You may have noticed a mountain of spam over the past month, telling you in breathless terms how the privacy rules are changing on every website you’ve ever visited. That’s the most obviously noticeable part of the GDPR.
GDPR — it stands for General Data Protection Regulation — is the European Commission’s way of starting to ensure (or at least, to marginally address) that the data of European Union citizens is not abused by companies. It involves specific steps meant to assure that data is handled securely, transparently, fairly, and minimally.
I was particularly amused at those who sent out their notification emails on the 25th of May — the last possible moment. I’m talking about you, New York Times. And it was unintentionally hilarious indeed when the New York Times sent me, along with hundreds of other freelance writers whom they’ve paid in the past, an email that cc’d all of us. Oh, the hi-jinx we had when we discovered inadvertently that replying-all meant that we truly replied to every New York Times freelancer and vendor!
A similarly daft breach was created by, ironically, privacy maven Ghostery, which sent hundreds of us a note that included the actual email of each recipient in the cc: field — at least the New York Times had the decency to simply mis-configure a group!
My friend Peter said he loves GDPR, because it finally gave him a chance to get off some of the hundreds of lists he’s been on and can’t get off .
What The Hell Is It?
GDPR is the Sarbanes-Oxley of the late twenty-teens: a regulation with highly specific rules whose infringement is theoretically punished by theoretically terrifying consequences, to wit: the penalties for infringement of the rules, or failure to comply can mean, in the words of the European Commission — an organization with hardly any sense of humor at all:
…a reprimand [or] a temporary or definitive ban on processing and a fine of the greater of up to €20 million, or 4% of the business’s total annual worldwide turnover.
“Turnover,” in the ways of those quaint Europeans, means “gross revenues.” Not profit…Revenues. That’s pretty steep.
Remember, though, the theoretical punishment for breach of Section 404 of the Sarbanes Oxley legislation included the CEO being led out of the building in handcuffs. This threat gave birth to an entire industry of breathless vendors selling “compliance tools” for a set of rules that turned out to be absolutely toothless, reduced to a couple of lines in the annual report by despicable and soulless attorneys who charge $1,500 an hour or more to tell their clients that they’re in technical compliance with SOX, while their clients continue the same slipshod practices that led to Enron and similar outrages in the early naughties.
So forgive me if I am not leaping about in terror of four percent of my gross revenues being seized by some garlic-reeking Eurocrat; it’s left to be seen whether this actually gets enforced against anyone.
Morally, however, the GDPR comprises a set of things are are just the right thing to do. When you look at the regulation itself, every single thing is just plain decent. If you are a business dealing with personally identifiable data of a customer who resides in the EU:
- personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing;
- you must have specific purposes for processing the data and you must indicate those purposes to individuals when collecting their personal data. You can’t simply collect personal data for undefined purposes;
- you must collect and process only the personal data that is necessary to fulfill that purpose;
- you must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it’s processed, and correct it if not;
- you can’t further use the personal data for other purposes that aren’t compatible with the original purpose of collection;
- you must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected; and
- you must install appropriate technical and organizational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.
I’ve helped our European brethren by changing their ‘s’s to ‘z’s, and adding an ‘l’. Honestly, get over it.
Will GDPR make a difference? I’m quite naive, actually, so I believe that it may. By raising the bar about how we handle personal information, the European Commission is creating, for the first time, incentives for businesses to consider better prophylactic security measures, better segregation, minimization, destruction, and handling of sensitive personal information.
For the next couple of years, as we see how any enforcement actions shake out, companies will be afraid enough to up their game.
Sure, it might all fall apart after we discover that the Commission actually doesn’t have teeth (in the past, they’ve shown some remarkable toothiness, though).
But all in all, I’d say that GDPR will do a hell of a lot for actually protecting data than the previous standard: the hypocritical, cynical, less-than-worthless drivel cooked up by the Payment Card Industry to transfer the risk of card processors down to the merchants.
For with GDPR, the onus is finally placed upon the companies that hold, and make decisions regarding, our private information.
It’s a start.