Are We In The Calm Before The Data Privacy Storm?
HIPAA. PIPO. GDPR. One thing we know about abbreviations...they're frequently used to put a palatable front on something that is going to dramatically impact our lives. (IRS, anyone??) In about 30 days (you can see an exact timer by clicking here), the General Data Protection Regulation (GDPR) will take effect, and it's going to be big. We've talked about GDPR before, and have shared some of the compliance rules and penalties, but what we haven't discussed is "what's next." No, not as in "What do I do now if I'm not GDPR compliant and need to be ASAP" (although we do have a solution for that...). What I mean is more along the lines of "is GDPR just the first wave of a data privacy tsunami?"
We think it is.
Start with Why (right, Simon Sinek?)
Regulations that impact most of the globe don't just materialize out of nowhere. Obviously, there is a burgeoning need for data privacy, and we see it underscored every day with headline after headline of personal data being breached, stolen, shared, sold, or otherwise provided to someone else without our consent. So, why do we have regulations coming to address this? Well, that's rhetorical.
But the "why" is also precisely what is spurring other questions, like "what?" As in "what is coming next?" And "when," as in "when will personal data privacy finally reach a point where the public is comfortable again...if ever?" There's also "who"...like "who is ultimately responsible for data privacy? Should it be the person who owns the data or the organizations they interact with?" Finally, of course, is "how?" That is, "how do you go about preparing for the future that is simultaneously certain (meaning there's definitely more to come) and uncertain (because we don't know what the next legislative move will be)?"
Let's recognize that "personal data" is exactly that..."personal." With this comes "personal responsibility." Sounds kind of harsh, right? Well, who has a greater incentive to protect personal data--the person who owns it, or an organization that is using it as a commodity to sell products or services? Again...rhetorical.
I believe that if we leave the presently growing issue of ensuring data privacy up to legislative action alone, we inherently cede some of the very privacy we seek. That is, more data, workflows, processes, and procedures will need to be interrogated (and potentially violated) before the next great solution can be codified, and who knows how long it will last or the extent to which fines and penalties will devastate otherwise well-meaning companies? After all, not EVERY company is sharing our data with Cambridge Analytica... Instead, let's let everyone hold on to their own data so they can share only what they want to share with whom they want to share it. It sounds simple...because it is.
Think of it this way: the threat to privacy will always exist (at least as long as there are two or more human beings on the earth), so doesn't it make sense to dilute the threat profile as much as possible? In our present situation, anyone can access millions of personal data records by infiltrating one organization (whether "legally" or illegally). Even if that organization takes precautions to make it hard to breach or has policies in place to stipulate how data is maintained, the potential payoff makes it worth taking the risk and going for the jackpot. If, on the other hand, we make it such that in order to access the same "millions of records" a bad guy has to infiltrate millions of individuals, the challenge is MUCH higher...and the payoff per successful break-in is orders of magnitude less. Shrinking each target down to its smallest possible unit makes a massive data breach about as close to impossible as it can get...and, I believe, avoids further waves of legislation designed to protect us from ourselves.
I realize, of course, this isn't something that would happen overnight. But the threat to data privacy is an epidemic right now, and it deserves at least some alternative thinking. GDPR is big and it will be effective...
...until it's not.
That's not a comment on GDPR specifically. It's more about legislative activity in this space in general. Regulations, no matter how large, only flirt with the issue instead of jumping all in and enacting a truly comprehensive solution. If I were wrong about this, we wouldn't have seen any personal medical records illegally accessed after HIPAA in 1996, right?
Feel those raindrops on your face? The storm is coming. Now's the time to seriously discuss ways to take shelter, because once the heavy stuff starts coming down, new legislation will be like handing out umbrellas in a hurricane.