Data security, data protection and GDPR – can we gather data anymore?

Data security, data protection and collecting personal data are hot topics for many public and third sector organizations. But the message Samu Hautala, CTO of Wondershop, and Juho Roimaa, our expert on data protection, want to share is clear: you can and should collect personal data.

What do data security and data protection really mean? What should we know about them if we want to measure social impact? And what do changes in EU’s legislation and GDPR have to do with them? We sat down for a chat with Samu Hautala, co-founder of Wondershop, the tech studio developing our technology, and Juho Roimaa, the lawyer in charge of We Foundation’s data protection matters.

Think of data security as a bank vault 

Data security and data protection are terms that get mixed up easily and often you see them used interchangeably. So if you’ve gotten them mixed up, worry not! Data security and data protection are not synonymous but refer to two different things. Samu and Juho use money and banks as an example to clarify: 

“Think of personal data as money in a bank and data security as the bank vault where the money is kept. Data security is how the personal data is kept safe, just as the vault keeps physical money safe. In my role it’s my responsibility to ensure that our social impact measuring tool has an unbreachable vault - strong data protection, so that all personal data is safe”, explains Samu.

Juho nods and continues: 

“Exactly. And to add, data protection is the understanding of who is allowed to enter the vault and has access to the money. As the lawyer in charge of our data protection I work to ensure that all legal aspects of data protection are covered and in top shape, and that we talk about these topics as understandably as possible. But to sum up, data security is the umbrella term that also encompasses data protection.”

Samu Hautala thinks that one of the most common misconceptions is that data security and data protection are either or -questions, that organizations deal with either perfectly or completely wrong: 

“Instead there are many different banks in the world with different vaults protected in different ways and on different levels. The type of vault and level of protection are defined by how valuable the contents of the vault are.”

“And even the most perfect vault in the world is still guarded by imperfect people”, adds Juho. 

One of the most important steps to planning good data security and data protection is defining the level of sensitivity of the data. Are you collecting data on a low sensitivity level, such as name and address, or highly sensitive data such as information on health? Our tech development team has made a conscious decision to only collect low sensitivity data and made sure that the questions don’t lead participants to give out information on for example their children’s allergies. This kind of health information is considered highly sensitive data that needs to be protected diligently.

GDPR brings unity and transparency to personal data collection 

In 2018 the EU’s new General Data Protection Regulation (GDPR) was implemented and raised a lot of discussion. But what should one think about it all?  

“GDPR is meant to unify protection of personal information and especially the rules of commercial transactions where personal data is used in the EU. The regulation strengthened transparency and individual rights. We already had good data protection legislation in Finland, so to us the change was mostly in accountability and defining clear procedures for cases of breaches”, Juho sums up.

Accountability means that organizations have a duty to demonstrate compliance with data protection regulation. For example, individuals have the right to know when their data is gathered and the right to decide what data is gathered.

Samu compares clear procedures for cases of breaches to laws regulating consumer affairs:

“GDPR is like a consumer protection policy on the internet that focuses on personal data. If you receive a faulty product you have a clear, predetermined right to return the product or have it repaired. Consumer protection regulations don’t guarantee that products never get broken, but before regulations all you could do was live with your disappointment and broken product. GDPR aims to do the same with personal data by keeping the rights of the individual at the center.

Information must benefit both parties 

So GDPR has unified the use of personal data in the EU and catalyzed active and systematic development of data security. Juho explains:

“Data security is no longer a matter of opinion but something all organizations aiming to strengthen individual rights and democracy in the EU need to take into account and advance.”

At the same time it is good to acknowledge that all things that produce value always have a market - this is also the case with personal data. This is precisely why the individual has to also benefit from allowing the use of their data, as Samu emphasizes: 

“Disclosure of personal information and collecting it is a transaction that has to create value for both parties involved. For example, those disclosing personal information in the social impact measuring tool that We Foundation has developed benefit in the form of services better suited to their individual needs.”

The main priority in developing the data security and data protection of We Foundation is to create and nurture trusting relationships with both the individual disclosing information and the organization using the social impact measuring tool. The process of collecting data has been developed to benefit the individual and data protection is the cornerstone of all technical developments. Our technology has also been audited by a third party. With regular audits we can ensure that our system is safe and low risk. 

”At the moment we see our systems’ comprehensive coverage of data protection and highly developed data security as its unique features, which we hope to see become everyday features in all products in the future”, says Samu.

So, should you collect and disclose personal information?

“You should, without a worry”, smiles Juho. 

Three tips from Samu and Juho for developing data protection and data security: 
  1. Start by figuring out what kind of data you are collecting. Is it personal data? If it is, what level of data? Do you need classified information or low sensitivity data? How should it be protected in accordance to regulations? We help our partners figure these things out before implementing our impact measurement tool.
  2. Make use of data security auditing. Would you trust your bank more if they assure you everything is fine, or if a third party finance auditor proves their claim to be true? Data security is a specialty subject and you should listen to what experts on the field have to say. 
  3. Take human factors into account. Data security is more than a technical process, it involves humans producing and risking data. Try to identify potential potholes and places where human errors are possible and take them into account when developing your data security. 

Here you can read more about our social impact measuring tool and its data security that Samu and Juho helped develop.

In the next part of our data security, data protection and GDPR blog series we talk about what organizations should especially focus on when collecting personal information on children.