



What unintended consequences the General Data Protection Regulation could have

Mar 07, 2018 | 5 mins

Europe's General Data Protection Regulation could have effects you may not have realized watching webinars or listening to the consultants.


GDPR – General Data Protection Regulation – is a very well-known EU-driven regulatory framework, and most readers will be familiar with its essence. If you are hearing of it for the first time, here is a quick and dirty explanation. It codifies the ownership, accountability and rights of service providers and consumers alike and focuses on these main tenets – data portability, breach notification, data protection by design and default, data/storage minimization, opt-in consent, right-to-erasure, appropriate technical measures and evidence of compliance (if you're even more curious, here are more details).

Now that we are on the same page, I want to focus your attention on one important tenet – data/storage minimization. While innocuous sounding, this is huge. Adherence to it, or the lack of it, can really make or break an organization. How so? The cost of storage has plummeted – flash, hybrid, cloud – you name it. Especially cloud, where you literally have “unlimited” storage and as a result you do what any business would do – collect all the data in the world because you can, and the incremental cost of collecting another terabyte of data in a day (!!) is not even worth debating. And you have been doing this for years, sometimes even decades. And that results in a few new twists when it comes to GDPR conformance.

Do I start data minimization as of May 25, 2018?

I was having a conversation the other day with a friend who runs a small service provider outfit, and he shared with me that they were looking to dramatically reduce the time period for which they would retain data collected on any EU resident, down from years to literally four weeks. And this included everything – structured data, emails, PII etc. Unless otherwise required by law, as in an ongoing litigation, this was going to be their stance going forward. But it gets better: after assessing the overhead of having different sets of rules for EU and non-EU nationals, he decided to have a uniform rule for ALL his customers. So GDPR data minimization for all. #Wow. Is that a forward-thinking organization or a wonky one? Read on.

AI and machine learning anyone?

The easiest way to understand the stages leading to true AI is as the following four in sequence – “data discovery” leading to “data insight” leading to “prediction” leading to “action.” But it starts with “data discovery.” And as seen from the introduction, collecting data everywhere and constantly has never been an economic issue because of the dramatic reduction in storage cost. The mantra I often hear is “we will collect it now because we can, and we can analyze it and discard what is not needed later.” And good data insight and prediction of the future hinge on larger data sets to offset any biases or aberrations that smaller data sets can cause. What does that mean? It means the more we collect, the better our eventual AI algorithms will be. But that flies right in the face of “data minimization.” Or does it? The “collect now and analyze later” approach is the problem. If the time lag between data collection, insight, prediction and action can be reduced so that the whole process runs multiple times within the 30-day data collection boundary – as in the case of my friend – then data hoarding is never an issue. And the “insight, prediction and action” are enduring – they will live beyond the 30-day data destruction boundary.

What does it mean to you and me as consumers?

If, as a result of the above (that is, the service provider running a closed loop of discovery > insight > prediction > action), the consumer sees immediate and tangible benefits based on their talking, texting, browsing and sharing habits, it could be a really positive outcome for the consumer. Here is an example that has nothing to do with GDPR, but one that I bring up in conversations to highlight how analytics can help end consumers positively as well. Netflix – the poster child for analytics on AWS – has benefitted tremendously from your and my viewing habits to create hit TV shows. But let’s take my example – we were on the $9.99 plan, which included HD and simultaneous streaming on two devices. And then on a whim, one day I checked to see if they had a cheaper plan and lo and behold they did – a $7.99 plan which included SD and single device streaming only.

But get this – we have ONLY streamed to a single device ever and Netflix analytics knew this, except it was of no consequence to them. It was to me, though, and an email suggesting that a cheaper plan was available would probably have made a fan out of me. Except they did not send one, and I felt “violated” (I was as hard-nosed a product leader as anyone and maximizing revenues is great, but I also realize now that using technology to build enduring relationships with customers is a win-win in the long run). Anyway, where am I going with this? Immediate, impactful analysis of consumer data, and using that to build better solutions, could be a real win in this GDPR world.

So, there is my assertion about the “unintended consequences” of GDPR. Use data minimization as a trigger to do more real-time analytics and predictions, and turn around and give customers a better experience based on their current consumption patterns in real time. Isn’t that a different take on what GDPR could bring to us?


Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

A former hi-tech vendor executive in the cybersecurity and cloud domain, he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies, which he shares on his blog and in his talks. Ashwin is the author of “Mobile Security for Dummies,” and as a recognized thought-leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host with CISOs on podcasts such as the Cyber Security Dispatch where he bridges the education gap between what the security practitioners need and what the vendors provide; as a tech ethics evangelist he is frequently on main stage at conferences educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress, and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.