“GDPR has an upside.” I was glad to hear Dr. Baljit Sarpal, Managing Director, Sarpal Consultancy, say this while speaking at TM Forum’s Internet of Everything InFocus event this week.
As technologists, most of us focus on the challenges posed by the impending General Data Protection Regulation (GDPR) legislation, which comes into effect in May. The rules impact all companies choosing to serve European citizens, which means that even companies based in other parts of the world must take the rules into consideration. If you are a mobile operator in Australia where EU citizens often travel or even a dentist in north America with an office near an airport, you need to ensure your systems are compliant.
As an EU citizen I am a big fan of GDPR and applaud the European Union for having the foresight to recognize that with the continuous, exponential growth of data, regulations are required to ensure a more ethical society and to ensure that companies respect the personal data of citizens. But as a technologist I recognize the limitations of legacy systems which have been designed inside out and as a result don’t have privacy by design in their DNA.
What are the requirements?
Several GDPR requirements pose significant challenges for companies doing business with EU citizens:
- Consent – it needs to be clear to people that they are consenting for the collection of their personal data. It must be as easy to withdraw consent as it is to give consent, and parental consent is required to process all data of children under the age of 16 (some countries may reduce this age further).
- Right to access – individuals can request any information pertaining to their personal data. For example, they can ask whether their data is processed and if so where and for what purpose. The provider is required to give a copy of the personal data, free of charge and in an electronic format. This is a dramatic shift in data transparency and empowerment of people over their information.
- Right to be forgotten – this rule entitles people to request to cease the collection and dissemination of their personal data and to have third parties halt processing of their data. In the context of managing services across complex ecosystems this represents a requirement for traceability and ability to remove personal data effectively across the ecosystem. During his presentation, Sarpal outlined that there may be some caveats such as the right to be forgotten when someone owes a significant bill, or where holding the data is in the public interest.
- Data portability – GDPR introduces data portability, which is the right for people to receive the personal data concerning them in a commonly used and machine-readable format, and the right to transmit that data to another controller.
- Privacy by design – at its core, privacy by design calls for the inclusion of data protection from the onset of designing of systems, rather than as an add-on. Providers should hold and process only the data necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing, requiring full transparency of access of personal data. In organizations processing personal data, a data protection officer must be appointed to ensure GDPR compliance. Fines of up to £500,000 will be issued for serious breaches, so they need to be taken seriously.
Making the most of GDPR
With every threat comes an opportunity. So what opportunity does GDPR present?
By ensuring that your organization is compliant you can help ensure that your brand is trusted, and customer loyalty is key to success in the digital world. GDPR rules also are forcing companies to become more data-centric, which will dramatically improve customer centricity.
Among telcos, Telefónica is embracing these changes with its “Fourth Platform”. The first platform consists of the company’s physical assets, such as network, data centers and storage; the second is made up of operational and business support systems; and the third is all the products and services offered to customers. The Fourth Platform then is the customer’s data and knowledge.
“The Fourth Platform centralizes all the data about our customers in personal databanks,” Telefónica’s Global CIO Phil Jordan explains. “On top of these personal databanks, Telefónica builds the intelligence and analytics needed to create recommendations to improve the customer relationship, and then gives the customer control of all this data and information.”
The Privacy API can help
Telefónica is one of nine communications service providers that have officially adopted TM Forum’s suite of Open APIs for digital service management. The Privacy API can help with the transformation of legacy systems to comply with the new privacy requirements. Its features include the retrieval, partial update, creation or deletion of a privacy profile type, privacy profile(s) or privacy agreement(s).
The API is free to use by anyone – we just request that if you use it and extend it, you contribute the extensions back to the community. You can download the Privacy API and others here.