I’ll admit it—I was planning to write something terribly useful about the European Union General Data Protection Regulation (GDPR) that has everyone talking (and worrying). Then I realized that while I’ve been off to GRC 2017 in Amsterdam, several blogs had been added to our GRC Tuesdays site. So if you are looking for a more learned and useful discussion of GDPR, please check out the list at the bottom of this blog. For that matter, just type “GDPR” in Google, although there should be a health warning about the volume of material overloading your brain.
However, since I have been working with GDPR topics lately and I really wanted to write a blog about it, I’ll share a couple of my observations, questions, and musings.
On the very first page of the regulation, it boldly states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” It goes so far as to state: “The processing of personal data should be designed to serve mankind.” (Emphasis mine)
In the current U.S. political climate (depending upon age, political leanings, and socio-economic status), some will assert as fundamental rights everything from carrying AK-47s to getting free money. But let’s not open that can of worms. My point is that I don’t hear of demonstrations in the streets about the protection of personal data as a fundamental right.
Looking historically, the U.S. Declaration of Independence says, in part, “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”
There are, of course, discussions of privacy rights in various international declarations, treaties, and conventions, but most references are focused on what governments can or can’t do. Technology advances and proliferation have now made this a topic for our businesses as well. The designers of the GDPR (and the preceding Directive 95/46/EC) assert that this is necessary to ensure free flow of personal information.
It is unknown how well the regulation will be implemented, but just relative to the fundamental rights and desire to serve mankind, I can only offer a heartfelt “WOW!”
Do you read privacy notices?
Changing gears, it’s likely that most companies subject to GDPR will need to update their privacy notices and update the consent function for the data subjects (you and me) to allow the collection and use of our personal data. But I have a silly question: Do YOU ever read the privacy notices that exist now? Do you still click the button that says you’ve read them? How often do you NOT click the accept button?
To me, it’s a little like reading every word on each loan document before getting your home mortgage. I know I need to sign them all or I won’t get the mortgage, so I take a quick look at the terms and then proceed to sign. And I’ll confess that I “power-click” on web pages for the same reason. If I want to buy something online and I cannot do so without accepting the privacy notices, the likelihood of my clicking OK approaches 100%.
So, I’m not saying privacy notices aren’t good to have, but ONLY if the company itself is bound by them and has internal governance, policies, procedures, systems, and actions in place to ensure that they represent what is actually happening within the company.
Revenge for Sarbanes-Oxley?
In some small way, could GDPR be revenge in the EU for the Sarbanes-Oxley Act of 2002 (SOX)? An interesting part of GDPR is that it applies to many companies that do not reside or even have offices in the EU. Yes, to the extent that your company gathers personal data from EU residents, you are also subject to the GDPR. If you intend to sell to data subjects in the EU (online or otherwise), you will also need to comply.
So is it revenge, in some small way (asked in jest)? Remember that SOX applies to companies outside the U.S. that are required to file reports with the SEC (mostly those registered on U.S. stock exchanges). Many non-U.S. companies, in fact, have de-listed their stock to avoid having to comply with SOX.
It’s like my loan document analogy in that I cannot imagine most non-EU companies doing significant business in the EU will walk away from the business just because of the law—but many EU companies DID de-list their stock from U.S. exchanges to avoid having compliance burdens and related costs. So how will non-EU companies respond to GDPR? Only time will tell.
While I’m at it, let me touch on vocabulary and acronyms. As I read various GDPR-related documents, I noted that many of them felt the need to have a glossary of terms. So not only is the regulation itself LONG, but if you don’t first look at a glossary, it may be hard to fully understand it. Some terms are not hard to understand, like “data subjects” (people whose data we need to protect) and “personal data.”
But how easy is it to understand the difference between pseudonymization, anonymization, and minimization? Just try to say pseudonymization three times very fast—I have trouble saying it even once! And do we in the U.S. need to adopt British English spelling for pseudonymisation, especially post-Brexit? (By the way, for now the UK government has confirmed that the decision to leave the EU will not affect commencement of GDPR.)
I hope you enjoyed this tongue-in-cheek look at the General Data Protection Regulation. This is clearly a sweeping regulation that will have companies jumping through a lot of hoops to get ready by May 25, 2018. I will find it interesting to learn how ready companies are on Day 1.
Now I ask you, what do you find interesting or amusing about GDPR compliance?
For more on this topic, please read these posts:
The Ayurvedic Approach to GDPR by Neil Patrick
Big Data Privacy Risks And The Role Of GDPR, Parts 1 and 2, by Evelyne Salie