The 1-year anniversary of the GDPR has not really flooded the media the same way as it did at the launch.
And I’m not sure what I should think about it today. Mixed feelings, mixed results, because the GDPR sets a consolidated baseline for privacy protection on the EU level but also worldwide, while lots of companies are still in bad shape for their privacy practice, and some old, unacceptable habits are still alive, or even getting worse. So where are we exactly with the GDPR, mid-2019, you think?
1-year baby, growing teenager or grumpy toothless?
First of all, allow me to take a step back: The GDPR is not ‘new’ – check the GDPR History published by the EDPS. The GDPR applies since May 2018; has been ratified since 2016 has gained political consensus since December 2015; the European Parliament adopted it in 2014, and the data protection proposal was presented in 2012. And actually, the GDPR has replaced the European Data Protection Directive 95/46/EC, 23 years later, after its approval in 1995.
An important achievement of the GDPR is that it has (finally) set out the boundaries on a large scale, with a global impact. It has also triggered other nations to align with the new regulations, and that’s good news. In contrast to a lot of other legislations, the GDPR is fairly intelligible and readable, so you could guess it would be implemented fairly smoothly.
Still not mature?
Of course, privacy has always been balanced against commercial profit or public ‘profit’, when talking about governments. For a long time, the weight was rather on the side of commercial profit and performance.
But what is way more important, and where the GDPR is way more distinct than before, is the drive to a practical, reasonable balance between usability and security. You can never secure your data 100%, but you can do your best (‘state of the art’). When looking at the GDPR history, you would expect that organizations (including governments) had enough time to get GDPRready before the 25th of May last year. Instead, lots of them got barely compliant and a significant part of them didn’t even make it to be compliant. You remember the countdown stress and drama stories, right?
Reality one year later
In practice, many companies didn’t see the GDPR coming, or didn’t want to see it. They only started to think about the GDPR due to the massive airplay and marketing when the regulation came into force. But even a basic implementation of a security and privacy management system (like the ISO/IEC 27001 or ISO/IEC 29100 style of management) takes at least a year, even for SMEs.
So they have cut corners because of the predicted GDPR fines, the consent-driven marketing and commercial quick wins (“implement this tech and you’re compliant”), and totally forgot about the in-depth quality approach. There was no time left for privacy-by-design or rather security-by-design, with focus on the subject.
Now, one year later they realize that GDPR compliance is not only about the assignment of a DPO, establishing a processing register, publishing a privacy notice, handling consent and so on. Some companies got bad luck. Now, they know all about handling data breaches, incident management and responsibility vs, accountability of the management team.
Sadly enough, there are still a lot of companies that stay below radar. They don’t care and still practice old habits like scraping search results from search engines, dumping personal data from public sources to use for bulk mail and marketing, neglecting subject access requests or minimizing SAR responses like ‘we don’t process your data’. You can ponder about the reasoning behind it, but it essentially comes down to the idea of getting away with it. Taking into account that the privacy legislation has been there for more than a decade and also the feedback of various data protection authorities have provided (that they would not be too strict on enforcing the GDPR), that’s a fail.
Proactive control
From the GDPR side, it would be great to have a more proactive control from EU or data protection authorities and to put more pressure on the compliance of the data controllers. This is sanctioned in the GDPR, e.g. with articles 42 and 43 on certification. But the EU did not provide a ready-to-use system to prove that a company has the minimum precautions and management systems in place to comply with the GDPR requirements. As we see with other legislations and best practices, getting a certification takes time. Now the certification and accreditation battle has only begun, and almost nothing is ready yet. And before you know it, the certification and accreditation will be guided by commercial interest.
I sincerely hope that the EU will guide us with an open system, based on best practices and standards. The EDPB (European Data Protection Board, a.k.a. WP29) already set the guidelines [check the Guidelines 1/2018 (May 2018) on certification and 4/2018 on accreditation (Dec 2018)]. Get ready!
Privacy/security by design
If you wonder what best practices and guidelines could get you on track, you really should look into the established best practices, for example:
- ISO/IEC 27001 & ISO/IEC 27002 for managing your Information Security Management System
- ISO/IEC 27005 for Risk Management
- ISO/IEC 29100 series (privacy framework, publicly available)
- ISO/IEC 29134 for (D)PIA
- ISO/IEC 27035 for incident management (or NIST Incident response).
Further, there are two ISO standards under development for the support of Privacy Information Management (ISO/IEC 27552), and privacy engineering (ISO/IEC 27550).
Referencing to the frameworks and standards, one of the implementation blockers is the lack of free access to the relevant ISO standards (mentioned before). On the other hand, the NIST is providing free access to its framework, but it’s US-based and not in sync with GDPR, while the NIST privacy framework is anticipated to be published on October 2019.
The future, new threats & new technology
You don’t need to look hard. Even on the regular news (outside the privacy expert channels), you’re confronted with decisions, news and activity that puts privacy protection (seriously) under pressure. In many cases, physical threats and cybercrime are the drivers to a very broad ‘public protection’ or mass surveillance. And in many cases, it’s the government taking the lead, while there is very low resistance and reasoning to keep it within an acceptable scale. Camera surveillance, ANPR systems, facial recognition, biometric registration, social media surveillance. In the majority of cases, the impact of a crime is significantly inflated to argue the benefits of mass surveillance and to minimize the impact on the general audience.
This approach makes it extremely hard to have a balanced discussion and choose the right level of protection. Just a look at a few recent news items, just to name a few that passed by on my privacy feeds:
“If you’ve got nothing to hide, you’ve got nothing to fear: fingerprints on Belgian eID cards.”
(BELGIUM, 15 JANUARY 2019, KU LEUVEN)
Facial recognition system in the UK: legal case against police
(BBC, 21 MAY 2019)
Civilian protest against cameras
(DAILY MAIL, 16 MAY 2019)
Just as an example, as of the 1st of July, the Belgian police will not use the ANPR system only ‘against terrorists’, but will use it to detect traffic offense. So, we are well on our way for Big Brother 1984. Moreover, how do you balance privacy against a visa application demanding for all of the social media profiles plus the 5-year-history of your mail and phone contacts? (Source: BBC, 1 June 2019). Don’t say it could not happen to you in the EU. It only requires a new election of the president, prime minister or change of government to start a short term political change.
You need to set the bar on your privacy
The GDPR has provided the baseline to get the data protection you deserve. But the bottom line is: you’ll only get the privacy when you demand it. (“Fight for you right.”) And more importantly, companies, governments, any data controller, any person will only respect your privacy if it really can hurt them. You must be part of their risk management. Some EU countries already incorporated the GDPR in their national legislation a while ago. Leading by example, they brought some companies to court. On a European level, wider scale enforcement of the GDPR is slowly warming up. The Belgian DPA only applied their first fine a few weeks ago to a mayor using emails for the past EU elections.
So where to go from here?
As a company, instill the GDPR in your DNA – in everything you do. It’s never too late to do it right. As a person, you can enforce the adoption of data protection step by step. Don’t wait for someone else to speak out for you. The best advice I’ve taken, was 2 months ago from a television broadcast on the abuse of personal data – (Translated quote):
Every time you give away a piece of your personal data, just think it’s € 50 you give away.
That is a great tip to let go your timidity and be more assertive. Be careful what you share, and use the rights that the GDPR grants you to stay in control. Actively. And if you don’t know what the GDPR can do for you, dive into it. It’s never too late.