GDPR – Gigantically Dull Privacy Rubbish, or vital for the greater good?
Yes, I know, yet another blog post about GDPR. I’ve spent a ridiculous amount of time and effort on reading, understanding and implementing the new regulations over the last 12 months, and like anyone else in that position I’m pretty thoroughly sick of it. So I completely get it if you want to stop reading now, and go and do anything else instead.
In addition to sorting out the data that we collect as an organisation, at Freshleaf we also had to consider that - as a Data Processor for other people’s data - we would have new obligations and responsibilities under the new regs. Since most of our websites deal with some kind of personal data, there was clearly going to be a lot of work to do – starting with figuring out what had to change. The entire process has been lengthy, but we have learned a thing or two along the way.
So, has GDPR been a force for good; or just a huge pain in the behind?
Let’s get the bad out of the way first. Firstly, let’s be honest – GDPR is really tough to understand. There were paragraphs that I had to read multiple times, because although all the words are in English (I checked), it’s dense and hard to process. In addition to reading the actual text of the regulations, it was also necessary to consult any number of guides attempting to offer a digest of the regulations as well as – in a lot of cases – taking advice from legal teams, HR advisors and training organisations offering GDPR workshops. I’m quite sure it isn’t easy to create a set of regulations as far-reaching as the GDPR. But given that it was seven years in the making, would a little more clarity be too much to hope for?
To add to the complexity of grasping exactly what it is one needs to do in order to comply, the GDPR is also intentionally vague and non-specific, leaving lots of room for interpretation. This was probably not helped by the fact that its companion law, the ePrivacy Regulation, has been delayed. The ePR will address online privacy in more detail, but although it was originally intended to go hand-in-hand with the GDPR, it has yet to put in an appearance - leaving the GDPR with an ‘unfinished’ feel to it. Things like cookies, for instance, have fallen victim to this uncertainty. The GDPR makes clear and definitive statements about the fact that any cookie with a unique identifier counts as personal data… and then lapses into complete silence on the subject. “But what are we supposed to do about cookies?” you yell at the screen, but there are no clear answers – and no release date yet for ePR. The only consolation is that everyone else is just as confused about most elements of the legislation as you are.
In addition to being complicated and vexing, the GDPR has also been a huge burden on small businesses – and probably on larger ones too. One study reckoned the cost of GDPR implementation to be £300 - £450 per employee (consistent across company size and sector), but to me that feels conservative. Taking into account the time spent understanding the requirements, the admin involved and the legal advice sought, I reckon the bill would be higher than that for a lot of organisations. Of course, a small handful of businesses were in a position to increase their revenue off the back of GDPR by offering GDPR-driven services - but even then my guess is that most have struggled to cover their costs.
So what was the point of all this? Has any good come of the GDPR? Well, for a start it’s hard to argue that the Data Protection Act (1998) didn’t need some updating. A twenty-year-old piece of legislation, it was struggling to keep up with the changes to the way we live our lives. It wasn’t prepared for the era of Big Data, and it was - certainly in comparison to GDPR - a bit toothless.
The changes to the digital and data landscape in twenty years have been enormous. To put that in context, Google was founded in 1998 (and had some way to go before it became the data monster it is today) and Facebook – another huge consumer of personal data - wasn’t founded until 2004. A whole industry has grown up around data in a way that the nice folks in 1998 probably couldn’t have imagined. Scary fact (albeit from 2015) – more data has been created in the last two years than in the entire previous history of the human race. So yes, we needed updated legislation for the Big Data age.
We also needed legislation that had enough clout to make organisations sit up and pay attention to cyber security. The issue of privacy and what data organisations should be allowed to collect is one thing. But the cavalier attitude of many organisations to protecting that data is quite another. We’ve become a bit inured to stories of data leaks, but almost every day there are large organisations (which should know better) spilling customer data like so many leaky sieves, and that’s really not okay. The Big Data analyst Bernard Marr wrote a piece for Forbes looking at the fines that GDPR would have levied against the big data breaches of recent years, including Equifax in 2017 (personal info of 143 million consumers), and Yahoo in 2013 (3bn user accounts breached). It makes for interesting reading. Whether implementation of the GDPR will see a reduction in data breaches remains to be seen, but the headline fines (£20m or 4% of annual global turnover, in case you’ve been living under a rock recently) should bring some focus to ensuring that suitable technical protection is in place for all this data.
But does anyone care?
The GDPR is a very user-centric law – that is to say, it places the rights of the individual squarely ahead of those of business. But do the individuals that the regulations protect actually care about what happens to their personal data? Obviously, nobody wants their credit card details and their passwords leaked and published. But equally very few of us wanted to receive a hundred identikit emails asking if we’d like to “keep in touch”, or to set our cookie preferences before we can interact with every damn website.
To begin with, I was firmly in the “I don’t care” camp when it came to personal data. I don’t want it leaked and I don’t want it sold to the highest bidder (yes, Facebook, I’m looking at you), but beyond that I find it hard to get excited about what happens to my personal data. And that’s pretty typical. People are increasingly willing to hand over their personal data, especially in return for products and services that they want. Insofar as anyone thinks about it, personal data is just currency in a data economy. And the more time goes on, and the more we live with the status quo, the less we object to it. One report suggests that the proportion of UK society who are blissfully unconcerned about privacy has increased from 16% in 2012 to 25% in 2018. Turn that on its head, of course, and you can see that 75% of us are still concerned about privacy.
And the more I’ve worked on understanding GDPR, the more I’ve really considered my position. Because technology got way ahead of legislation, we ended up in a situation where not only do we collect personal data because we can - we don’t even think there’s anything wrong with that. But do I want to be tracked everywhere I go online? Do I want faceless – and sometimes ethically questionable – organisations to know everything there is to know about me; and have carte blanche to do as they will with that information? And more to the point, do I want that situation to be the default? I don’t think I do.
So where does that leave us? The GDPR has forced upon us better cyber security, and more awareness that we can’t just collect personal data because we want to. It’s forced organisations to do a bit of badly overdue housekeeping and to think about the way that they collect and process personal information – all of which is no bad thing. Will it change the world, redefine marketing, kill the data economy and mean the end of free services? Will users rise up and seize control of their data? Probably not. In the end we’ll all just carry on very much as before. But for all the headaches it’s caused me, personally I’m glad that there are regulations and checks & balances in place to help guide the handling of personal data.