The use of personal data in recent years has prompted disruption, initiated digital transformations, increased competition and raised awareness of the issues associated with security, privacy and identity as never before. The market is changing quickly, and the responsibilities of companies and their service providers are not only becoming ever more explicit but also demand a more balanced approach to the management of personal data. This presents a number of challenges in terms of assigning responsibilities, not least due to new and far-reaching EU legislation that includes the General Data Protection Regulation (GDPR), the Electronic Identification and Trust Services regulation (eIDAS), Anti-Money Laundering 4 (AMLD4) and Payment Services Directive 2 (PSD2).
The introduction of GDPR in May 2018 will have a significant impact on all companies, including many outside Europe, involved in the processing of EU citizens’ personal data. Supervisory authorities will have a number of broad powers including the ability to impose severe penalties for non-compliance.
Nevertheless, it’s not all doom and gloom, as with new obligations also come opportunities for businesses, especially where there are new data sources and new ways to improve and re-invent technologies, systems, and processes to be more trustworthy. This is especially the case with the role of Fintech and PSD2, and improvements to data portability and mobility, self-sovereign identity and access to global services. In addition, eIDAS presents great opportunities to streamline identity verification and the legally-binding use of e-Signatures.
These legislative changes in the EU have further heightened the need for awareness and focus on the management, security and protection of personal data, especially in a regulatory context. From recent ‘right to be forgotten’ cases through to data mobility and privacy, these topics are inextricably linked and affect consumers and businesses alike.
Despite the best efforts of lawyers, consultants and journalists, as well as specialist vendors and service providers, to spread the word, remarkably few companies are taking steps to prepare, especially for GDPR. Most very large companies either have their own CPO or access to external advisors who can help them with advice. However, this is not the case with SMEs, which could remain blissfully unaware of the changes and the consequences until it is too late.
Understanding who is interested in leveraging personal data, and how, why and when, and how to protect the interests of the concerned stakeholders with more trustworthy technologies, systems, and processes, is critical, especially where new sources of personal data start to open up. Moving beyond social into mobile operators and indeed financial data, the opportunity to leverage better, richer, more accurate sources of data than traditionally provided by data bureaux is now here. Empowering consumers and citizens with their personal data is a trend that will only increase over the next few years and will be essential for trust between all these parties.
Working Group Approach
This working group will focus on a practical approach to dealing with these new requirements and responsibilities and is designed to support SMEs and innovators who are dealing with these issues but are unfamiliar with the changing legal landscape.
A: Guidance and advice for citizens and businesses, particularly SMEs, on how to operate in a best practice approach in a privacy-driven world as well as educational materials that can be taken to industry, startups, SMEs and others to help establish a common and balanced understanding of these critical issues.
B: GDPR Compliance
- An analysis of the clash between GDPR and PSD2 and the challenges in implementing them
- An analysis of the gaps between GDPR and eIDAS trust services
- An analysis of the overlap and differences between GDPR and ePrivacy
C: Practical Implementation Support
- An overall architecture with building blocks and what’s missing
- Demonstration platform for electronic transactions leveraging an updated GTAC
- Interoperability of technology service providers
It is intended to address A and B first, and to start work on the practical demonstrator in the second half of the year.
The intention is to disseminate the educational material as widely as possible, whilst in parallel maintaining an ongoing consultation with the appropriate departments of the EC as well as holding a one-day workshop with external stakeholders later in the year.
The initial scope for this working group is 12 months from 2 February 2017.