Paul Vallée is CEO of Pythian, a global data and IT services company that helps businesses leverage disruptive data technologies and a founding member of the Council of Canadian Innovators
In today’s digitally fuelled economy, where data is considered by many to be the new oil, 2018 is proving to be one of the most controversial years for data governance. Fresh on the heels of Cambridge Analytica’s misuse of Facebook data, the federal government has even addressed data privacy in a new election reform bill – just in time for the 2019 vote.
This announcement coincides with May 25, the much-anticipated go-live date of Europe’s General Data Protection Regulation (GDPR). The threat of steep fines for violations – up to €20-million ($30-million) – or 4 per cent of a company’s global annual revenues, whichever is highest – has CEOs and CIOs understandably on edge. GDPR raises a critical question that Canadians can’t afford to overlook: Where do we stand as a country, and as a global society, on the issue of data privacy?
A national data strategy can provide a level playing field and clear framework for all Canadian stakeholders on data issues and the basis to maximize the opportunities and manage the risks of the data age. We could position ourselves as leaders on the privacy front, showing the world we’re serious about data and privacy and leveraging Canada’s national brand as a jurisdiction where trust, accountability and transparency are the cornerstones of our success as an open, liberal democracy.
GDPR is likely to become the de facto global standard for data privacy legislation. While Canadian companies have enjoyed an “adequacy exemption” under Europe’s Data Protection Directive since 2002, GDPR’s advances puts this in jeopardy – and policy leadership will be required to preserve our privileged position. Compounding the challenge, a NAFTA renegotiation is underway, and we should be exceptionally cautious about references to “data” in NAFTA, and ensure that any provisions are GDPR-compatible.
In a compelling paper, Dan Ciuriak of the Centre for International Governance Innovation, argues that data are not treaty-ready, and Canada should be cautious about entering into international commitments as the implications are currently unclear.
A national data strategy designed to meet the requirements of the Canadian economy, sovereignty and citizenship, could provide clarity and peace of mind for Canadian businesses that operate on a global stage.
To make this happen, we need to re-examine our data practices, seize the moment and design a national strategy that would permit data-driven companies to operate within a standard framework where compliance with privacy laws that apply to us is verifiable. This strategy could be executed through one of the mechanisms that GDPR encourages, such as a code of conduct or a certification, and could be developed in co-operation with organizations such as the CIO Strategy Council, the Council of Canadian Innovators and implemented by organizations accredited by the Standards Council of Canada.
While privacy regulations aren’t new, the GDPR shakes things up for a few reasons. First, it is extraterritorial: Anyone wanting to do business in the EU has to live up to the same standards that apply to companies in the EU. Second, it empowers individuals to control what others do with their information – including giving them the right to be forgotten. And last, but definitely not least, the consequences of non-compliance are severe.
All of this makes GDPR a nerve-racking prospect for organizations already struggling to control the movement of their data because there’s so much of them and because the boundaries of the enterprise are more porous than they’ve ever been, with remote and distributed work forces and collaborative integration with partners and suppliers.
So, in one corner, we have companies generating mountains of data that they need to control and want to leverage for different purposes, from economic growth to better public health, and everything in between. Today, advances in big data analytics, machine learning and the Internet of Things raise the stakes as they offer highly sophisticated ways of doing this, by developing insights into patterns that can help businesses and governments make informed decisions. This is a good thing, right?
However, in the other corner, individuals need their privacy protected – and to have control over what others do with their personal information. Regulations such as GDPR are, in effect, giving back something that already belongs to them in the first place.
A national data strategy implemented through a certification mechanism could give us the framework where lawful uses of data by companies and governments and privacy rights of individuals co-exist harmoniously.
The road to a national data strategy may be complex, but it would be worth it, both to position our country strongly for the global data future and also to serve as a beacon for others dealing with similar issues. The opportunity is ours for the taking.