GDPR – Just a regulation or a whole new frontier?

For those of us who have been immersed over the last few years in understanding the impact of the EU GDPR, it is very difficult to imagine that anyone resident in the EU, or dealing with the data of EU residents, is not yet fully aware of what is arguably the most important piece of data-related regulation in a generation.

The EU GDPR (to give it its full name, the European Union’s General Data Protection Regulation) sets out a new landscape rooted in a core set of rights for data subjects and a set of principles for processing their data, principles which must be adhered to even when the organisation doing the processing is not within the EU. In short, it is globally significant.

Of Global Significance

Most coverage to date focuses on the difficulties of adopting the GDPR and the extremely high cost of non-compliance (fines of up to 4% of global annual turnover in the worst cases). In that respect I believe we miss an opportunity: if we focus only on the challenges of the GDPR, we miss the fact that this legislation (now law in all 28 EU member states, with a compliance deadline for organisations of May 2018) changes the landscape for processing the personal information of EU residents in a fundamental and potentially disruptive way.

To Explain –
Recently my colleagues and I have been discussing the API economy enabled (in the UK) by the OpenBanking regulations. While they wax lyrical about how it will disrupt the financial sector, I disagree, because ultimately it is not changing the industry or the market, just (potentially) changing the players. The same business carried out in a different way, or by different agents, is not disruption; it is simply evolution.

To be truly disruptive, something has to intrinsically alter the paradigm of a market or industry. I believe the GDPR does just that for every industry that relies on the processing of personal data, because it effectively enshrines in law that such data is an asset belonging to us as individuals, not to the organisations that process it on our behalf. Not only does this shift the balance of power in the processing of personal data, it will fundamentally change how whole industries interact with their customers.

For example, several tech giants are built on the “you are the product” model, offering free services in return for the use of your data as marketing data. The GDPR fundamentally undermines this proposition: it requires a lawful basis, typically your freely given and specific consent, before data is collected for marketing, and it forbids making a service conditional on consent to processing that is not necessary to provide that service (Article 7(4)). Think for a moment about what this will mean for organisations such as Facebook and Twitter and you will see that this is a very disruptive piece of legislation.

Equally, monetisation models based on processing our personal data will have to be completely reworked: profiling (ad targeting, for example) will depend on the data subject’s consent, and the organisation controlling the data will have to disclose the recipients, or categories of recipients, to whom the data will be passed before your consent is sought. Again, think about how this changes the game for organisations such as Google, which rely on this capability to generate the vast majority of their revenues.

With such sweeping and fundamental changes comes great opportunity for organisations to rewrite the engagement model with data subjects on a partnership basis rather than a “you are the product” basis, and I foresee some very interesting new propositions, not only from new tech companies but also from the big tech giants as they pivot around this new paradigm in personal data processing.

So, when my colleagues groan at me for going on (and on) about “some boring data protection regulation”, I am most often inclined to smile and ask them why I wouldn’t be excited to be working in an area that may be one of the next big disruptors. As an architect, what more could you ask for?