MAR 9, 2018
Protecting your Genetic Data Under the new GDPR Regulations
In GDPR we trust. 25th of May 2018. This is the date the relationship between consumers and tech companies changes forever. The emergence of big data trends in the past two decades nurtured and swaddled its growing but largely oblivious user base. The users kept coming and the tech kept improving, our lives churned into an exponentially swelling sea of exploitable data, 90% of which was created in the last two years alone! But the climate of awareness matured, and 2012 heard the first rumblings for a generalized data protection bill. Fast forward to the 14th of April 2016 and EU General Data Protection Regulation (GDPR) was approved by the European Parliament. Any organisation collecting and using data on human beings would now have no choice but to regard their subjects or customers through a new lens of respect and dignity. One which enshrines the rights of the individual and espouses three core tenets: consent, transparency, and accountability.
So, after a two year grace period everyone is nice and prepared and sunlight green pastures lie await in late May, June, and beyond for all. Or rather, a subdued nervous chill seems to be setting in. The Met office might as well name the next big Spring storm GDPR not ‘Beast from East’ or Kevin or something equally imaginative. In a world where data governs our everyday lives, the advent of a sweeping crystallization of human data rights can only be a Good Thing. But are data fueled companies prepared? Will innovation be catalyzed or stifled? And will the newest generation be able to thrive in their new landscape?
How prepared are companies?
Right now, more than two-thirds of British companies claim they are having trouble implementing this new level of data management security, despite spending an average of £1.3 million to implement preparations. 69% of the 750 IT companies surveyed by Claranet’s recent study Beyond Digital Transformation indicated the shortfall, and around a quarter of London firms are reported to be unaware of GDPR’s existence.
The challenges in restructuring centre around the obtaining of consent from individuals for profiling and data collection, with clear definitions of data types and uses. This requires an underlying architecture that is granular and traceable to understand where the data is located, how it is moved, and to whom, with logged consent for every application. Data ownership is now placed firmly in the hands of the customer/user, meaning they have the right to see and download all data pertinent to them held by the company. Individuals can demand a full report of their data, meaning it must be retrievable and easily compiled. Individuals can also demand an explanation of whatever processing is involved in the service provided, potentially leading to headaches where AI algorithms have been allowed to train themselves into a black box.
The right to be forgotten is a key element that causes some level of consternation with both old and new companies. In the boom age of Google and Facebook, we became warily comfortable with the fact that reams of data exist on us somewhere, dormant on some cold storage facility in deep America. Now, an individual’s data history must be able to be dredged up in its entirety and deleted, should that individual wish. This could also be a headache for the block-chain bandwagon, with open traceability and transparency being at odds with privacy and data deletion, where removing an element breaks the chain. And on the cyber-security side of things, alerts must be sent out by a company in the event of a data breach within 72 hours, something only 18% of companies are ready for.
Catalyst or damper on innovation?
By enshrining rights of the individual will there be a damper on innovation? Not necessarily, the data will still be out there, it just needs to be coaxed from people in a more ethical manner. In the consumer genetics field, there is a shift to empowering individuals with choice of how their data is used. Market places are emerging for individuals to sell access to their genetic data, or provide it for specific services. Small companies growing now are potentially at an advantage, with no choice but to mould themselves around the pillars of the GDPR, the new wave of tech and health tech should be one step ahead.
Being ready to bow to the onslaught of data requests from individuals may become an essential part of surviving the start up journey. Heightened publicity making people more likely to exercise their newfound rights, just because they can. The trust element of brand compliance and upholding of data rights will therefore become a pillar for of any young company. And with little or no history from the free-for-all days it will be theirs to lose in terms of getting data security right. This is all highly relevant to anyone who happens to be starting a company that will be gathering and processing contextual and genetic data from the consumer. As we build Chronomics we feel lucky to be putting roots down in the most highly scrutinised data environment to date. To embrace the values of data protection in the time of the empowered user, we need to go beyond mere compliance and become their champions.
The Chronomics Epigenetic Test is the first test in the world that allows you to sample the epigenetic information in your DNA in order to improve your health and wellness