GDPR: Whose Data Is It Anyway?

By Nigel Tozer

Even those who place their ear to the ground infrequently will have heard of GDPR (General Data Protection Regulation), the stringent European Union privacy regulations set for enforcement beginning next May. As a reminder, even if you’re not an EU business, but trade there, it will affect you. Get ready or face a hit on your business activities from a number of directions.

At the core of GDPR is personal information – the data trail created by every individual these days. But whose data is it? The individual’s, or the business that collects and uses it? It’s an interesting question.

The Business

Let’s say you have a business. You collect and process data using your own IP and infrastructure, which cost you a lot to build. So it’s your data, right?

Well, you’d be right in most cases. But now you have to consider that GDPR will mean you need to ask for consent to collect and use it, and that it also turns you into a custodian with responsibilities you didn’t have before. For data that doesn’t have to be kept for legal reasons (such as transactions), the individual or subject of the data can make demands of you and has those rights protected by law. At the heart of GDPR is the individual’s right to have that data kept secure, and your duty to notify the subject if data pertaining to them is compromised.

Think of it like this: Big business monetizes personal data, just like a bank uses your money to generate profit. In just the same way, beginning next May, it will be a business’s duty to protect that data like a bank protects its customers’ cash and keeps them informed. In the same way that you can take your money out of a bank, GDPR also mandates that an individual can request to be forgotten, effectively removing their data from the business. In fact, under GDPR, an individual can also ask for data to be transferred elsewhere, just like a bank transfer.

Data has been likened to currency many times, but the individual has never had the power over their data like they do their money. GDPR is there to redress the balance to some degree.

The Individual

Continuing the money analogy, an individual has choices for only some of their data. Just like your cash, some data is collected like tax – it’s notionally yours, but you never really get hold of it. Think of this as the information collected about your mobile devices, Internet searches or social activity. Then there is the data that really is yours (personal documents, photos, etc.) and you choose to put it somewhere, such as a cloud storage service. If you do that, is it still your data? Heck yes!

Unlike a bank, though, you really have to think of the cloud service as more of an investment. While you’re (probably) not going to make any capital from it, you could actually lose it. GDPR will help you here again, in that your data should be kept securely, not snooped on, and kept available. What it can’t do is guarantee that the data can’t be lost, so ultimately it’s up to you to create a backup copy. This is actually no different to a business using a cloud service. Those cloud services you rely on all have the same words in their terms and conditions: your data, your responsibility.

That’s where the data/money similarities end. You can’t take a copy of your money like you can your data.