Well, here we are, close of business May 25th, and oh look!, the sun is still shining, the world is still spinning, and no one [decent] went out of business.
What we do have however is an indication of who the world’s biggest muppets are. For example:
…and the list goes on and on.
As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.
If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens, of emails from organisations with whom you have had some contact in the past, most of whom you have probably forgotten about. e.g. I hadn’t used my Garmin account for over a decade but still received an email asking if I wanted to ‘opt in’ to continue receiving its “many benefits”.
I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amount to clear instructions from the many qualified sources available (i.e. ICO for the UK, Art. 29 WP for everyone else, numerous law firms etc.) on what to do.
Therefore both of the following are true:
- The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
- The providers of the guidance had no clue what they were doing.
I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.
Here are some of my favourite vendor emails [paraphrased]:
- “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
- “Unless you read and sign our new terms and conditions we will cease all communication.”;
- “Our database of customers’ email addresses, including yours, will be deleted.”;
- “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”;
- “Our website is not available to any European member state…”
Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.
All, that is, with the exception of Recital 80 / Article 27 – Representatives.
I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.
My English translation (i.e. not legalese) of Recital 80 is:
Any controller or processor not established in the EU, but who:
1. offers goods or services (regardless of payment acceptance) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.
…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:
- is occasional;
- does not include processing on a large scale of special categories of personal data;
- does not include processing of data relating to criminal convictions and offences;
- is assessed as low risk; or
- is performed by a public authority or body.
If you’re reading this, you likely fall into one of three camps:
- You are horrified at the concept and can’t wait to tear me a new one;
- You actually think I may be able to help you make a lot of money; or
- You know me and realise that the title is nothing but click-bait
If 1., then good for you, I would do the same. If 2., then you’ve come to the wrong place unless you’re prepared to put in significant effort. If 3., then you’re right! 🙂
However, the fact is that there is a lot of money to be made in GDPR, but you only deserve it if you are providing true, long-term, benefit to your clients. Otherwise, kindly stay away. This goes for consultants and product vendors alike; do business with integrity, there’s simply no need to exploit those less knowledgeable. Unfortunately, the vast majority of people with whom I come into contact still haven’t even read it, leaving the door wide open for those intent on exploitation.
So where is this money I’m talking about? Where is it all going to come from? Simple: almost every organisation doing business in, and with, the EU will have to make adjustments of some sort, some more than others if you’re following the whole Facebook scenario. There are some who think that by ‘hiding’ the data overseas they have avoided the issue, but these people are naive in the extreme.
This is the final part in my GDPR Step-by-Step series, and one that, in my cynicism, I see very few organisations even trying to attempt. I have lost count of the number of companies with whom I have tried to implement a continuous compliance program, only to have them stop once they received their initial ‘certification’. In this respect, GDPR will be no different from something like PCI.
But for GDPR, if you don’t build the necessary knowledge / processes into everyone’s day jobs, your compliance program will falter. While data protection and privacy are everyone’s responsibility, they cannot, and will not be at the forefront of everyone’s mind as they work through an ordinary day.
There are some who are convinced that you can ‘operationalise’ the entirety of GDPR with ISO 27001. This is, of course, nonsense. However, the concept is perfectly valid in that ISO 27001’s goals are to:
- Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a comprehensive suite of information security controls and/or other forms of risk treatment;
- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs.