The weeks leading up to 25th May 2018 were characterised in the digital world by a growing sense of unease over the looming implementation of GDPR (General Data Protection Regulation).
Urgent board meetings were convened as company directors suddenly woke up to the situation, and its potential impact on the bottom line. Specialist GDPR consultants sprang into existence to tout their newly-minted expertise and capitalise on fears of corporate Armageddon.
Finally the day came, and… nothing. Websites ramped-up their intrusive demands that visitors accept cookies, and email lists became ever more desperate in their pleas for re-consent – but today, well over half a year later, there have been no high-profile prosecutions. In fact, there have hardly been any low-profile ones either. The occasional cease-and-desist demand has been issued to data processors, and that’s about it.
Even the most recent of the Information Commissioner’s Office’s legal actions, such as the well-publicised £15,000 fine to the parent company of Cambridge Analytica, were made under the old 1998 Data Protection Act. The same legislation was used to impose a £500,000 fine on American credit rating agency Equifax in September. Was GDPR merely a phantom, a bit scary but ultimately harmless?
Data protection specialists are in broad agreement that we are currently in a ‘phoney war’ phase of the legislation, waiting for the first batch of prosecutions – and when that happens, it will feel like spring 2018 all over again.
Unnecessary pop-ups
Take those irritating web pop-ups, demanding that visitors click to indicate that they consent to having cookies placed on their device. Renzo Marchini, a specialist data protection lawyer with Fieldfisher and author of Cloud Computing: A practical introduction to the legal issues, says that these are not only unnecessary, they are probably illegal. “You can’t actually have a consent wall, but we know they exist.” Bryan Betts, an industry analyst with Freeform Dynamics, agrees: “We need a test case to show that pressing a button does not indicate informed consent.”
Both were speaking at a round table event in December, looking at the implications of GDPR to date, which The Interface also attended.
GDPR and CIOs
GDPR case law is eagerly awaited, not just by lawyers, but also by CIOs, data storage experts, and digital infrastructure providers. Alex McDonald, vice chair of the Storage Networking Industry Association SNIA and industry evangelist at NetApp, says that “GDPR is fundamentally about storage.”
Hand in hand with storage is the sensitive issue of data deletion and the much-mooted ‘right to be forgotten’. Mr Marchini observes that this is taken to be complete with the erasure of personal data. “But what if the data is encrypted and the key is thrown away – is that the same thing? If it is beyond use can it be considered to be deleted? What if it could be restored from a back-up?”
He points out that the right to be forgotten only applies if the company has no further legitimate need for the data, but this – like so many detail points around GDPR – remains untested in the courts.
The point is taken up by Joe Garber, enterprise software strategy executive at Micro Focus: “The more regulated industries are more fearful about prosecutions, because they’ve had to deal with these things before. Unregulated industries don’t know what’s going to hit them. We’re just waiting for case law.”
He says he regularly asks CIOs if they think GDPR is too prescriptive or not prescriptive enough. “They usually say too prescriptive, but really that isn’t the case.” The legislation is primarily descriptive, with few hard ‘must-do’ clauses.
Data ownership
One of those is the data protection impact assessment (DPIA), which is a mandatory process if an operation presents a high risk to the rights and freedoms of individuals. In the case of a job application, a candidate will submit a CV which contains some very specific and potentially sensitive information. A company has a legitimate need to store and transmit this, but at some point that legitimate need may stop. “When does the data ownership transfer? Nobody really knows, until there is some legal action” says Johan Dreyer, director of sales engineering at cybersecurity provider Mimecast.
A key element of GDPR is the philosophy of ‘privacy by design’, and there is broad agreement that that has yet to percolate into corporate thinking. Renzo Marchini suggests this requires a fundamental reappraisal of the digital creation process. “To get the tech right, it means thinking about privacy even at an initial brainstorming session, not adding it on later. Companies should set up a privacy department, which should be present at all those meetings.”
Privacy first?
Recent years have seen more than a few initiatives on new ways of thinking – things such as Six Sigma, digital first, agile companies, and so on. It’s doubtful whether any companies have yet adopted a mantra of privacy first, but that day may not be far off.
And that’s because, if GDPR has yet had any impact on corporate life, it has been to make companies aware of the value of their data. On one hand this is the revenue that can be earned from it, and on the other, it is the potential penalties for mishandling.
That Equifax case mentioned earlier showed that the ICO is quite prepared to use its teeth when abuses are uncovered. Because the prosecution came under the 20-year-old Data Protection Act, the maximum fine was £500,000. If it were to be prosecuted under GDPR, the penalty could be up to four per cent of global company turnover – in this case, a little over £100 million.
When the legal hammer finally drops, privacy will once again be the topic of urgent boardroom discussion.
