The Roadmap to GDPR, and Creating the Right to be Forgotten

It’s Monday morning and you open your inbox to too much spam. Do you wonder what happens to your data when you hit “unsubscribe”? Do you wonder whether it really disappears from the company’s records? Beginning this May, as the General Data Protection Regulation (GDPR) is introduced to Europe, we’ll finally know what happens to our data. And more than that, we’ll be able to control our data’s fate.

In the EU, GDPR is the long-awaited refreshed version of the Data Protection Directive from 1995. It represents one of the most significant data privacy regulations of the last several decades. Organizations that control and process their customers’ data will have to be compliant with this new regulation by May. Otherwise, they may face severe penalties.

So what exactly will GDPR represent? One of its truly revolutionary aspects is its geographic scope. The regulation’s jurisdiction extends to every company worldwide that processes data from the EU, regardless of whether it has headquarters or even an office there.

New rights and obligations for all

The demand for more clarity and transparency underpins the new regulation, so most changes are expressed from the point of view of the customers (or “data subjects,” as the regulation calls them). The regulation calls for data consent, the right to access data, and data erasure (also called “the right to be forgotten”).

Data consent calls for terms and conditions to be rewritten in a straightforward way, so people can easily read and respond before sharing their data with companies. The right of access entitles people to learn whether their personal data is actually being used, and if so, how and for what purpose. People will also be able to obtain a copy of their personal data in electronic format. The right to be forgotten lets people have their personal data deleted, limiting its further dissemination.

How can companies cope with the upcoming volume of requests if customers decide to exercise their rights?

Data privacy has become increasingly important as sharing information online becomes the natural thing to do, across social media and consumer brands alike. Companies want to ensure that the way they take care of people’s data does not compromise customer experience. Although there are perfectly good reasons on both sides to keep data, GDPR can be seen as an opportunity for companies to “clean house” and organize their data.

GDPR requires companies to maintain high standards in security and data protection. This is where Feedzai comes in, since we handle massive amounts of data every day, while also using the most advanced AI technology to protect the integrity and provenance of this data. Closely following the latest norms and staying compliant with rules and regulations is an integral part of how we operate.

The modularity of Feedzai’s machine learning platform makes it easy to accommodate new data sets, even as our customers’ databases undergo rapid change. In addition, encryption is a crucial part of the way we handle the security of customer data, with all sensitive data protected through tokenization. Our technology is about keeping data safe, fighting fraud, and balancing the sometimes conflicting goals of mitigating risk and improving customer experience.

As highlighted by Richard Harris, Feedzai SVP of Sales International, in a recent discussion on open banking, GDPR is intended to increase security in a post-PSD2 world with open APIs, and an increasingly frictionless payments architecture. As data becomes more relevant, readiness for GDPR should account for a strong security framework that will require updates in internal security and business processes.

A survey conducted by Deloitte asked a variety of companies from EMEA about their plans for GDPR compliance and whether they expected to achieve it in time for May. Surprisingly, the survey results show that only 15% of the companies expected to be fully compliant by the target date, despite having had two years to prepare.

Nevertheless, the survey also reports that companies have been taking several readiness approaches in the face of high penalties. The survey also shows that the regulation can be beneficial for companies, as 61% of the businesses recognize further benefits beyond compliance. Of these, 21% see potential benefits that go beyond competitive advantage, improved reputation and business enablement.

There is no kit or application that will make a business GDPR-compliant. The answer lies in creating a set of processes that will provide an answer when those “unsubscribe” requests start coming. Taking advantage of automation, and getting everyone on board, will be the best tactics to survive.

Additionally, important questions about ethical AI are surfacing as organizations begin to use machine learning for data integrity. For example, Feedzai’s Chief Science Officer, Pedro Bizarro, has developed an early version of an AI Code of Ethics that data scientists can use to protect the privacy of personal data and govern its use in machine learning systems. To read more about the role of ethical AI in fraud detection, download our ebook: “What’s Next for Machine Learning: Ethics and Explainability in AI Systems for Fraud?”