Navigating the GDPR disruption.

Jul 16, 2018

Reconciling privacy protection with digital innovation is the biggest challenge posed by new regulation.

The European Union’s GDPR, a new directive about personal data protection, came into effect on May 25th amid much press coverage of the obligations it imposes. While its guidance is clear, its practical implications have yet to crystallise. Concrete jurisprudence will emerge one interpretation – and, eventually, one legal dispute – at a time. As with any case in which theory meets practice, the letter of the law will both shape and be shaped by the reality it confronts.

Communications Service Providers (CSPs) sit, understandably, at the bullseye of GDPR effects. Before data can even be stored, analysed or manipulated, it needs to be exchanged. And it is the CSPs that make that exchange possible, transporting back and forth all information, personal or not, subject to regulation. It is a tall order.

Dealing with this heightened responsibility is challenging. Telcos’ desire (and need) to keep clients’ personal data protected conflicts with their aspiration to carve out a stronger presence within digital ecosystems. After decades of passive innovation, during which ‘outsiders’ came, saw and conquered digital data exploration, some CSPs still vie to be more than a pipe. And information, as it happens, is a key ingredient for that.

“Adapting to new privacy regulation while actively participating in the ongoing data revolution is within telcos’ reach”

To tackle this healthy tension between data protection and exploration, CSPs must establish the privacy standards they will adhere to. That starts by understanding the rules they will be held against and, notwithstanding the uncertainty surrounding their application, examining the practical impacts they might have.

At its core, GDPR was formulated around principles governing the obligations and rights of data subjects, data controllers and data processors. Many of them reinforce already prevalent practices (e.g. the data security principle, which states that data controllers and processors must protect personal data from unauthorised access). Some other principles, however, introduce new requirements to the data privacy landscape. A few examples are:

Principle: what is noteworthy about it

Informed consent
  • Data subjects must consent to their personal data being used.
  • Consent must be requested with a clear explanation of how the personal data will be used. It should always be of an opt-in nature, it can be withdrawn at any time and it must involve an active confirmation.

Fair, lawful and transparent processing
  • Personal data must be processed in a transparent manner, giving the data subject 100% visibility on how his or her data is being handled.
  • Controllers and processors must be able to provide an exhaustive history of how an individual’s data was transformed, integrated, shared and exchanged in their systems.

Purpose limitation
  • Personal data must be collected and processed under explicit, well-defined purposes. Companies cannot collect personal data under one stated purpose and use it to some other end.
  • If an opportunity arises for data to be used for a different purpose, a new explicit consent must be requested from the data subject.

Data minimisation
  • Entities cannot request and collect more personal data than is strictly needed to fulfil the purpose for which the data is being obtained.
  • Capturing more personal data than required just to figure out, at a later point in time, if it can be used for something ‘useful’ is not allowed.

Data retention period minimisation
  • Personal data must not be stored for longer than is necessary for the purpose associated with it to be achieved.

GDPR expects its principles to be baked into companies’ day-to-day operations by design and by default. Privacy should not be an afterthought, then: it should be considered a core requirement of any process, which must be engineered from the ground up with GDPR compliance in sight.

Not stated as a principle per se, but also very relevant, are the rights of the data subjects. They are broad, all-encompassing and not trivial to deliver on: data subjects have the right to access their personal data at any time, to rectify it, to be forgotten (to request data erasure), to restrict data processing, to be notified about data leaks, to port their data somewhere else and to object to automated decision making based on their profiling.

For the average telco, those are revolutionary demands. They entail revising end-to-end policies, deploying new IT processes and implementing a whole novel data management lifecycle (to keep track of where all personal data goes – and why). Given the huge number of OSS / BSS functions currently operating within CSPs’ environments, those are monstrous tasks. Add to them the innovative use cases that telcos may still want to pursue, in order to become more relevant as full-blown digital players, and the complexity of complying with GDPR shoots through the roof.

An emerging discipline within the software engineering domain may come to the rescue: privacy engineering. It aims to provide methodologies, tools and techniques that enable systems to deliver acceptable levels of privacy. It builds, thus, intelligent means to ensure that data-driven evolution can be carried out with no harm to individuals, marrying the best of both worlds. Still in its infancy, privacy engineering is quickly becoming the de facto answer for combining progress with safety.

As the entire ecosystem of vendors and CSPs adapts, personal data privacy and exploration will likely strike manageable compromises. For telcos in particular, that poses a unique opportunity: to juggle the missions of guarding their clients’ data while reinventing themselves as purveyors of intelligence for new digital applications. It will not be easy, but the pay-off may completely transform where the telecommunications industry will see itself a decade from now.