Everybody knows companies like Apple, Google, Amazon, Microsoft and Facebook. These companies are striking examples of platform businesses that have rapidly become an indispensable part of our global economy. Inspired by the tech-savvy leaders, major Dutch organizations such as Philips (the HealthSuite digital platform) and Rabobank (with the Global Farmers Platform) are now starting to leverage the digital platform model as well.
The rise of these digital platforms is notably due to the fact that the volume and variety of data generated on a daily basis are growing at an unprecedented rate. The use, transfer and creation of (personal) data are increasingly important to the success of digital platforms and also as source of revenue, i.e. Google and Yahoo employ a revenue model which is primarily based on delivering personalized advertisement, fueled by data streams.
As data has been dubbed as the currency of today's digital economy, there is a need to emphasize the importance of data protection in the digital age. Especially, since the success of digital platforms rise potential privacy issues. These issues need to be addressed and resolved if platform businesses want to evolve to their full potential.
A new EU-wide General Data Protection Regulation (GDPR ) will be enforced as of the 25th of May 2018, and places new obligations, especially on all digital platforms that handle EU data. Processing personal data of users is at the core of the success of a digital platform, so implementing the GDPR-requirements is inevitable.
Transparent: Data to be gathered transparently
Purpose: Used only for the collected purpose
Actual: Kept up to date and accurate
Security: Security protected
Individual: Deleted at the request of the individual
Large internet companies, such as Facebook, Google and Amazon, have a lot at stake in ensuring that their services are compliant with GDPR. E.g. as of 25 May 2018, these companies are no longer allowed to use the personal data they hold for advertising purposes based on profiling, without explicit user permission, as well as storing EU data in the cloud without complying with the GDPR.
One of the goals of the GDPR is to give people more control of their personal data. We believe that the GDPR is part of the response to the challenge of upholding information rights in the digital age, as the GDPR enshrines a wide range of existing and new rights for individuals, all in respect of their personal data such as the right to be forgotten and the right of data portability, and gives more obligations to organizations. Protecting the rights and interests of the individual has become extremely important since we live in a world in which we face an explosion in the quantity and use of data by platform organizations in an environment of extremely rapid technological change. When organizations do not adhere to individual rights, they may face serious consequences such as reputational damage.
Take for example payment apps; very handy apps for transferring money to someone else’s bank account. Besides your IBAN bank account number, PIN, location and transaction details, of which you are potentially aware of, a lot of other personal data is included as well; technical data pertaining to your device, contacts on your address list, direct debit mandate.
Let’s look at how these apps would deal with a right to be forgotten request: A consumer requests the closure of his or her bank account, which implies the end of the relationship. In this case the payment app has no longer right to hold the data of that consumer, for instance for marketing contact. In the theoretical case that the payment app is hampered by disparate and disjointed identity systems, and the consumer ends up receiving marketing material, this act would be a breach of GDPR compliance, as well as consumer trust.
Secondly, user data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Imagine for instance a health platform, which is aimed to connect devices and data from hospital to home. All players at the platform are only allowed to request such health data as is necessary i.e. to operate each client application (fueled by user data) and that both the platform company and the user have authorized to request.
Therefore, app developers for instance are allowed to access and use user data solely to develop (new) client applications for the platform. They are not allowed to use these materials to influence/speculate on price fluctuations or to sell user data to insurance companies, pharmaceutical institutions, hospitals etc. By taking this into account, the platform company would be compliant with GDPR in this theoretical example.
The GDPR will be enforced strictly and high fines are involved. Therefore, platform organizations should take steps now to implement appropriate technical and organizational measures in such a manner that processing of data will meet the requirements of the GDPR. Example measures are: encryption of data, continuous security monitoring, archiving policies, end-to-end data flows, and role based access. Insight in the environments in which personal data is being processed (dev, test, acceptance, production) and stored is important. At all times, data processing terms should be articulated to customers. In this way, privacy can be used as a ‘unique selling point’ and for storing apart from competitors.
Although, integrating these rules into an existing network of digital platforms is a complex challenge. One of key difficulties with the application of GDPR in a platform context is identifying and then allocating responsibility to the multiple stakeholders involved in processing data. The key task is to identify the roles and interfaces of those entities so that obligations and liability can be assigned appropriately. The GDPR-requirements apply to all the processing activities and data flows of digital platforms, the flow of personal data from internal and external sources into each platform and then via the network into every business connected to the platform.
The GDPR will come into force in all EU member states from 25 May 2018. The clock is ticking: are you prepared?
KPMG can advise you on various privacy aspects and help you implement the GDPR-requirements. We perform, among other things, Privacy Impact Assessments, Privacy Maturity Assessments, draft privacy programs etc. We can also advise you which technical and organizational measures you should take to secure your platform data. Furthermore, we can help you to seize opportunities that arise from the increased amount of platform data.
Author of this blog is Josephine Veerman, consultant Digital Advisory at KPMG. If you require any further information on this topic, please do not hesitate to contact Josephine on +31 20 656 8158.
© 2020 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. KPMG International Cooperative ('KPMG International') is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.