The Wayback Machine - https://web.archive.org/web/20180619193137/https://www.wired.co.uk/article/happy-gdpr-day-gdpr-hall-of-shame

Help, my lightbulbs are dead! How GDPR became bigger than Beyonce

A look inside the GDPR hall of shame and glory reveals internet-connected lightbulbs being disabled, the Los Angeles Times blocking all Europeans and HuffPost letting you disable hundreds of ad trackers with a single click


25 May 2018

Happy GDPR day! It isn’t quite Christmas, but this year you’ll probably get more emails about May 25 than you will December 25. So very many emails. In the two years since Europe’s General Data Protection Regulation (GDPR) was passed, an elaborate web of hype has been constructed. That hype hit its peak this week when GDPR was more popular than Beyonce in Google search volume. It’s been one hell of a ride.

So what lessons can companies learn as they pull the GDPR crackers and gaze glassy-eyed at the star-topped GDPR tree? First up: listen to real experts. Misinformation, misinterpretation and profiteering have led to an unexpected spike in interest, according to weary data protection professionals. Your inbox is likely testament to the growing panic as the special day loomed large.

The barrage of attention even caused the UK data protection regulator, the Information Commissioner’s Office (ICO), to launch a rare campaign of “myth-busting” in August 2017. Now that the much-hyped May 25 GDPR implementation date has arrived, the ICO has said people should “do their homework” before taking advice on GDPR and data protection issues.

“There is no need for panic,” a spokesperson for the ICO said. “May 25 is not a deadline – it’s the beginning and we’d expect organisations to continue to assess and review their policies and procedures from now on.”

In the most extreme circumstances, a number of businesses have decided to deal with GDPR by getting rid of European services altogether. Multiplayer game Ragnarok Online announced in April that it would be shutting down its servers in Europe, and mobile marketing firm Verve also announced an end to operations in the EU, as well as closing an office in Munich.

Other firms have paused serving European customers until they finish getting ready for GDPR. The email unsubscription website Unroll.Me said it will “temporarily stop providing service to EU residents on May 23” until it is ready. Similarly, Instapaper has said it will be “temporarily unavailable” because of GDPR. There have also been reports of internet-connected lightbulbs not working because of GDPR.

Oath, publisher of TechCrunch, Engadget, Yahoo! and HuffPost, has started blocking European users with a full-page warning. People can click through to an options screen that reveals the huge network of trackers it uses to serve targeted adverts. In a more radical move, the Los Angeles Times has temporarily blocked all European users from accessing its website while it works out what the heck to do about GDPR.

Security researcher Mikko Hypponen has compiled a list of other firms leaving the EU.

The changes introduced by GDPR apply to both individuals and businesses. As part of GDPR’s eight rights for individuals, firms must ensure they can legally use and keep a person’s information and, perhaps most crucially of all, report data breaches within 72 hours. The age of waiting months for companies to come clean about data breaches could well be over.

The alterations are sweeping but largely build upon previous data protection rules. Even so, a raft of new GDPR experts has emerged, and not all the advice they have given out has been accurate.

The fear

For businesses and organisations, GDPR comes with a risk: huge fines. The regulation stipulates that those found to be in breach of GDPR could face financial penalties of €20 million or four per cent of annual global turnover, whichever is greater. There’s no surprise that panic has been created around the figures, as they’re well in excess of the £500,000 maximum penalty that could previously be issued by the ICO. A heavy-handed fine could easily stop a business in its tracks.

But the ICO has called it “scaremongering” to say it will be issuing massive fines except in the most severe of cases. Claims that fines issued under GDPR would be 79 times higher than under the UK’s previous data protection laws are very unlikely to be borne out. Other extrapolated estimates have claimed banks could be fined €4.7 billion under GDPR.

But the potential of huge fines hasn’t been the only reason for GDPR mania. There’s also a growing market of people working in data protection and offering dubious services related to GDPR. In the UK there are more than 100 registered companies with the GDPR acronym in their titles – and the vast majority of these were formed after the regulation was approved in 2016. Their purpose? To offer advice on how companies can get their data in order and create products that can help organise information.

“There’s been a real mixed bag,” says Lynn Wyeth of Info Planet Ltd, who also works in information management at a UK council. “Some of the ones we’ve seen have thought they can just use GDPR on its own, not realising that there’s 20 years of data protection that it’s built on.” Wyeth explains that some younger companies she has seen haven’t even published privacy notices on their websites, which is a basic requirement of data rules.

One of GDPR’s big buzzwords has been “compliance”. Adverts for GDPR services promise businesses can become “compliant” with the regulation. “Solutions” are offered to help people get in line with what GDPR requires – but things aren’t as straightforward as just being compliant or not. May 25 is when GDPR will be enforced, but it isn’t a strict deadline for everything being perfect. Subject access requests, for example, will become free on this day and security breaches will have to be reported to the ICO within 72 hours.

The information commissioner Elizabeth Denham says companies working towards getting their systems sorted for GDPR won’t be punished as harshly as those that haven’t shown any awareness of the law. “Some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions,” she wrote in a blog post in December.

“It isn’t something you [just] get done,” explains Tim Turner, of 2040 Training, who also used to work at the ICO. He says businesses he has worked with on GDPR have been close to meeting some requirements but there have been some areas that will need a lot of work over several months. “There’s always something else to do and another decision to make.” And the complexity of the regulation means it’s unlikely any company will ever be fully compliant with the law.

The need for companies to purchase new systems or software has also been questioned. “There’s certainly no such thing as software that can do your thinking for you,” says Rowenna Fielding, senior data protection lead at Protecture. “A lot of aligning with the requirements of GDPR is not just about systems – it is about systems and process.” Turner agrees that some software is useful for specific tasks but these may not directly be related to getting systems ready for what GDPR requires.

Getting things muddled

Interpreting GDPR’s 99 articles can be complex. MPs have complained about being given the wrong advice about what they should delete. Documents released by the Department for Environment, Food and Rural Affairs under the Freedom of Information Act showed it was not ready for GDPR in October 2017. It blamed “high priority activities on EU Exit” for not being able to devote enough resources to the EU’s GDPR.

Elsewhere, the crossover between GDPR and the separate Privacy and Electronic Communications Regulations has led to hundreds of companies (often needlessly) emailing customers asking for permission to continue sending them messages. One local councillor even claimed he couldn’t get planning documents sent to him because of GDPR.

In Finland, it has been suggested that people remove their names from outside the doors on their flats because of GDPR.

“The whole thing is madness,” Turner says. The mixed messages on some issues of GDPR – the idea that consent is always needed being one of them – have partly arisen from misinformation and a lack of skilled people.

One data protection expert who has been responsible for hiring data protection officers (one GDPR obligation for some companies) said doing so has been a struggle. “In the last six months, I’ve not interviewed a single person that I’ve said, ‘Yes, I’d give him or her the job’,” said the expert, who did not wish to be named. “Anyone who is worth their salt was tied up months ago.”

As the May 25 implementation date has neared, there have also been reports of businesses being overcharged for work related to GDPR. “I have seen people charging what I think are outrageous amounts of money for things – where smallish organisations have been quoted £30,000 to do a data audit,” Wyeth says. “I’m like, ‘Guys you could do that in about two days on an Excel Spreadsheet, this is mad.’”

In a post on LinkedIn, George Parapadakis, who formerly worked at IBM, wrote that technology wouldn’t solve GDPR issues. “The nonsense that I read on a daily basis, defies belief,” Parapadakis wrote. Turner adds: “Don’t get me wrong, we’re all in it to pay the mortgage but I think as the panic has increased, there is something of a feeding frenzy of, ‘Let’s see how much we can get before the momentum goes out of the market.’” This may have peaked when GDPR became more popular than Beyonce.

The ICO has acknowledged the push for people to make money from GDPR – although it does not fall under its remit as a regulator. In another blog post Denham said some of the “misinformation and outright scaremongering” around the rules “seems commercially driven”.

At present, the ICO doesn’t offer any certification scheme or checkmark businesses or organisations can get to indicate they are ‘compliant’ with GDPR or trained in its requirements. An ICO spokesperson confirmed it doesn’t run any accreditation for GDPR consultants. All the people spoken to for this story said businesses should consult with the ICO on advice or issues that are unclear. Fielding says: “Don’t assume that because there’s a shiny brochure that says something, that that something is accurate.”