“GDPR Myth and Fear”… When it is designed for good, what is all this noise about?

As we chase the countdown of EU GDPR - I am constantly reminded of few lines published few years back by - Maggie Koerth , an American science journalist . It very well tries to define my objective for this article if not the entire substance of it.

"Back in the 19th century, practitioners of phrenology traveled the country toting white, ceramic head models. Instead of hair on top, the bald mannequins sported a grid of lines and labels — like a “cuts of beef” chart for the brain. Scanning the head, phrenologists could easily see which parts of the brain were responsible for destructiveness, benevolence, wonder, or even weight.

Naturally, it all turned out to be bunk. But the idea that you can trace an abstract emotion or type of thought to activity in one specific corner of the brain is still very much with us. If you’ve read anything at all about neuroscience in the last few years, you’ve been introduced to chemicals that cause love, a hemisphere of the brain responsible for creativity, and the part of the brain that creates the sense of fear. Unlike phrenology, this isn’t bunk, but such pronouncements are oversimplified to the point that they mislead us about what’s actually going on in our heads."

The roar and hush around the threat the European General Data Protection Regulation poses to outsourcing industry , big data , digital publishers, ad tech companies and marketers is getting louder as the 2018 deadline for enforcement approaches. With best breeding conditions this has resulted into , a flurry of “GDPR experts” — some of them helpful, others compounding the confusion — have surfaced over the last year to help businesses navigate the challenges.

However is this really that bad at surface or its just too much of hype around it ? We will try to explore this and view the dissections via various lenses.

Nobody at-least outside EU is taking it as a measure to boost the human rights value, or quality of living and related choices. People across globe are worried for their normal operations of business , its related attributes and fear of loosing certain clientele. Everything in business world resonates to MOOLA, and in case of GDPR its the possibility of being exposed to the Eye-watering fines. Its very clear and internet is full of supporting content that illustrates - that for all those companies that don’t comply with the new laws will face fines of up to 4 percent of their revenues or a maximum 20 million, but these kinds of fines will be rare. They will only be applied to companies that flout the laws or fail to notify the supervisory authorities of data-privacy breaches that “affect people’s rights and freedoms.

Definitely it is just not an IT problem, and its not to blame since GDPR is heavily linked with personal data, the word “data” often signals that this is some kind of IT issue. But what is lagging in understanding by large is the very fact that, #GDPR is a cultural change in terms of how organisations process personal data throughout the organisation – where personal data is obtained from, how it is used, where it is stored, who it is passed to and how those parties use that data. And at the hindsight its awareness of your rights to exercise privacy as a data subject. A controller or processor needs to think very much like a data subject while designing and managing privacy system.

Everyone is trying to reinvent the wheel and for some unknown logic it seems that‘Consent’ is the only way to process data.The GDPR’s more stringent rules around companies obtaining explicit consent for collecting and processing customer data have caused a fair amount of hand-wringing across the ad market. The new array of adjectives used to describe different forms of consumer consent — “explicit,” “unambiguous,” “informed” — are enough to make hearts race. But as with most things, there are more ways to skin a cat. Consent is the most viable and perhaps only option when it comes to some aspects of collecting and using personal data for digital advertising purposes. But, importantly, there are other ways, which may work for other aspects of data use. For example, before ascertaining what legal basis they have to process the data, companies need to know what partners they’re working with, and where and how the data is shared and traded by those partners.

A significant portion of business community is under impression that since they are US-based company so the GDPR doesn’t apply to us.In short, the GDPR will apply to US-based companies that offer goods or services to individuals in the European Union (EU) or monitor the behavior of individuals if the behavior occurs in the EU. Even US-based companies that have no physical presence in the EU will be subject to the GDPR if they process an EU resident or visitor’s personal data in connection with goods or services offered to those individuals or if those companies monitor the behavior of EU residents or visitors while those individuals are within the EU. The GDPR could apply, for example, if a US citizen visits a US-based website while vacationing in Spain and that website monitors that citizen’s behavior while in Spain.

Apparently there is no shortcut here , and since its a cultural change Compliance can't be achieved very quickly – The way the GDPR obliges organisations to take another look at how they process personal data, such as their customer database, will need significant organisational work, involving departments including Sales and marketing, finance, HR, IT and legal. Given the GDPR comes into force in May 2018, this does not leave a lot of time for an organisation to become GDPR compliant.

Brexit will save us from GDPR, a cautious note of reality is that GDPR enforcement will begin a good ten months before Brexit occurs. And, even after the UK leaves the EU, there is still a very high probability UK businesses will be subject to GDPR compliance requirements because the GDPR applies to the personal data of all EU residents. Given the current arrangement and that there are many EU residents living in the UK and UK businesses will continue to do business with residents of EU countries, the GDPR requirements will still apply to UK businesses long after Brexit is completed.

Lobbying benefit the need of this regulation was in the heart of cultural value system and derived business benefits. So anyone who believes their lobbyists’ myth that privacy regulation will only help Google and Facebook is having the wool pulled over their eyes.

So while all this was initiated for betterment of human rights - there are considerable business operations risks from GDPR , however this shouldn't be dealt with hammer of Thor- its definitely not a Y2K BUG syndrome as few internet article claim it to be. Its not time bound risk, its a progressive transitional change and No one will get fined mindset is just not enough to push the envelope !

GDPR Compliance General Data Protection Regulation IT GDPR experts GDPR Consent

About the author

Rakesh Jha

Data & Information - Privacy Engineering


FIP CIPP/E RAKESH JHA FIP CIPP Co-Founder of Privacy Virtuoso Advisory GDPR, PIPEDA, HIPAA and ISO27001

Read my other blogs


Leave a Comment: