The GDPR and Data Privacy as a Human Right
In the wake of disturbing revelations from Facebook and others in recent weeks regarding the harvesting of personal information of millions of unsuspecting users, people are becoming increasingly curious and concerned about the ways that companies and organizations collect, use, and manage their personal data.
While the United States has relatively few regulations governing the collection and use of personal data, in many other places around the world data privacy is considered to be a fundamental human right. One of those places is Europe, where a recently enacted law, the General Data Protection Regulation (GDPR), sets legal standards for the collection and use of personal data belonging to citizens of the European Union.
At the core of GDPR are four key principles:
- A person’s data can only be collected for a specific purpose.
- The person must be informed of and consent to the purpose for which their data is collected.
- Only as much data as is necessary to achieve that purpose should be collected.
- The collected data must be deleted at the request of the person from whom it was collected, or when it is no longer needed for the purpose for which it was collected.
In short, GDPR asks companies and organizations to understand what data they are collecting and why they are collecting it, and to have mechanisms set up to manage that data. Although GDPR is a European regulation, it applies to all companies and organizations that collect, process and/or hold data collected from users in the EU, regardless of where the controllers or processors are based. Penalties for violating the GDPR are enforceable under international law and can be as high as €20 million or 4% of annual global revenue, whichever is greater.
While many have focused on the specific measures necessary to ensure compliance with GDPR prior to its May 25, 2018 enforcement date, it’s important to keep in mind that the law is much more than just a series of checklists. Many companies and organizations will need to fundamentally rethink core business processes relating to the collection, usage, and preservation of customer data, which will require participation by multiple departments and at every level of the organization.
Those that have not already done so will need to develop tools and processes to track the provenance of the data they collect, ensuring that data collected for one purpose is not used for another. They will also need to develop new policies explaining how data is collected and used in clear, understandable language, not legalese. Technical controls will need to be put in place to ensure that when someone’s data is deleted, it is permanently and irrevocably deleted everywhere that it exists, including backups.
All of this sounds like a lot of work, but if there’s one thing that’s become increasingly apparent, it’s that companies and organizations need to provide people with more transparency and control over how their personal information is collected, used, and managed. GDPR is not a perfect solution, but it provides a good starting point for organizations to begin handling their customers’ personal data in a more ethical and responsible way.
In the coming weeks, we’ll be blogging more about the steps we’re taking at Palantir to collect and manage personal data in a manner that not only complies with the terms of the GDPR, but also respects the fundamental privacy rights of the people with whom we work.