The European Union's General Data Protection Regulation is a genuine renaissance for data protection – and not just for the EU, but for all humanity.

Credit: Michael Coghlan

This is not “yet another” article spooking you with the eye-popping “Fines of up to 4% of revenue or 20 million Euros for failure to meet GDPR regulations.” There are plenty of webinars, self-styled GDPR analysts and experts who are drumming up fear of the looming GDPR May deadline. Granted, some may be motivated to educate, but the bulk are hoping to monetize the spend that goes into data classification, encryption, key management and the like. That is fair if you are a business looking for a compelling event to monetize, but I believe we are selling ourselves short as a technology community. There is a higher moral ground that we need to strive for.

That higher bar I refer to is a different expansion of the GDPR acronym: Genuine Data Protection Renaissance. Before you fall off your chair, let me explain. The main tenets of GDPR – data portability, breach notification, data protection by design and default, data/storage minimization, opt-in consent, right to erasure, appropriate technical measures, evidence of compliance – are an amazing codification of laws that every service provider and vendor on this planet, whether or not they are covered by the regulatory framework itself, would do well to make an integral part of their DNA and offering, for their own existence and their customers’ well-being. Sound like fiction? Let me explain.

1. Data portability

With the cost of storage plummeting, sensors everywhere and the need to understand your customer “deeply,” collection of data is becoming the norm (see #3, where I talk about this issue). But if, along with this collection, there is a consequential and moral decision that all this data needs to be portable and can be handed over to me, the end customer, on demand, imagine “what a wonderful world it would be.”

2. Data protection by design and default

Again, every piece of data that is collected needs to be, by definition, secured. Period. That becomes the design criterion for every product, architecture and service. I can sleep soundly at night.

3. Data/storage minimization

I have heard this phrase at least a hundred times just in 2018 across vendors and service providers: “We collect data because we can; we will decide later what to do with it.” #Stop. Just because you can doesn’t mean you should. And this tenet codifies that. Stop instrumenting me all the time.

4. Opt-in consent

If I did not explicitly say “I do,” it means I said “I do not,” because by default I always say “No.” And that does not mean that you, Mr. Provider, paralyze me with a 60-page EULA that I have no option but to accept without knowing what I am saying yes to. There is a better way. Let me know what data you are collecting, why, and how I can revoke that consent at any time. #Easy

5. Right to erasure

The digital exhaust that I continually leave behind is something I am blissfully unaware of, so if you can provide me with an “easy” button that I can hit at any time to have all my bits erased for eternity, I will breathe a lot easier and trust you a whole lot more.

6. Appropriate technical measures

This is all you. Not just adhering to a regulatory framework but going above and beyond a “box-check.” Now that is truly raising the bar: appropriate technical and ethical measures. #Wow

7. Evidence of compliance

If you did all the above, then this is a piece of cake. Log everything; provide a forensic trail. But there is a catch. Frequently, this is an escape hatch: it is so much less arduous to do just enough to show a ‘best effort,’ so that even if a data breach happens you do not get fined. That is subversive, escapist and downright immoral. Organizations that turn this attitude on its head and truly make this a no-brainer because they did #1–#6 right will eventually win.

So, there you have it.
A genuine renaissance for data protection. Not just for the EU but for humanity.