the very least save your business from that €20 million fine.


Disaster recovery plan essential under GDPR
Published Tue, 18 Jul 2017 at https://dataconomy.ru/2017/07/18/disaster-recovery-plan-gdpr/

Data security is being pushed to the top of the agenda by the new General Data Protection Regulation that comes into force next May, and that means a focus on issues that many organisations have neglected.

Companies across the globe that process data about European Union (EU) individuals will need to take much more stringent security measures to keep that data safe from prying eyes, whether those are criminals or employees.

One area of the GDPR that hasn’t got quite as much attention though is continued access to data. In fact, it seems that the regulation will create a disaster recovery obligation on organisations, so that if there are any attacks or unforeseen problems that bring a company off-line, they will need to get back up and running as fast as possible, or face a fine as well as the wrath of their customers.

Getting to grips with the GDPR

The GDPR is an EU-wide piece of legislation which creates a revolutionary series of new rights for individuals and will force everyone to think differently about how individuals' data is treated. Essentially, the principle is that everyone becomes the owner of their personal information. A Data Subject – any individual – has the right to much greater control over how their data is used by Data Controllers – people or companies who keep personal information such as sales records – and Data Processors, the people who use the data, such as call centres.

One of the responsibilities of both data controllers and data processors is to keep that data safe, and if there is a data breach, organisations can be fined up to 4% of their annual global turnover or €20 million.

“Security of processing” and the GDPR

For all the focus on individual rights and the possibilities of a breach, one area of the GDPR has been broadly overlooked – article 32, the security of processing.

This includes two provisions which, according to Giancarlo Butti, a security expert and author, mean that a disaster recovery plan is an essential part of every organisation’s set up:

“the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”

and

“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”

Previous EU regulations gave firms up to seven days to restore data – restoring access to personal data in a “timely manner” is likely to be interpreted more strictly. As Butti says: “Surely we are far from the concept of ‘seven days’.”

Why businesses need a disaster recovery plan

Many larger businesses have relied on back-up tapes as a fixed form of storage – sometimes known as “immutable buckets” of data as they can’t be amended and are separate from the rest of the system. Tapes create an “air gap” which means that even if a ransomware attack succeeds, the tapes cannot be affected.

However, the length of time that tapes require to restore data may be prohibitive, both for the business and its potential reputational damage, and under the new GDPR.

Companies like Sungard AS offer online solutions which are much faster and use a Data-Recovery-as-a-Service model which means that data protection and recovery expertise can be brought into focus on the affected system. Since most businesses have multiple systems and data flows, there is seldom any single way of protecting data, which makes a holistic approach vital.

Cloud data storage and recovery, using data centres such as Amazon’s AWS service, are now being used by NASA, the United States Air Force and the US Department of Justice, which offers a great vote of confidence in the levels of security for the data.

Not having a disaster recovery plan means losing valuable data – and worse

Data is at the heart of most companies' ability to do business, which means that every minute counts. Banks that can't give customers access to their money, as when RBS and NatWest customers could not use ATMs, or an airline that can't check in passengers, as in British Airways' computer failure: these issues cause massive disruption to a business, reputational damage and significant financial loss.

In 2016, a study by IBM found that a single data breach cost companies in the US around $7 million on average, with an overall increase in costs of seven percent. Many businesses that don't have a data recovery plan simply never recover. In the case of British Airways, the incident led to 700 cancelled flights, 75,000 passengers stranded and a bill of £80 million.

The GDPR may seem at first glance to add a significant level of non-urgent and overly arduous regulation to a business. Yet the GDPR offers an opportunity for businesses and organisations to develop a detailed and practical disaster recovery plan that will protect them from serious harm.

 
