Simply mentioning the European Commission's General Data Protection Regulation (GDPR) is enough to send shivers down the backs of businesses which have had to make rapid changes to be ready in time for the deadline.
The cutoff point for organizations to conform to the new GDPR legislation has passed, but emails are still flooding in from companies hoping that you will re-subscribe and give them consent to contact you, some online services have -- at least temporarily -- become unavailable for EU visitors, and we are likely to see disruption for some time to come as companies catch up.
The new framework, which impacts all EU member states, requires businesses to be more transparent about what data they collect and store from users, to report the discovery of data breaches within 72 hours, and to manage information securely.
The core of the legislation was designed to bring some order to the lackluster rules surrounding data collection, the masses of information stored for no business purpose, and the constant threat of data breaches.
However, many organizations have been left floundering -- unsure of where their information is, how it is recorded, what has been collected in the first place and for how long, whether or not user consent for storage has been granted, and if this data has been secured.
It has caused chaos and is likely to continue to do so.
According to a recent IBM study, 80 percent of organizations claim they are cutting down on the amount of personal information they collect and store due to GDPR. However, not every organization has met the EU's deadline.
It might be messy, but there is a silver lining to the challenge -- the fostering of data-driven innovation and the promotion of machine learning (ML) and artificial intelligence (AI) in the enterprise.
In an interview with ZDNet, IBM's Chief Privacy Officer and the recently-appointed European Data Protection Officer (DPO) Cristina Cabella said that GDPR is an "undeniable challenge," but also presents an opportunity for customers and the enterprise at large.
The role of the DPO is now mandated under certain conditions for businesses. These professionals must be hired to interpret GDPR effectively, advise companies on how to manage their data and comply with the new legislation, and ensure GDPR has been met through testing and audits.
Control, auditing, and a thorough understanding of the new framework are requirements for this role, but DPOs cannot function properly unless the business at hand goes back to the basics when tackling GDPR.
"By asking companies to appoint a DPO in certain instances, GDPR is sending a message which is: we want your accountability to be controlled by your DPO," Cabella says. "That role is also going to be critical in the relationship with authorities because it is not just securing internally accountability, but [the DPO] also represents the company."
IBM has approached GDPR as an "opportunity to enhance existing privacy and security measures and controls," according to the executive. The tech giant has reviewed its policies, client offerings, and terms & conditions linked to customers and vendors at the global level, with the aim of improving these relationships and encouraging trust.
"GDPR is introducing more accountability, more transparency, and those are elements [with] which we can develop trust with our customers which is the base for any relationship long-lasting in the future," Cabella said. "Innovation requires trust and the use of data."
Innovation, Cabella believes, may turn out to be the silver lining amidst the upheaval caused by the data protection regulations -- especially where machine learning (ML), artificial intelligence (AI), and cognitive systems are concerned.
In preparation for GDPR, IBM made a number of changes to current enterprise offerings related to data security and storage, as well as consultancy services. These changes introduced ML and cognitive learning systems which, according to the executive, are useful for the "acceleration" of GDPR compliance.
These systems can take over some of the GDPR workloads from IT staff and existing data systems. IBM, for example, has developed an automated system based on cognitive computing which is able to scan data caches, index findings, and automatically complete tasks such as user data requests -- now permissible under the new legislation.
"If you don't have a time-effective and automated system to scan where your files are and to understand how they were used, and for what purpose, you may fail to comply with data requests or to be able to notify authorities when there are security incidents," the executive added.
Cabella believes this may be the start of a new chapter for ML, AI, and cognitive systems.
If these technologies prove their worth by helping companies cope with GDPR, this may prompt fresh interest in the other capabilities of such systems. The executive commented:
"I believe that GDPR, in a sense, is setting the baseline on a few important principles; one being accountability for compliance (it's not enough to say one is compliant, they need to be accountable for that); the other is transparency. Both of them are all about the responsibility that companies need to claim in the way they use data.
Data is fundamental for companies in business and it is the fuel of innovation for companies in digital business.
GDPR has helped by introducing some fundamental principles that ML, AI, and cognitive systems can bring to the next level [...] a more advanced use of your data."
However, the executive cautioned that businesses must start from the beginning, rather than leap straight ahead to new solutions.
Unless enterprise players have a solid understanding of their data sets and current data practices, they will not be able to use cognitive systems to their full potential.
The DPO said:
"The regulation is just the starting point. There is a double effect; from one side, GDPR is raising awareness of what rights [clients] have and how companies are using their data. On the other side, it is forcing companies to have a better understanding of what data they are collecting, where from, how they are securing [this] data, and for what purpose they are using it.
It is forcing change and that will [prompt] greater trust. And hopefully, through that trusting relationship, there will be more use of data -- which is fuel for innovation.
Without data, innovation cannot succeed and I think GDPR is contributing in this respect."
Whether or not to introduce the principles of GDPR worldwide has caused ripples in both the technology and government sectors.
Silicon Valley and US lawmakers, for example, are now gearing up for a debate across the pond on data regulation, whilst IBM executives have suggested the adoption of voluntary industry standards.
When asked whether or not legislation such as GDPR should be implemented on the international scale, Cabella was cautious, emphasizing that a "one size fits all" approach would not necessarily be workable for the enterprise or consumers.
"We recognize that there are countries outside of Europe where there are different privacy standards, there are different law[s], there are different cultural perceptions around privacy, and applying a single standard everywhere may not be the right solution," the executive said. "What we need to do is ensure that there is more cooperation between countries, but what we cannot afford is a system which will not work with others because we need data flowing."
For those companies that are still struggling to meet the demands of GDPR, however, Cabella has offered some advice.
"Start from the beginning. Understand your organization and the way you are currently using data.
Sometimes companies are running to the end and skipping the basics which is understanding what your company does. If you understand that, you can create a map, and from there, you may need to leverage solutions to help you manage your data better.
You need to understand what you have, and what use you have for your data. From there, you can make GDPR work for you."