10 key things you need to know about the EU GDPR and personal data

The General Data Protection Regulation (GDPR) becomes law across Europe in May 2018, replacing a patchwork of data protection laws across the various member states and essentially making privacy the new norm.

Wide-ranging in its scope, a key theme is returning a lot more power over personal data to individuals, who will have new and increased rights over what personal data is collected, what it can be used for and what happens when they want to remove consent.

The GDPR also includes a ‘right to be forgotten’ as well as the right to know when your personal data has been hacked and replaces rules dating back to 1995 when the internet was in its infancy.

Completely in tune with digi.me’s vision to unlock the power of personal data by returning control and ownership to those who create it in the first place, the new law will apply to all businesses not just based in the EU, but also those dealing with EU citizens.

Here’s a quick guide to the main features:

  1. Privacy by design means that when you download an app or sign up for a service, you should not be asked for data that is not directly needed or relevant for the purposes of interacting with that app or service. Services should no longer be asking for capabilities they don’t actually need, which will immediately restrict data leakage.
  2. Explicit permission means just that – when you give permission to an app or website to have or use your details in a specific way, they can’t use it for any other purpose or, crucially, sell it on to third parties.
  3. Data portability gives you the right to ask for any data that a company has about you, which should be returned in a machine-readable form so that you can reuse it, for example to give it to another service provider.
  4. Giving someone your data doesn’t mean they will always have access to it – under the GDPR you have a right to be forgotten and will be able to ask companies or platforms to delete your data if you no longer want them to have it. The two caveats to this are a) that this won’t apply to some information that there is a legal requirement to keep, for example medical records and b) that it is also a personal right to forget, distinct from the 3rd party Right to be Forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines. (read more about the difference here)
  5. Clear and affirmative consent will be needed before private data is processed and this will require an “active step” such as ticking a box. The Parliament is clear that “silence, pre-ticked boxes or inactivity will thus not constitute consent. In future, it should also be as easy for a person to withdraw consent as to give it.”
  6. Right to be informed in plain and clear language – MEPs have insisted that the new rules will put an end to “small print” privacy policies and that information should be given in clear and plain language before any data is collected.
  7. Clear limits on the use of profiling – new limits where automated processing of personal data is used to “analyse or predict a person’s performance at work, economic situation, location, health, preferences, reliability or behaviour”, including creditworthiness. Under the new regulation, profiling would generally only be allowed with the consent of the person concerned, where permitted by law or when needed to pursue a contract and should comprise a human element, including an expectation of the decision to be reached. MEPs also insisted that profiling should not lead to discrimination or be based solely on sensitive data, such as ethnic origin, political opinions, religion or sexual orientation.
  8. One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
  9. Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU.
  10. The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.

Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data, while giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.

The new rules will be backed up by harsh sanctions including fines of up to 4pc of a company’s global turnover if they don’t comply.

Driving interoperability adoption with the Kantara Initiative

Here at digi.me, we have three driving principles that inform and influence every step we take.

Two of them, you won’t be surprised to hear, are privacy and security – but the third is slightly less obvious. What is it? It’s interoperability, and it’s absolutely vital in the field of personal data ownership and control.

The ability for open data exchange, and for data from various platforms and businesses to be brought together in a reusable and useful format demands interoperability, which in itself requires common standards and ontologies.

If we are to bring (as we must to regain full control over our personal data) massively disparate sources of data together, and then require them to function together as a whole, at least for processing purposes, interoperability is the only way forward.

And so the work on advancing that becomes hugely important – which was a key reason behind digi.me joining the Kantara Initiative, as they are doing a great deal of pioneering work in this area.

Julian Ranger, Founder and Executive Chairman of digi.me, said: “It is important that we are leading the work to promote cross-businesss and cross-platform interoperability to allow individuals to maximise the use of their personal data whilst having full control.

“To this end, we have joined the Board of Kantara and are active within their Working Groups promoting development and adoption of standards for the Personal Data Ecosystem.”

Find out more about Kantara in this short leaflet summarising their most notable activities.

Sir Tim Berners-Lee: Loss of personal data control is an Internet tragedy

The loss of control over personal data sharing is one of the three biggest threats to the world wide web as it currently exists, according to its founder.

Writing an open letter in The Guardian to mark the 28th anniversary of his creation, when he wrote the initial proposal for what became the web, Sir Tim Berners-Lee said he has become increasingly worried over the past year about three new trends, which he believes  “we must tackle in order for the web to fulfill its true potential as a tool that serves all of humanity.”

And he is keen to see personal data control put back in the hands of those who create it as a major step to solving the first one.

Regarding this first point, loss of personal control of data, he wrote: “The current business model for many websites offers free content in exchange for personal data. Many of us agree to this – albeit often by accepting long and confusing terms and conditions documents – but fundamentally we do not mind some information being collected in exchange for free services.

But, we’re missing a trick. As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data and chose when and with whom to share it.

“What’s more, we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”

This, of course, chimes 100 per cent with the Internet of Me vision (image above), where individuals at the centre of their connected world are in charge of their data and what is shared and with whom.

This ideal world, as well as being at the heart of our personal data and company mission, will also be front and centre of the next version of our app, which will allow both more streams of data to be collected in a private library, and the capability for sharing slices of data with directly with companies for personalised rewards.

Sir Tim goes on to point out that this widespread data collection by companies has other impacts, notably increasingly giving goverments the ability to watch our every move online, which creates a chilling effect on free speech.

Combined with the two other major issues of the web making it too easy to spread misinformation and the need for greater transparency in online political advertising, he writes: “These are complex problems, and the solutions will not be simple. But a few broad paths to progress are already clear.

“We must work together with web companies to strike a balance that puts a fair level of data control back in the hands of people, including the development of new technology such as personal “data pods” if needed and exploring alternative revenue models such as subscriptions and micropayments.”

Ultimately, he said: “It has taken all of us to build the web we have, and now it is up to all of us to build the web we want – for everyone.”

 

 

 

UK’s data protection body issues GDPR guidance on consent

The Information Commissioner in the UK has drafted guidelines for what businesses and organisations handling personal data will need to do to comply with the new GDPR out for consultation.

In the draft guidance, the ICO notes that: “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data.

“When consent is used properly, it helps you build trust and enhance your reputation.”

The draft guidance’s key points include:

• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.

• Consent means offering individuals genuine choice and control.

• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.

• Explicit consent requires a very clear and specific statement of consent.

• Keep your consent requests separate from other terms and conditions.

• Be specific and granular. Vague or blanket consent is not enough.

• Be clear and concise.

• Name any third parties who will rely on the consent.

• Make it easy for people to withdraw consent and tell them how.

• Keep evidence of consent – who, when, how, and what you told people.

• Keep consent under review, and refresh it if anything changes.

• Avoid making consent a precondition of a service.

Overall, the draft guidance sets out how the ICO interprets the GDPR, key changes from existing data protection regulation, and its general recommended approach to compliance and good practice.

But it is also clear that the guidance will need to evolve both to take account of future guidelines issued by relevant European authorities, and according to experience once the law is in place from May of next year.

Digi.me’s Julian Ranger elected to MEF global board

Julian Ranger, the founder and executive chairman of digi.me, has been elected to the global board of Mobile Ecosystem Forum (MEF).

Digi.me is already a full member of the global trade body, and Julian has been working closely with MEF as part of the Consumer Trust working group to enable businesses to successfully take advantage of the transition to personal ownership of data.

As part of this, he has contributed to a major submission to the EU’s Horizon 2020 funding which would allow MEF to undertake trials and research, as well as introduced MEF to potential strategic partners and promoted its work to key personal data innovators.

He said: “I am delighted and privileged to be elected to Global Board of MEF, where I will be particularly supporting the MEF’s Trust and Personal Data initiatives and helping to develop interoperability requirements.

“As privacy becomes ever more a focus, especially with new laws such as GDPR, there is a strong belief that this presents an opportunity to businesses that embrace change with Trust rather than being a bar on business.”

In his election submission, Julian promised to focus on ensuring that MEF’s Consumer Trust initiative develops as the ‘doers group’ vis-à-vis other industry efforts – delivering value to members whilst addressing industry imperatives around research, interoperability and new use cases.

He also looks forward to supporting the Executive with dedicated introductions and business ideas to identify investment and partners to support these crucial activities.

Even if you ignore privacy, old-school data sharing is just so tedious

Technological innovation is a boon to time, to data sharing and to the imperfect nature of human beings who are far too capable of losing forever things that are precious to them.

In our time-poor society, there is a marked desirability for anything that does a task more efficiently – and that applies to the storage and search of personal data as much as anything else.

Consider an ongoing case study from yours truly. My parents being of an age where they are minded to get everything in order, piles of documents and photos have been arriving frequently from my childhood home.

These, encompassing school reports, baby pictures and all manner of things inbetween, are fascinating to look back on and hold emotional and entertainment value for me now, as well as potentially my children in the future.

But these flimsy paper and card memories have done well to get this far reasonably unscathed bar the odd coffee stain – and won’t last indefinitely unless I scan them to make them into a more permanent record by the standards of our time. Which, to be fair, is pretty unlikely.

Not to mention that they can’t simply be pinged over in an email, requiring physical transport as well as storage on arrival. So you’ve got to be very determined to share them successfully, and confident the recipient will like them enough to keep hold of them safely.

Consider the difference with photographs, in particular, now – synced to the cloud, stored on our phones or computers to leaf through at will – and its clear how much the shift to digital has revolutionised our data as well as our lives.

My parents are reasonably tech savvy these days, but my children will never know the delights (and frustrations) of waiting to get your holiday photos back from the chemist, so you could see what you’d actually taken and whether it was remotely in focus.

To them – to all of us, these days – pictures are as instant as the memories that generate them. And in all likelihood will survive longer.

Life still has to catch up with technology in terms of what happens to our collections of data after we die, but they exist at scale, and can be stored and shared with ease by both parties.

Which is pretty magnificent in itself.

 

 

Digi.me featured in The Economist as the way forward for personal data sharing

It’s always a delight to read a thought-provoking article in a news magazine you admire and find an unexpected reference to the good work your company is doing.

That was my happy experience earlier in the week, when the article, with a snappy tagline of ‘Should our bankers and insurers be our Facebook friend?‘ had already drawn me in (headlines like Big data, financial services and privacy have a tendency to do that.)

The piece is an explanation of what one contributor calls “an intensifying data arms-race in finance” – or the fact that additional factors, such as posts, language and tone on social media posts, are increasingly being used to help decide insurance premiums.

As ever when data is scattered freely without thought for potential consequences, having someone delving in your digital life that you didn’t expect to see there can go either way.

As the article explains: “Data can improve predictions of whether someone will fall ill or drive into a tree. Good algorithms are faster and cheaper than underwriters. Insurers also claim that the better they know customers, the more they can help change bad habits.”

Good potential use case -the insurer finds someone is about to do a bungee jump, but his or her life insurance policy doesn’t cover this – cue offering an add-on for a more tailored product.

But, as ever, there is a flip side as well: “The riskiest customers, and those offline, might be priced out. The more the industry relies on complex—and proprietary—algorithms, feeding machines that keep learning, the harder it will be for customers, and regulators, to untangle why they were rejected. ”

As the article makes clear: “Algorithms can be wrong. A bilingual speaker’s search-engine entries could look erratic; a social-worker’s location-tracker could imply a risky lifestyle.”

And since it is unclear how judgments are made, says Frederike Kaltheuner, from Privacy International, “you could get stuck in a Kafkaesque situation where you’re put in a certain box and can’t find out why, and can’t get out.”

While regulation, and indeed customers themselves, have a role to play in this, it is technology that will ultimately find ways to make this work for all parties. And that is where digi.me comes in.

“New businesses that give people more control over data, such as digi.me, which lets users share data only with those they want, hold promise. If such tools help users become their own data-brokers, they may be willing to share more data with their mortgage lenders or insurers,” the article states.

“But trust will truly be earned only if financial firms, old and new, get ahead of the game and start talking to customers about what’s really going on behind their screens.”

So, ultimately, leaving the customer out of the equation while mining their data is going to fall out of favour, and fast.

The individual at the centre of their connected world, as in the Internet of Me model, in control of their data and what happens to it, is very definitely the future.

 

Mozilla Internet Health Report: what lies ahead for the web?

As the web wraps ever tighter around us, Mozilla’s open-source Internet Health Report is investigating what is helping (and hurting) our greatest shared global resource.

The aim is to start a conversation with the “citizens of the internet” about what is healthy, what is not – and what lies ahead for the ecosystem as it continues to evolve, along with a proliferation of connected devices.

The initial version covers familar Mozilla topics like decentralisation, open innovation, and online privacy and security; through to newer areas like digital inclusion and web literacy.

Chosen because they are all deeply intertwined, Mozilla believes these issues and the choices we make around them have a deep impact on how the internet functions.

A Mozilla blog explains: “The Internet of Things, autonomous systems, artificial intelligence: these innovations will no doubt bring good to our lives and society. However, they will also create a world where we no longer simply ‘use a computer,’ we live inside it.

“This changes the stakes. The Internet is now our environment. How it works — and whether it’s healthy — has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies.”

So the health of the internet becomes of critical interest to us all, and we all need to play our part in creating a global movement to safeguard it.

The blog goes on to say: “We need to help people understand what’s at risk and what they can do.

“We have started work on the Internet Health Report at Mozilla for exactly this reason. It is an open source project to document and explain what’s happening to this valuable public resource.”

To find out more about contributing to future versions of the report, click here.

Ad-blocking up 30pc in 2016 as privacy becomes a hot button topic

A new worldwide report into ad-blocking has found that 615 million devices globally are blocking ads on the web.

To put that in context, that figure represents over one in ten people online, and is also up 30 per cent in 12 months.

The state of the blocked web survey, by Adblock, presents a combined picture of desktop and mobile adblock usage for the first time, and found that ad-blocking on mobile is exploding, particularly in Asia.

Key stats to be aware of:

  • 615 million devices now use adblock
  • 11% of the global internet population is blocking ads on the web
  • Adblock usage grew 30% globally in 2016
  • Mobile adblock usage grew by 108 million to reach 380 million devices
  • Desktop adblock usage grew by 34 million to reach 236 million devices
  • 74% of American adblock users say they leave sites with adblock walls
  • Adblock usage is now mainstream across all ages

Certainly privacy is one of the key drivers fuelling this phenomenon, as people tire of intrusive ads tracking them around the web, although the ads’ impact on page loading speed as well as bloated pages eating through data allowances are also significant factors.

So what does the ad-blocking surge mean for the privacy landscape?

Well, the numbers involved are obviously significant, which means we have a rapidly-growing online population that will modify online behaviour to avoid things that worry or irritate. And they’re doing it at scale, and across all devices, with the mobile ad-blocking increase predicted to hit North America and Europe next.

Also control is key – while this is not a revolt against digital advertising per se, rather the methods it employs, the internet population is increasingly showing it won’t be forced to watch or download things it doesn’t want to, because there is now another way.

With awareness around personal data issues also growing exponentially, this is heartening news – because the old ways are being disrupted in this industry, too, and technology such as digi.me is innovating in a way which again will benefit the consumer with minimal hassle to implement.

So all hail the ad-blocking army – user control and willingness to use a tech solution that shows a better way is good news for everyone driving the Personal Data Economy forward to a person-centred Internet of Me.

Major new privacy research shows worry for safety of personal data

New digital privacy research from the Pew Center in the US has found that nearly two thirds of Americans have personally experienced a data breach, and that a sizeable share of the public believes that their personal data has become less secure in the past five years.

The research, part of an ongoing series that has previously found that many  participants felt they had lost control of their personal data, was carried out midway through 2016, a year particularly notable for its cyber breaches.

It found that overall 64 per cent of adults who took part had experienced some kind of data breach. These included 41 per cent who had issues with fraudulent use of credit cards, 35 per cent receiving notices that some kind of sensitive information such as an account number had been compromised and 16  per cent having someone take over their email accounts.

Over and above this, 49 per cent feel that their personal data is less secure than it was five years ago – and the two entities they trust least to keep their data safe are the federal government and social media platforms. Interesting, 64 per cent also have at least one online account containing sensitive data such as health or financials.

So what can we learn from this? That the threat of having data or accounts hacked is alive and well, because current collection methods collate data from all users together, creating a massive honeypot for would-be hackers.

We can also conclude that people feel forced to entrust their data to businesses and services that they are not convinced will take care of it, because they have no other option if they want to access them.

Overall, this is a picture of an industry ripe for change and disruption – a new way of storing data that puts individuals back in control of what they create, able to hold it in a secure place of their choosing, and then do with it what they choose, on their terms.

This is a picture of an industry – and a society – very much in need of the Internet of Me – and we’re working every day to make that a reality as quickly as possible.