Cambridge Analytica. New Zealand's new Privacy Bill. GDPR. Data issues are everywhere and affecting everyone. What should you being doing about it?
Data is the both biggest opportunity and the biggest threat in the tech sector right now. There is no doubt that the ability to collect and use ever-increasing volumes of information in ever more intelligent ways is driving technology to impressive new heights. However, with these developments comes the equal and opposite potential for harm to occur when this doesn't happen in the right way.
A major moment for big tech?
Large platform providers like Facebook and Google - whose business models rely heavily on harvesting, packaging and commercialising data in various ways have been feeling regulatory and political pressure for some time now, but the Cambridge Analytica story may be the one that truly captures the public consciousness and causes a major shift in the way people view data privacy. The bargain embodied by the well-known trope - "if you're not paying for it, you're the product" may be one the average user is no longer willing to make - at least without greater assurances around privacy and autonomy over their data.
In the background, GDPR (the General Data Protection Regulation) is about to come into force in Europe - bringing with it more stringent obligations around privacy and security, and some serious consequences (including fines of up to 4% of global turnover) for those who get it wrong.
New Zealand developments
Into this heady international mix - with impeccable timing - comes New Zealand's new Privacy Bill. This overhaul of our 25-year-old data privacy regime is long in the making, but (in its current form) short on the types of penalties that could act as a genuine deterrent to those who use data illegally. This has been acknowledged by the Privacy Commissioner himself - who is pushing for powers to impose much larger fines.
The bill makes some important changes - for example:
- strengthening protections around cross-border data flows and clarifying the application of the law to overseas providers;
- providing for mandatory reporting of data breaches; and
- adding to the Privacy Commissioner's powers (e.g. to issue compliance notices, gather information, and make binding decisions on data access requests)
.All these things are going to be important for New Zealand organisations needing to comply with GDPR, and for New Zealand to maintain its "adequate country" status - allowing data to be transferred here by organisations in the EU without the need for special measures.
It's also fair to say the proposed new regime is - rightly or wrongly - less prescriptive and detailed than GDPR and other international equivalents.
So, what should you be doing?
If your business captures and uses data, and particularly if you rely on the data as part of your business model, it's important to understand these developments. The concept of "privacy by design" - an approach to projects that promotes data privacy and compliance from the start - is enshrined in the GDPR and will be the minimum standard expected not just by regulators, but by customers. To succeed in this environment means:
- assessing the way you (and other organisations you rely on) currently capture and use data
- building data privacy into the design of your products and services
- looking at your legal terms - with both your customers and your providers - to ensure they comply with law while appropriately protecting your interests (and those of your customers)
- reviewing the new Privacy Bill and participating in the parliamentary process to ensure your interests are taken into account.
In addition to all that, does your business need to go further? We are approaching an era where individuals will demand control over their own data, and if they don't like how you're treating it, will stop engaging with your business. In this environment, our view is that any approach to collection and use of data should be built in a way that recognises the value of the data, respects the individual who is the source of it, and gives them the control they are looking for over their own data. This is the essence of privacy by design.
There are some complex and intricate balances to be struck to ensure you maximise the opportunities and minimise the threats presented by use of data.Those who are engaging now are in the best position to succeed.