The General Data Protection Regulation (GDPR)
The GDPR, leading a wave of laws and regulations changing the privacy and identity world, creates demand TickStream®.
The General Data Protection Regulation (GDPR) is a measure adopted by the European Union, which takes effect on May 25, 2018, that requires all entities to protect personal data and privacy. Although the legislation was adopted in April, 2016, and has been under discussion for several years, it has received more focus recently, as companies only have a few more months to comply. Among the key requirements is to protect “information relating to an identified or identifiable natural person” (Article 4), but differentiates, and in some cases, excludes (Recital 26), data that is “rendered anonymous in such a way that the data subject [that is, the natural person] is no longer identifiable.” This latter concept is called “pseudonymization” (addressed in Article 32), and refers to the condition where a data record cannot be linked directly to a person without additional information. This does not exempt the business from complying with other parts of the GDPR, but it significantly addresses many key provisions.
The GDPR contains an expansive definition of personal data (Article 9), far beyond the common, but informal, definition of Personally Identifiable Information (PII). Under the GDPR, this includes obvious elements like names and addresses, but extends well beyond that to include data gathered from one’s web browser, health and genetic data, political opinions, trade union membership, and much more – including biometric data. This is important to Intensity Analytics (“IA”) for at least two reasons:
- Traditional biometric data cannot be pseudonymized, as that kind of static information relates to a physical, easily observed trait of an individual. In stark contrast, the effort hallmark models that IA builds are not tied to any observable aspect of a person. IA’s TickStream AI engine extracts features from a given physical movement effort to compare to a previously-constructed, derived model. The process only works one way, and is pseudonymous by design (another GDPR directive, in Article 25).
- Many security products rely on data elements such as GPS location, IP address, and time-of-last-use as either primary sources of “behavior”, or as ways to fix precision with their identity analysis attempts. Some products are even designed to examine content for sentiment or mood to determine one’s state of mind. These approaches are in peril under the GDPR, since many are further called out as “special categories of personal data” (Article 9).
Another provision of the GDPR that benefits IA stems from the rights granted to individuals to data portability (Article 20). This provides that personal data must be provided to the individual on request, in such a way that it can be transmitted for use in another system. IA has a patent pending on a method for making behavior data portable, which is potentially a very significant development.
Finally, several of the most impactful new requirements relate to data breach reporting, which must include notification within 72 hours of detection (Article 33). With IA’s TickStream product running as an early warning beacon (we call it a Threat Intel product), it can help companies research breaches more quickly. It is also worth noting that IA’s pseudonymized data, if breached, is excluded from the notification requirements (Article 34), which makes the process of implementation simpler for organizations, since it won’t add to their breach reporting responsibilities.
Businesses are scrambling to get ready. According to a PwC Survey, more than 90% report GDPR readiness is one of their top priorities, and almost 70% plan to spend $1M-$10M on preparations, with 9% expecting to spend in excess of $10M on compliance. The impact of noncompliance is serious and can result in fines of up to €20M or 4% of global revenue, whichever is greater (Article 83).
Of course, there is a lot more to come on the GDPR as it becomes better understood.
For further reading, here are some more general summaries prepared by others:
In summary, here are the Ten Facts to Know about the GDPR (adapted from ComputerWeekly magazine):
- The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
- The GDPR expands the definition of “personal data” to include anything that can be used to identify an individual: genetic, cultural, economic, social, opinion, mental state… and biometric data.
- The GDPR establishes strict rules for obtaining explicit consent of individuals for the use of their data.
- The GDPR requires any authority (known as “data controllers”) that will process personal information to appoint a Data Protection Officer.
- The GDPR requires data controllers to conduct a Privacy Impact Assessment (PIA) to document their compliance.
- The GDPR specifies a common data breach notification across the EU – organizations must report to the local data protection authority within 72 hours of discovery.
- The GDPR describes the right to be forgotten – the data expires after the use for which it was originally collected, and must be deleted upon request by the data subject (a natural person).
- The GDPR covers organizations that work with personal data as well as the data controllers.
- The GDPR requires systems to incorporate privacy by design.
- The GDPR establishes a single point of supervisory authority, with enforcement backed up by fines up to 20m Euros or 4% of annual global revenue, whichever is higher.