Now, even Facebook’s is calling for GDPR-like national data regulations. Mark Zuckerberg His goals are laudable. He wants to give consumers more rights to control and protect their information. Yet his comments do not fully consider an often-invisible group in the world of data regulations. These are small- and medium-sized enterprises (SMEs), such as startups. Without armies of lawyers to hire, they to follow complicated laws. Some even shut . States that stifle SMEs lose out on , , and . struggle down innovation jobs inclusive growth I urge lawmakers to not forget about this group. Data leaders should learn from conversations happening around the world, not just the E.U. Look at the Asian Pacific Economic Cooperation (“APEC”), for instance. Its Business Advisory Council’s Data Expert Roundtable, at which I participated a few weekends ago, evinced a stark concern for SMEs. As one discussant asked, “How do we help not just the big banks, but also the fintechs?” There, I listened to how SMEs were struggling — just like the companies I work with through , where I help scale compliant, ethical data analytics. (“Ethical” is a mouthful. Ethical companies, I believe, look out for their customers’ best interests even when they’re not looking — by weaving data protection principles into the very fabric of their infrastructure and business strategies). Immuta Three takeaways stood out. While I draw these lessons from the roundtable, they can apply to any effort to impose new data regulations: Amplify existing efforts to make compliant, ethical data governance cheaper; Promote a data sharing standard; and Embrace privacy-enhancing technologies. Amplify efforts to make ethical data governance cheaper Right now, companies with the largest compliance teams — not SMEs — are , as I discuss in TechCrunch. Citigroup, for instance, reportedly hired lawyers, auditors and compliance officers in 2014. set up to win 30,000 New technologies help companies navigate rules embedded in text. Technology easing regulatory compliance is “regtech,” while those helping with contracts and litigation is “legaltech.” These embed best practices into their design, no longer relying on static word processing tools. For instance, Turbo-tax-like forms or drop-down menus help SMEs make good corporate policy or contract decisions. Natural language processing highlights risky provisions quickly. APEC has an amazing opportunity to amplify leaders in its own backyard. Singapore, for instance, announced a nationwide “Legal Tech Vision Roadmap.” Even the country’s has called for lawyers to further embrace technology. Due to such efforts, experts have Singapore and Hong Kong leaders in the space. Chief Justice named , , , , and to share and test best practices are a few ways APEC can amplify existing efforts. This is regulatory innovation that both boosts its smallest players and protects its citizens. Forums ecosystem investments techsprints sandboxes pilots Promote the adoption of a data sharing standard SMEs, as participants highlighted, struggle with ambiguity. They desire specifics, often because they lack the lawyers to guide them. Yet, being too specific risk policies becoming irrelevant or misused. Instead, APEC can lead by working with industry professionals to develop standards. This policy model is called “co-production” or “ .” co-regulation In highly-technical fields with big money at play, such models may be necessary. For instance, the Environmental Protection Agency (“EPA”) used this model in the late 1970s. The EPA could not meet stringent for toxic substances. Congress’ failure to define “unreasonable” toxic risk, furthermore, paralyzed the EPA. To protect consumers, the EPA had to rely, perhaps dangerously, on corporate voluntarism. testing requirements The state, instead, can lead. Learning from the U.S. Core Data for Interoperability (“ ”) for healthcare data, APEC can invest in discussions about a “Core Data” standard. It may identify data to share, key metadata, and protective measures, such as deadlines for data breaches. These standards evolve as technologies and new risks do. To promote adoption, APEC might provide a limited safe harbor for SMEs who comply. Healthcare data experts the same for the USCDI. USCDI advocate These are broad sketches on a very complex topic. But with APEC’s leadership, SMEs can start getting the guidance they’re looking for — and safely serve their customers better. Vet privacy enhancing technologies (“PETs”) As participants discussed, best practices for protecting data should not be binary choices — encrypt your data or not at all. In fact, privacy practices like these hurt SMEs the most, who lack data. To keep up, SMEs want to share, collect, or use lots of data. But binary tools tempt SMEs to remove protections. And SMEs that leak unprotected sensitive biometric data may go bankrupt soon after. Instead, SMEs can also gain more data by using PETs like differential privacy. Differential privacy limits users’ access to summaries of data, such as averages. It then injects noise into those summaries to create . Ethical SMEs can use differential privacy to , helping them overcome data scarcity. Yet, they can also prevent scenarios where malicious parties sensitive data. For these reasons, it’s a staple of toolkit. provable guarantees of privacy pool and share data safely reverse-engineer Apple’s APEC can consider incentivizing PETs, perhaps as part of its standards. If all a company’s data was differentially private by default, stolen data would hurt consumers less. Noisy data summaries are difficult, if not impossible, to link to specific individuals. Once APEC vets these tools, innovators will spend more to put such PETs into practice. And as the use of PETs becomes more common, more SMEs will understand how to use them — and, ultimately, escape Catch-22’s that harm innovation and privacy alike. An opportunity for data leaders to lead the pack APEC can ensure SMEs thrive, and not become stifled, in the emerging data ecosystem. So amplify existing efforts. Promote data standards. Vet PETs. APEC has an exciting opportunity to distinguish itself in a . rapidly changing landscape It must protect its citizens and boost its smallest, often-forgotten, players — who help their economies thrive. To stay ahead of this rapidly changing data landscape, take a look at my white paper “ ” I compare regulations not just from the EU, but also from California, China, and India to sketch trending data protection principles. GDPR Is Just The Beginning: 7 Principles To Stay Ahead of the Curve. is a Privacy Counsel & Legal Engineer at , a leader in Data Management for Data Science. He holds a J.D. from Harvard University and is a Ph.D. candidate for Social Policy and Sociology at The Harvard Kennedy School. Dan Wu Immuta
