Consent, transparency, security, protection of data, Datastreams

Dear Santa, we need to talk about the GDPR

Dear Santa Claus, it has come to our attention that you are among the biggest collectors of personal data in the world. By our calculations, you collect personal information on more than 30% of young children in families around the world. Information gathered concerns whether subjects have been ‘naughty’ or ‘nice’, the geographic location of the bedrooms of children, knowledge about wishes and dreams and most peculiarly: sleeping patterns.

We can only assume that this information has been gathered through extensive data-gathering operations, rumored to be accomplished via a program termed ‘Elv3s’, distributed through the Rud01PF platform. With the GDPR fast approaching, we are concerned about whether your data collecting and processing activities are being conducted in a way that complies with the GDPR-regulation that comes into effect May 25, 2018. Because at Datastreams.io we are big fans of your charitable behavior, we would hate to see you fined up to 4% of your annual turnover. To avoid this, you might want to take a hard look at the following elements of your data processing:

• Consumers consent. While at Datastreams.io we know that you have nothing but good intentions, we also know that it is important to establish the lawfulness of your data processing activities. We believe that the lawful processing basis for your activities should be consent. We therefore advice to look at your consent policies, which are no longer up to date. Under the GDPR you will also be required to ask consent from parents before gathering information on their children. We’ve already written a guide on GDPR consent that may be useful to you.

• Transparency and disclosure. We understand you are a very secretive person, but it’s time to disclose some of your secrets. Specifically, which data you collect and how this data is collected and stored. You have clearly attempted to disclose some of this behavior in songs like ‘Santa Claus is coming to town’, but we believe this disclosure of information is not sufficiently written in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” as the GDPR prescribes. Furthermore, data subjects will need to know where to contact you if they want personal data deleted or lodge a complaint. It’s time to reveal where on the North Pole your company is, exactly. 

• Security and protection. Because you are, as far as we know, the only data processor working with the Elv3s software, we hope that you have taken possible privacy concerns into consideration when implementing your data solutions. Encrypting data and regularly testing your cybersecurity solutions will be integral to keep operating in a compliant way. Make sure you don’t forget to inform your data subjects in the event of a data breach. Because you regularly monitor data subjects on a large scale, you will also be required by law to appoint a Data Protection Officer. You can appoint one of your current employees as a DPO, or bring in help from outside. We’re sure many ‘little helpers’ will be happy to take on the role.

These are just a few concerns we have with your data processing policies, Mr. Claus. The Data Protection Officer you will hopefully appoint will likely point out more issues, such as the profiling of children as ‘naughty’ or ‘nice’ and the reliability of kept records. You might find your current data architecture incapable of dealing with GDPR demands, but no fear: our data stream manager & consent manager solutions will help you comply with GDPR demands in time, so you can work on getting us those presents we asked for…

Merry Christmas, Santa!

Control and protect data, collaboration data platform Datastreams

GDPR and data-driven collaboration

Many of us have heard about the EU General Data Protection Regulation (GDPR) and understand there are various obligations and requirements to comply with. If we don’t adhere to the GDPR, we are also aware there are big fines which will be levied by the data protection authorities. However not everyone is actively involved as part of their day to day role in working out how to bring all this together before the deadline is reached on 25th May 2018. Business carries on as usual, deadlines and KPIs need to be met…but increasingly the question is asked “are we GDPR compliant?” For those of us that are involved with answering this, it seems that some form of collaboration is inevitable.  There are very few organisations who can manage all of this themselves.

To deliver GDPR successfully, clients (data protection authorities, data controllers and data processors) and suppliers with relevant expertise in policy, people, platform and process need to work together. We’ve created a GDPR collaboration model of overlapping service and solution expertise from suppliers on the one side in order to meet obligations and requirements from clients on the other.

GDPR delivery for clients and suppliers, GDPR collaboration model

This is what we are seeing with our partners and their clients. At Datastreams.io we have expertise in GDPR ready, privacy by design software. In keeping with the “4 P” (Platform, Policy; People, Process) right hand side of this model, we therefore deliver a technology “platform” for our partners. These partners are in the main, data processors working on behalf of their clients, who in turn are data controllers. We empower data-driven collaboration by providing governed access to trusted data sources. Our Data Stream Manager (DSM) ensures instant, compliancy first data logistics for our partners and their clients. With the DSM they get the right data, in the right place, in the right format, at the right time.

Ok, so far so good and in terms of data-driven logistics – this alongside our consent manager – is what we are predominantly bought in to deliver. However, we completely recognise that this by itself is not enough to do everything that is required under the GDPR. Other software platforms might be required for other requirements and/or client use cases, for example tokenisation and pseudonymisation. In order to do this, our DSM easily connects with experts in that domain, such as our partner Protegrity. We therefore openly work with other experts across this collaboration model to help our partners.

Taking this model further it’s clear that if you want to achieve compliance across your organisation, you need to work collaboratively with experts in other areas as well. Do you have in house people expertise in the form of a Data Protection Officer (DPO) or do you need to outsource one? Do you have consultants (in house, or externally) who can deliver the technical and business-related process expertise for effective data management and governance? What about the legal advice you need to understand how GDPR applies to your organisation, your contracts, data processing agreements, policies and procedures etc?  Even the largest organisations aren’t always able to do all these things in house and this naturally this applies to SMEs as well as a practical step take a look at this next model, then think about these four areas within your organisation and plot the people or teams or partners you need to work with for each one.

Data processing, policies and procedures of Datastreams

You will soon see that to achieve what needs to be done in terms of GDPR at your organisation, will require some degree of data-driven collaboration. This collaboration will need to be resourced, contractually agreed, then managed and operationalised so that all parties are clear on what they are doing to deliver and do what is required in a GDPR compliant way. This collaboration needs to be robust enough to not fall foul of the data regulatory authorities and satisfy the individual rights of each and every EU citizen, whose data you might be collecting and/or processing. Don’t forget, this applies even if your organisation resides within the EU, or outside of it, come May 25th 2018!

We are open to data-driven collaboration to help our partners and their clients meet their GDPR requirements and obligations…are you?