Monday 30 April 2018

Is GDPR really that bad?

Introduction

Sorry for the delay (I'm sure you were all upset!) but I feel I should be blogging more now that I have deleted my Facebook account, and perhaps make some more useful comments and observations. I was prompted today by the news that streetlend.com is shutting down because of the new GDPR regulations that come into effect in the EU at the end of May.

These have been a long time coming and basically set out, in more specific terms, how personal data must be treated by any entity that is based in the EU or holds data about EU citizens in its systems. The regulations were announced in 2012, the first drafts came in 2014/2015 and the final draft was brought into law in January 2016, giving organisations just over 2 years to become compliant. After that, the individual member states' Data Protection Authorities can take enforcement action against individuals or companies who do not conform.

This is quite a long period of time, yet even large organisations like ICANN, who are not based in the EU but do process data about EU citizens, have recently appeared on the radar for the simple reason that they ignored the introduction of the regulations. They have more recently accepted that they do need to do something and have then come up with the completely unprecedented idea that they can have a further year to sort things out! As far as anyone can see, you cannot have a moratorium on existing regulations (they have been law for 2 years now), so they are in the crosshairs for some large fines!

Streetlend Shutting Down

Anyway, I was reading comments about streetlend.com and why they shut down. Basically, the arguments on their site are that the regulations create "uncertainty and risk that I can't justify taking". They also complain that GDPR creates the possibility of enormous fines, way above what most small companies could ever afford; that the requirements are ambiguous; and that there are legal firms waiting to prey on small companies who might make a simple mistake, ending up in a court case that would be largely unaffordable for a small company. This, they argue, favours large companies, who can effectively eat up the competition. The front page states that these regulations "add complexity and unintended side-effects for businesses within the EU".

Whether these views are genuine or hyperbole from someone who wants to make a point (anti-EU, anti-regulation, whatever), we will assume for the time being that they are genuine fears. As the discussion shows, though, the arguments become conflated and confusing because the reactions are about several different things. I want to look at these separately because, of course, any regulation has positives and negatives. For many companies the obvious negative is "change", which usually comes at a cost, but ironically, for this regulation, not necessarily!

Where did GDPR come from?

Firstly, the GDPR is a fleshing out of many existing data protection regulations that already exist at national level. In fact, the EU version is based heavily on the existing UK Data Protection Act (DPA) and, although it adds some more clauses, if you are already strongly in the spirit of the DPA you might have very little additional work to do to be compliant with GDPR. The most likely issue here is that the Data Protection Act, like many laws, appeared serious on paper but was rarely taken that seriously (at least in terms of enforcement), either by organisations or by the Information Commissioner's Office (ICO) in the UK, the office that processes complaints about the DPA. Many companies therefore never really understood or applied the spirit of the DPA, which is largely the same as the spirit of the GDPR: what are you doing with the data, why, how, etc.

Now, this is very different from the USA, where many online companies are based and where privacy is governed by a very fragmented and ad-hoc set of federal and state laws, which set a very low bar in terms of privacy and data usage. These organisations now need to apply GDPR-level controls to their systems, some for the first time, and for smaller companies this is obviously a burden. What we have to remember here is that the way GDPR respects personal data is something that should have been happening anyway; if it was, then probably some additional wording in a privacy policy would have been enough. The grey companies who illicitly sell your data in ways you probably wouldn't agree to should (rightly, imho) have to become transparent. Recruiters, particularly, are very bad at keeping data for too long and 'accidentally' not removing you from lists when you ask them to!

Beware of the fines

People are very nervous about the new maximum fines, which are 4% of turnover or 20 million Euros, whichever is greater. This certainly sounds scary, but under the DPA the maximum fine is only about £500K and the largest ever levied was actually £400K, for Talk Talk. The reason for the larger maximum is simply that a company like Talk Talk can easily afford a few hundred thousand for a fine (the Chief Executive was paid £550K for 2 months' work when she stepped down!). As the ICO have pointed out, the maximum fine is exactly that: a maximum. There is little point in, and no appetite for, making an example of small companies by bankrupting them with a large fine, unless their offence was deliberate, negligent, had a disproportionate effect, etc. In other words, the same as any other fine levied against a company. The fear that an innocent mistake would cause some large arm of the law to wipe you out is not only paranoia, it is not borne out by history. Clearly, if the company is already struggling, it is vulnerable anyway.

On the other hand, we should know that there is a large stick the ICO can use to beat companies with and there are many who have played fast and loose for too long. The likely outcome is that many of these will still evade action rather than the "good guys" all going out of business.

These favour the large companies

Almost without exception, new regulations are easier for large companies to deal with because they already have legal teams. This is a reality of the capitalist system and nothing to do with the regulations themselves. It is the same as saying that they "hit the poor the hardest". To balance this view, though, larger companies also have much higher overheads, which means they either need very high income streams or have to make higher profit margins on their sales to pay for those overheads. There are plenty of very large companies who have failed and either restructured (with layoffs) or gone completely bankrupt, so let us not fall into the habit of seeing the blessings of large companies without the curses!

A related note is this idea that somehow all large companies are looking to kill off the small companies so they can keep their market share. Of course, to an extent, it is likely that any company would rather not have competition, which makes their job easier, but for most large companies it is much easier to buy out a competitor than try and destroy them. Also, the GDPR doesn't add very much more than already existed to allow it to be used as a corporate weapon. You should be adhering to it regardless of whether someone has their crosshairs set on you.

Complexity

I liked one comment I read on Hacker News, which said that, like a lot of engineers, they had a natural dislike of regulations. We love the idea of the Victorian era, where you built a bridge and it might collapse or it might not! We do not live there anymore: the danger we can present by abusing the trust that people put in us means we need to take this seriously and, like the DPA, the GDPR is not really complex at all! Read the principles and tell me that they are complicated.

"But the wording is vague!". Yes, that's always the case in regulations. If you over-prescribe the wording, then it doesn't fit into all the hundreds of thousands of companies that are trying to apply it. "What does lawfully mean?" You should know that for your business already, otherwise what are you doing?

In fact, despite all of the extra guidance that exists, most of us could probably make a good stab at being compliant with these principles just from reading them.

"Collected for specified, explicit and legitimate purposes": this sounds easy enough, tell them what you are doing and why!

The rest of the principles, and the rights they set out (right to access, right to object, etc.), are all fairly easy to understand; their reason is mostly pretty obvious and, although some of them might be a pain (you cannot charge for access requests), they are not hard. In fact, they are much harder for larger companies, who are likely to have a large number of systems processing data, perhaps many legacy systems that are not easily updated. So we can't really complain about the complexity.

Sticky Bits

There are some additional requirements which are more onerous, but they are still reasonable from the legal point-of-view even if they are a pain.

The one I find the trickiest is the right of portability: "The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services." It is best understood with an example:

I sign up to a healthcare provider that takes all my medical data from hospitals and doctors and uses it to provide the service. I then decide that another company offers a better package but the first service has all my data and under the older regulations, that was tough luck! The new regulation is quite heavy on the idea that the first service must allow export in a "reasonable format" (presumably for certain industries this might already exist).

The idea is that it is your data so the service provider should not be allowed to silo it for their own use. Fair idea, understandable, but possibly a real pain for some organisations!

Another principle is that Data Processors are now also legally liable for data handling, whereas previously only the Data Controller was. For example, a company uses another company for storing backups. The backup company loses the data, which 'belongs' to the Data Controller, so under the old rules the Controller is the one in the firing line. In the new regulations, the Processor (the backup company) is liable for its own failings. Again, this is reasonable: I assume the contractors I use are professional and following all the relevant regulations, so how can I know if they are doing something dodgy?

Conclusion

Although the GDPR will create work for people who have not previously worked under a Data Protection Act, as regulations go, it is written in clear language that most professionals would understand without specific legal advice.

The idea that there is any risk disproportionate to other new regulations is also groundless, since the ICO have clearly said the higher end of the fines is for persistent and deliberate offenders. The workload for the ICO in the UK will be so large that it is virtually a given that a small mistake in your system would warrant nothing more than a warning letter (if that).

There are weaknesses in the legal process and it does make legal experts and lawyers lots of money and that is a different problem to solve. If we needed an example to prove these problems in the legal world, however, the GDPR would not be one of them!