The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25th, about two weeks from now. In the news it is often being called “overreaching” and “impractical,” but its objective is to place control of personal data back in the hands of the EU citizens. Maybe I’m “old school” (aka dinosaur), but I believe in privacy and the ability to protect my data. Why? Look at these recent events.Let’s start with the Facebook breach of 85 million users. Most people joined Facebook to maintain relationships with family and friends. It’s free and convenient. But that old saying, “There is no such thing as a free lunch” is really true. Facebook is “free” because they are collecting and selling your data: your likes, dislikes, preferences, habits, and on and on. No one who joined FB ever thought their data would be illegally used to alter a presidential election. Or that foreign nations would use the platform to influence our election process using fake news.
A few weeks ago, the news reported that the major DNA testing services such as AncestryDNA and 23AndMe are all collecting their customer’s DNA information and creating massive databases. People haven’t paid attention to – or chose to ignore – the privacy agreement included in the kit. And yes, they do state that they can keep and use your data. What are their plans for the data and these databases? Time will tell. But if they choose to use your data improperly, the chances of you finding out about it are slim.
Probably the highest profile news item this past month is the possible capture of the Golden State Killer, the most prolific unsolved crime spree in U.S. history. Why is this included in this blog? GEDmatch, a very small genetics matching service was key to cracking this case. People can upload their DNA analysis results into GEDmatch to locate possible relatives. The police uploaded the DNA information of the Golden State Killer into GEDmatch and searched for possible relatives. The police traced family trees back to people who lived in the 1800s and reviewed genetic data of several thousand people to arrive at the suspect. Think about that! If the police can do that, anyone can, including cyber criminals. The value and impact of your genetic “fingerprint” has yet to be determined, but I’m confident it will increase over time.
Ten years ago, I could not have imagined how hard I work now to protect my personal information. I have no doubt in the future I will have to work even harder to protect personal data including my genetic information. Many companies are building extensive databases on all of us through our day to day activities, such as Facebook and Equifax. Should I have the right to understand the data being collected about me and how it will be used? Should I have the right to have my data deleted by a company I choose not to support? I say yes! And that is what the European Union General Data Protection Regulations (GDPR) strives to deliver. By today’s technology standards, GDPR seems far reaching and overbearing because some requirements may not be practical to implement. Over time however, technology will evolve to solve these limitations. Facebook has publicly stated it will be GDPR compliant. As a result of the breach, I requested my Facebook account be deleted and discovered it could take two weeks to delete my account! That means the deletion is not automatic – people are involved, and it’s possible that all data won’t be deleted. Yes, I think we need a personal data “undo” button!
If your organization is concerned about GDPR and how it can affect your business, don’t hesitate to contact us at: compliance@thirdrock.com. We’ve recently added GDPR readiness assessments to our CyberCompass™ software. Third Rock’s CyberCompass™ software automates and simplifies cyber risk management for companies of all types and sizes.