The European General Data Protection Regulation (GDPR) comes into effect next year. It will have a big impact on how telecom operators – in Europe and beyond – manage data. Sarah Wray looks at the challenges, and opportunities, it presents.
GDPR, which has been described as “ground-breaking” and “historic”, comes into force on May 25, 2018. While this might seem like a while away yet, businesses need to get not only their own houses in order but also ensure there are no weak links in any part of the chain.
This is especially important in areas such as internet of things (IoT) and other digital services, where a complex range of ecosystem partners are involved.
Chris Stock, Director, Security & Privacy Programs, TM Forum, says, “Internally, large organizations will have their own compliance in hand, but is there a need for a broader ecosystem approach to compliance?”
Below are some of the key features. While many of the requirements are not brand new and were included under the Data Protection Act, GDPR supersedes previous European Union (EU) directives with a binding regulatory framework and harmonizes 28 national legislations into a single EU-wide regulation.
- Penalties: Data protection authorities will be able to fine companies that do not comply up to 4 percent of their global annual turnover.
- A right to be forgotten: When an individual no longer wants her/his data to be processed, and provided there are no legitimate grounds for retaining it, the data must be deleted.
- Easier access to data: Companies must give individuals “clear and understandable” information on how their data is processed.
- A right to data portability: Individuals must be able to easily transmit personal data between service providers.
- Breach notifications: Companies and organizations must notify the national supervisory authority of data breaches that put individuals at risk and communicate to the data subject all high-risk breaches as soon as possible so that users can take appropriate measures.
- Data protection by design and by default: ‘Data protection by design’ and ‘data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings should be the norm – for example, on social networks or mobile apps.
- Data processors: Data processors have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a data protection officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller on becoming aware of a personal data breach without undue delay.
- Consent: A data subject’s consent to the processing of their personal data must be as easy to withdraw as it is to give. Consent must be ‘explicit’ for sensitive data. The data controller is required to be able to demonstrate that consent was given.
The new potential penalties and requirement to notify of breaches are attention-grabbing, and requirements such as data portability and the right to be forgotten highlight the need for an ecosystem approach.
A group of some of the world’s leading operators (Orange, Vodafone and Telefónica) and suppliers (UXP Systems, Accenture, Brytlyt, Symantec and Infosys) is teaming up to solve some of these challenges through a TM Forum proof-of-concept Catalyst project. At the same time as aiding compliance, the work should create new opportunities.
Luis Velarde, Solutions Architect Senior Manager, Telefónica, says, “This effort is not only to deal with the legislation. It aligns with the strategy that Telefónica has around becoming a platforms company based on data. To do that we already knew we needed to enable the capabilities and provide them to customers, so they can manage their own privacy and their own personal data. If we don’t do this, we will not build the trust that we need from our customers.”
Giving users control
The Catalyst project’s solution is built around giving users control of their data – the user might not be the customer paying the bill, but a subscriber to the service. Think of how each family member can have their own account on Netflix, for example.
Atul Ruparelia, Data Architect at Vodafone Group Services, Vodafone, explains, “Through a dashboard, we want to give a 360-degree view of all the personal data that the CSP holds on customers’ and users’ behalf. Through that dashboard the user could opt in or opt out of certain permissions and preferences (consent management).”
He adds, “The challenges of GDPR legislation will turn into opportunities. CSPs need to be transparent with the user of the service about how their consent is managed. Once this transparency is maintained, ‘trust’ is established between the customer and CSP, which is crucial for a good customer relationship.”
The team is also tackling the data portability requirement, enabling users to move their data from one CSP to another and demonstrating the use of TM Forum Open APIs to do this. Collectively, they need to understand the interfaces between operators and between customers/users and the operator.
Without collaboration, each industry is likely to use its own standards to create the portability format: banks could rely on the European Banking Federation, insurers in France on the DARVA standard, etc.
The team will work to define a portability format based on the TM Forum Information Framework (SID). By showing how this information can be shared via an API or a standard format (open ID, etc.), the operators will showcase the unique capabilities that they bring to the challenges of meeting the legislation. An important part of the initiative is also working with vendors now to ensure their solutions are being developed with a privacy-by-design approach.
Fabien Venries, Head of Enablers & Partner Services and API Factor, Orange, says, “We cannot operate end-to-end privacy if one piece of the architecture or the system is not compliant. There are a lot of solutions currently already developed or in development – now is the time we need to define the touchpoints between platforms.”
At TM Forum Live! in Nice in May, the GDPR Catalyst team will demonstrate a dashboard where a customer can enter their personal data, allow or retract consent for an application to use the personal data and transfer the data from one operator to the other.
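The consent-management and portability behaviour described above (opt in, opt out, demonstrable consent, and transfer of the data and its consent state to another operator) can be sketched in code. The following is an added example written for this article, not code from the Catalyst project or from any of the companies named; it assumes an append-only consent event log per user and purpose, treats the latest event as the current state and the full history as the controller's evidence, and uses field names chosen here rather than the TM Forum SID.

```python
"""Consent ledger and portability export (added example, not Catalyst code).

Assumptions (not from the article): consent is an append-only event log per
user and purpose; the latest event is the current state; the ordered history
is the evidence a controller shows to demonstrate consent; the portability
bundle is a plain JSON-serialisable dict with field names chosen here.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str   # e.g. "marketing", "location-analytics"
    granted: bool  # True = opt-in, False = withdrawal
    at: str        # ISO-8601 UTC timestamp
    source: str    # where the user acted, e.g. "dashboard"


class ConsentLedger:
    """Append-only record; withdrawal uses exactly the same path as grant."""

    def __init__(self):
        self._events = []

    def record(self, user_id, purpose, granted, source="dashboard", at=None):
        at = at or datetime.now(timezone.utc).isoformat()
        ev = ConsentEvent(user_id, purpose, granted, at, source)
        self._events.append(ev)
        return ev

    def grant(self, user_id, purpose, **kw):
        return self.record(user_id, purpose, True, **kw)

    def withdraw(self, user_id, purpose, **kw):
        return self.record(user_id, purpose, False, **kw)

    def is_permitted(self, user_id, purpose):
        """Privacy-friendly default: no recorded grant means no processing."""
        state = False
        for ev in self._events:
            if ev.user_id == user_id and ev.purpose == purpose:
                state = ev.granted  # last event wins
        return state

    def evidence(self, user_id, purpose):
        """Ordered history the controller can produce to demonstrate consent."""
        return [asdict(ev) for ev in self._events
                if ev.user_id == user_id and ev.purpose == purpose]

    def purposes(self, user_id):
        return sorted({ev.purpose for ev in self._events if ev.user_id == user_id})


def export_portable(ledger, user_id, personal_data):
    """Machine-readable bundle the user can hand to another provider."""
    return {
        "user_id": user_id,
        "personal_data": dict(personal_data),
        "consents": {
            p: {"permitted": ledger.is_permitted(user_id, p),
                "history": ledger.evidence(user_id, p)}
            for p in ledger.purposes(user_id)
        },
    }


def import_portable(ledger, bundle):
    """Receiving provider replays the history so consent state travels with the data."""
    for purpose, info in bundle["consents"].items():
        for ev in info["history"]:
            ledger.record(ev["user_id"], purpose, ev["granted"],
                          source=ev["source"], at=ev["at"])
    return bundle["personal_data"]


def demo():
    """Constructed sample: grant two purposes, withdraw one, export, re-import."""
    src = ConsentLedger()
    src.grant("user-42", "marketing", at="2018-05-25T10:00:00+00:00")
    src.grant("user-42", "location-analytics", at="2018-05-25T10:01:00+00:00")
    src.withdraw("user-42", "marketing", at="2018-06-01T09:00:00+00:00")
    bundle = export_portable(src, "user-42", {"msisdn": "+00-000-000 (constructed)"})
    wire = json.dumps(bundle)  # what would cross the operator-to-operator API
    dst = ConsentLedger()
    import_portable(dst, json.loads(wire))
    return src, dst, bundle


if __name__ == "__main__":
    _, dst, bundle = demo()
    print(json.dumps(bundle, indent=2))
    print("marketing permitted at receiver:", dst.is_permitted("user-42", "marketing"))
```

The design point is that consent is never a mutable flag: every opt-in and opt-out is an event, so the dashboard's "retract" is the same operation as "allow", the default for an unknown purpose is off, and the evidence a regulator might ask for is the log itself, which the receiving operator replays on import.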