Momenta Insights

Insight Vector: A Working Guide to GDPR

Written by Sandra Mueller | April 27, 2018


Innovation and market perspectives from leading IoT innovators

General Data Protection Regulation, or GDPR, is coming. We talk to Silvan Jongerius from TechGDPR to learn what it means, how it'll impact individuals and businesses - and how to prepare for it. 

TechGDPR is Berlin based business that aims to help techcentric companies working in sectors such as IoT, blockchain and AI become GDPR compliant. We deep dive into what technology they use and their business models and then basically do a gap analysis and figure out, ok where do they stand with their products and services and why do they need to be more GDPR compliant? - we say that because 100% compliance is something that is fairly vague and difficult to obtain.

 

Silvan Jongerius
CEO TechGDPR

 

Explain GDPR in a nutshell?

GDPR stands for General Data Protection Regulation, a regulation made by the European Commission that come into effect on May 25, EU wide. That means it applies to any company that has clients or does business in Europe. So not limited European resident or depending on your passport.  The UK also falls under the governance until Brexit is finalised. 

 

How can companies ensure their data is compliant?

There are difference levels of compliance depending on the kind of data that you deal with and how far you want to take it. Some companies want to be 100 percent compliant, and others want to make good first steps towards compliance. It's basically a risk-based approach to compliance and that means that companies will have to look at the data that they're collecting:  What is the impact to the privacy of the individual and how do they mitigate for that with technical and organizational measures?

A good example would be like, if I'm collecting an email address and a name and date of birth, information that has now basically say like a medium impact on privacy. So I make sure I use encryption wherever I store the data and make sure that no unauthorized people have access to it. Under the GDPR I am required to start building documentation around my data storage and protection process to make sure that I have an appropriate means to ensure that people's data is secure and that I only collect the data that is absolutely needed, and I can prove that whenever i’m audited. It's a whole package of things. 

 

How is GDPR compliance policed and what are the penalties for a breach?

More than anything else, it is your responsibility to build a case for being compliant so if or when you get audited, you can just supply a whole stack of papers. Every state in Germany has a data protection officer, and every European country has a data protection authority. This is an extension of their powers. An audit can be announced by the regulators at any time and they can commence an audit if they if they believe that there may be a reason to investigate, or more likely, they will act based upon complaints. So if someone has complained about a certain company not responding to an access request, for example, they might file a complaint and this would lead to an investigation and potentially an audit.

As well as the state and federal regulators, large and even small companies that deal with high-risk data are required to employ an internal data protection officer with their main responsibility to ensure that the company is compliant - their role needs to have a high degree of autonomy and need to report directly to the highest management level in the company, and they are also empowered to independently report any breaches to the authorities.

The fines are up to € 20 million or 4% of annual turnover. Previously in Germany, they were up to € 300.000 per company so you can see they taking compliance a lot more seriously.

 

I've heard the argument before by more than one startup in Berlin, that aggressive data privacy will stifle innovation. What's your take on this?

I've heard the argument before by more than one startup in Berlin, that aggressive data privacy will stifle innovation. What's your take on this? 

It's worth remembering that most processing data is still possible providing there is a legal base for it, such as consent. An advantage of GDPR regulations is that they require companies to inform people what exactly are you going to be doing with the data, how it will be stored etc. And if the purpose of the data changes, they need to either recollect consent, destroy the data or anonymize it.  

 

We hear a lot about blockchain technologies and cybersecurity, what is the impact of GDPR? 

The intersection of blockchain and GDPR is very interesting. In some respects, blockchain technologies are a means of securing data and the sovereignty of information. One thing that you're doing with blockchain is enabling trust between different people that it didn't previously trust each other. The immutability of the blockchain means that data cannot be changed or removed. However, this means that there are points of GDPR that just cannot be fulfilled for blockchain technology. One of them is the right to be forgotten and the notion that anyone who has given their data voluntarily can always revoke their consent, on which point the data has to be erased. Erasing data on the blockchain is not possible. So we are probably getting into an area where you can only say like OK do not store any personal data directly on the blockchain.

But then again what is personal data? An IP address is generally considered personal data so if these kinds of things make it onto the blockchain, you have a potential problem.

On the other side, there are products such as Jolocom, Civic, and uPort that decentralize personal information. With these you hold your own information within your own device. Even in a hacking scenario you create a high effort, low reward scenario. These applications allow you to hold onto your data and only give companies what they really need. And you can even do that with zero knowledge proof, so you can prove that something is true without revealing what the actual data is. Yet these things are not to the letter of the law, so it is still not comparable, as GDPR was designed for a client server model, not a decentralized or distributed model.

In all instances of trying to determine compliance, regulators are issuing guidance, but the only definite way is to wait for some cases to learn how they will rule.

Momenta's leading Strategic Advisory, Executive Search, and Investment practices, have been accelerating the growth of Connected Industry companies since 2012. Schedule a free consultation to find out how we can help you to accelerate your digital transformation journey.