The General Data Protection Regulation (GDPR) and ME
I’ll admit it—I was planning to write something terribly useful about the European Union General Data Protection Regulation (GDPR) that has everyone talking (and worrying). Then I realized that while I’ve been off to GRC 2017 in Amsterdam and vacation—both of which were wonderful, by the way—several blogs had been added to our GRC Tuesdays site. So, if you are looking for a more learned and useful discussion of GDPR, please check out the list at the bottom of this blog. For that matter, just type “GDPR” in Google, although there should be a health warning about the volume of material overloading your brain.
However, since I have been working a lot with GDPR topics lately and I really wanted to write a blog about it, I’ll share a couple of my observations, questions, and musings.
On the very first page of the regulation, it boldly states: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” They go so far as to state: “The processing of personal data should be designed to serve mankind.” (Emphasis mine)
In the current U.S. political climate (depending upon age, political leanings, and socio-economic status), some will assert as fundamental rights everything from carrying AK-47s to getting free money. But let’s not open that can of worms. My point is that I don’t hear of demonstrations in the streets about the protection of personal data as a fundamental right.
Looking historically, our U.S. Declaration of Independence says, in part, “We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.”
There are, of course, discussions of privacy rights in various international declarations, treaties and conventions, but most references are focused on what governments can or can’t do. Technology advances and proliferation have now made this a topic for our businesses as well. The designers of the GDPR (and the preceding Directive 95/46/EC) assert that this is necessary to ensure free flow of personal information.
It is unknown how well the regulation will be implemented, but just relative to the fundamental rights and desire to serve mankind, I can only offer a heartfelt “WOW!”
Do You Read Privacy Notices?
Changing gears, it’s likely that most companies subject to GDPR will need to update their privacy notices and update the consent function for the data subjects (you and me) to allow the collection and use of our personal data. But I have a silly question: Do YOU ever read the privacy notices that exist now? Do you still click the button that says you’ve read them? How often do you NOT click the accept button?
To me, it’s a little like reading every word on each loan document before getting your home mortgage. I know I need to sign them all or I won’t get the mortgage, so I take a quick look at the terms and then proceed to sign. And I’ll confess that I “power-click” on web pages for the same reason. If I want to buy something online and I cannot do so without accepting the privacy notices, the likelihood of my clicking OK approaches 100%.
So, I’m not saying privacy notices aren’t good to have, but ONLY if the company itself is bound by them and has internal governance, policies, procedures, systems, and actions in place to ensure they represent what is actually happening within the company.
Revenge for Sarbanes-Oxley?
In some small way, could GDPR be revenge in the EU for the Sarbanes-Oxley Act of 2002 (SOX)? An interesting part of GDPR is that it applies to many companies that do not reside or even have offices in the EU. Yes, to the extent that your company gathers personal data from EU residents, you are also subject to the GDPR. If you intend to sell to data subjects in the EU (online or otherwise), you will also need to comply.
So is it revenge, in some small way (asked in jest)? Remember that SOX applies to companies outside the US who are required to file reports with the SEC (mostly those registered on US stock exchanges). Many non-US companies, in fact, have de-listed their stock to avoid having to comply with SOX.
It’s like my loan document analogy in that I cannot imagine most non-EU companies doing significant business in the EU will walk away from the business just because of the law—but many EU companies DID delist their stock from US exchanges to avoid having compliance burdens and related costs. So how will non-EU companies respond to GDPR? Only time will tell.
While I’m at it, let me touch on vocabulary and acronyms. As I read various GDPR-related documents, I noted that many of them felt the need to have a glossary of terms. So not only is the regulation itself LONG, but if you don’t first look at a glossary, it may be hard to fully understand it. Some terms are not hard to understand, like “data subjects” (people whose data we need to protect) and “personal data.”
But how easy is it to understand the difference between pseudonymization, anonymization, and minimization? Just try to say pseudonymization three times very fast—I have trouble saying it even once! And do we in the US need to adopt British English spelling for pseudonymisation/pseudonymization, especially post-Brexit? (By the way, for now the UK government has confirmed that the decision to leave the EU will not affect commencement of GDPR for them.)
I hope you enjoyed this tongue-in-cheek look at the General Data Protection Regulation. This is clearly a sweeping regulation that will have companies jumping through a lot of hoops to get ready by May 25, 2018. I will find it interesting to learn how ready companies are on Day 1.
Now I ask you, what do you find interesting or amusing about GDPR compliance?
As promised, here are some links to our GRC Tuesdays site and some recent GDPR-related blogs from that site:
- “Ayurvedic” GDPR by Neil Patrick
- Part One—Big Data Privacy Risks and the Role of the GDPR by Evelyne Salie
- Part Two—Big Data Privacy Risks and the Role of the GDPR by Evelyne Salie
- GDPR Is About More than DATA Management, It’s About Governance by Neil Patrick