The GDPR should enhance the protection of personal data across the EU and beyond. That’s one of the core functions of the legislation – along with improved harmonisation of data protection law within the EU. However, having spent much of the last 9 months helping clients to prepare for the GDPR, I’m concerned that the new law may have some material negative effects on privacy protection.
In this post I highlight some of these unintended consequences.
Bringing data protection into disrepute
Of all the pieces of legislation I’ve advised upon over the past 18 years, the GDPR is in many respects the worst. The increasingly vital principles of privacy protection are utterly compromised by excessive complexity, petty bureaucratic requirements and interpretative problems. The rebarbative and robotic language (of the English text, at least) doesn’t help, especially alongside injunctions for organisations to use clear and plain language in their own data protection documents. Most seriously, many fairly typical business situations do not fit easily, or at all, into the scheme of the legislation.
The immediate costs of dealing with this mess fall upon businesses. They are having to expend significant resources to comply, to re-engineer their businesses in ways which have little or no obvious privacy benefits, and they are not impressed.
Big business > small business
Complex legislation designed to regulate big business can mean big problems for SMEs. In the case of micro-businesses, the choice may be between operating in breach of the legislation and not operating at all. Smaller businesses which cannot demonstrate compliance are less likely to be selected as suppliers to larger businesses. Although many SMEs have weak IT security, it is big businesses which usually present the bigger risks, simply because they have the big data.
Insofar as the legislation helps big business at the expense of SMEs, it may hinder privacy protection.
New records, new services
The petty bureaucratic requirements include record-keeping obligations. Insofar as the additional records contain personal data, they present an additional security risk. In addition, some businesses are using third-party service providers to help with compliance. For example, an industry has sprung up to help websites verify that their users are not children, or that users who are children have parental consent to their activities. Verification services need to operate at scale, resulting in large databases of potentially sensitive information. The operators of some of these services do not themselves have good security records.
EU customers and non-EU suppliers
The international transfer rules governing the transfer of personal data from within the EU can be difficult to comply with, for example with respect to transfers from an EU processor to a sub-processor that is outside the EU and not in a country with an “adequacy ruling” from the Commission. There will be situations where EU customers choose EU-based suppliers over suppliers outside the EU even where the latter have better security arrangements and/or lower overall risks.
I don’t know if this consequence was unintended.
Non-EU customers and EU suppliers
Because the GDPR can regulate the processing of personal data originating outside the EU by a processor situated within the EU, the use of EU-based processors can cause problems for non-EU customers. So, a non-EU processor may be preferred over an EU processor even where the latter wins on security. I know of several companies that are, or are considering, setting up US subsidiaries to handle their US-based clients, and the GDPR is one important driver of this trend.
I’m guessing that this consequence was unintended.
Put simply, money which could be spent improving security is being spent completing detailed questionnaires and producing vast spreadsheets listing and mapping the processing of every item of data processed by an organisation. Perhaps some of the blame for this falls on lawyers and consultants who are making money out of the process, but the GDPR’s philosophy of compliance (it’s de facto impossible, but if you try really really hard you’ll probably be OK) is one fundamental reason for this wastage.
I’m expecting that the massive maximum fines, combined with the difficulty of achieving cast-iron compliance, will lend further impetus to the already thriving ransomware industry.