By far the most common answers to the questions “Are you worried about GDPR?” and “If yes, why?” are, in this order:
- The fines;
- Possible loss of reputation;
- What’s GDPR again? (no, unfortunately I’m not joking)
- The cost / complexity; and
- Board-level accountability (a.k.a. it’s a law now).
While from a business perspective I can empathise with most of these, I have zero empathy for 3. That’s not really the point though, which is that not one person I have ever spoken to about GDPR got anywhere near touching on the actual reason GDPR is here in the first place:
It protects a human right.
If you haven’t read the Universal Declaration of Human Rights, and surprisingly few seem to have done so, it forms what I will call a code of conduct for what the United Nations calls the ‘human family’. So while it’s not a global law (per se), and somewhat impractical taken in its entirety, you have to be something of a sociopath not to recognise its basic goodness. It just fits. For example, and most relevant to this blog:
UDHR Article 12
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Fair enough, right?
Therefore, the GDPR starts out of the gate with:
GDPR Recital 1
“The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.”
And while the GDPR does go on to say things like “The right to the protection of personal data is not an absolute right because it must be considered in relation to its function in society and be balanced against other fundamental rights... (Recital 4)”, its meaning and intent remain both clear and unwavering.
So if you want to know why fines are in place, why loss of reputation is such a big deal, and why infringements will be breaking the law, look no further. Compliance should go way beyond being just another consideration in your effort to demonstrate corporate social responsibility. This is not just some PR exercise you can fake your way through.
On the other hand, why is this so one sided against businesses? Why do they have to do all the work? I have made no secret of my disdain for people who don’t take responsibility for their own lives and actions. People who blame retailers for using personal data in ways they resent when they were the ones who gave it away without question. Even people who blame criminals for stealing their identity when it’s the victim themselves who made it possible by posting their entire life on social media.
When was the last time you read Google’s T&Cs? Or iTunes’? Or anyone’s? No, I haven’t either.
I have long contended that your privacy is a currency that you spend for the conveniences you crave. GDPR is there to make the risks of spending it far more transparent. Or as a privacy lawyer / DPO I know puts it: “What GDPR intends is to put the choice of ‘if’ and ‘to what extent’ back in the hands of the data subject.”
So while organisations will have a lot more responsibility moving forward, you should still do your homework before sharing personal data.
But in the end, the main reasons it’s the businesses who are now [mostly] responsible for protecting people from themselves are clear. For years, many businesses who should have been guarding your privacy, weren’t. And those businesses who were supposed to protect the data they had, weren’t. Not even close. This will all change under GDPR.
In theory however, the businesses who were already doing the right thing are [for all intents and purposes] GDPR compliant; it’s only those described in the paragraph above who now have a really tough time ahead. GDPR is an extension of, and replaces, the Data Protection Directive (Directive 95/46/EC), which has been out for 22 years! You really should not be starting from scratch here.
Depending on your business, GDPR might get tricky as you progress through it, but every organisation starts out the exact same way: by mapping your business processes (at both the individual asset and ‘asset interdependency’ level). This does not require a lawyer, and isn’t something you should not already be doing. If you don’t even have this in place, you will likely never be able to demonstrate the appropriateness of the ‘extent and proportionality’ of your data processing should things go wrong.
If I were a supervisory authority (e.g. the ICO here in the UK), I would reserve my biggest penalties not for those who aren’t compliant, or even necessarily those guilty of a minor infringement, but for those who have done nothing.
If that’s you, you’ve already wasted ~13 months of the 2 year run-up to GDPR’s application. There will be no ‘grace period’ after May 25th 2018; you’re IN the final stage. So you only have ~11 months left before the penalties can be applied. You must start asking the right questions of the right people now, and if you don’t know what and who they are, I suggest that’s where you start.
This is very basic, but it’s a beginning: Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now