Among the out-takes on the virtual floor of our virtual video editing room are several clips of me interrupting interviews when people talk about the GDPR fines of up to 4% of global turnover. They are, I have to say, slightly embarrassing to watch as I lay into people to ask if they have something more constructive to talk about, and I apologise to them. They are not the real targets of what have, with some justification, been called my “GDPR rants”.
As I have observed here before, I have been known when moderating panels in the US to ask the audience to name the first thing that comes to mind when the GDPR is mentioned. Always it is the fines. It is time to move the discussion to the actual likely effect on businesses large and small, not ignoring the fines, but equally not implying that every organisation is at risk of being handed fines at the maximum level for the slightest default.
At Legaltech, I was invited to go and talk to Rob Robinson, Doug Austin and others from CloudNine. I don’t usually agree to such invitations from non-sponsors because they take me out of an already overflowing stream of things to do at Legaltech, but I have known Rob Robinson for many years and he gave me my first introduction to US eDiscovery writing. There was also an invitation to be interviewed by Doug Austin whose eDiscovery Daily Blog came top of the recent list of Top 60 eDiscovery Blogs and Websites for eDiscovery Professionals assembled by Feedspot (I wrote about it here) and I welcomed the opportunity to reach his wide audience.
We never actually got to the interview. I had just come from delivering one of my “rants” about GDPR marketing, and carried on with it at our meeting – to be fair, that was what they asked about.
A few days ago, Doug Austin sent me what is effectively a transcript of my rant. I generally reject written versions of spontaneous (as opposed to planned) discussions because one phrases things differently when speaking informally and when writing. The stream-of-consciousness outpourings were not quite as I wanted to be seen in print.
There is too much else going on for me to stop and rewrite it and, anyway, that would have seemed rude. Instead, I asked Doug Austin to make it clear at the top of the article that it was a rough transcript of our discussion, made a few minor corrections where either I had been misheard or really did repent of my choice of words, and authorised publication. It was published with the title Chris Dale of the eDisclosure Information Project: eDiscovery Trends 2018.
At one extreme we have good and authoritative people who, to my eye, have merely got that emphasis wrong; at the other we have what I am quoted as having impolitely called the “pig ignorance” of the many non-experts who have climbed on the GDPR bandwagon. There was, for example, a heavily-promoted tweet in my Twitter timeline recently for an outfit previously unknown to me which was touting its GDPR expertise; the first paragraph of its home page contained a gross error. There is another one whose get-up and URL are cunningly designed to look like an official EU website; if you have to resort to such near-fraudulent means to gain an audience, the content is unlikely to be impressive.
By chance, on the same day that Doug Austin released this interview, I came across a tweet from the respected commentator @PrivacyMatters (Pat Walshe) which echoed my own thoughts:
That led me to something I had missed, a speech by the UK Information Commissioner Elizabeth Denham at the Data Protection Practitioners Conference on 9 April. Her speech included a section on enforcement which it is worth quoting from rather than merely linking to:
Anyway, I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.
Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action.
It’s not just about fines though, is it? The GDPR has handed the ICO a whole new set of tools to motivate organisations towards compliance. Privacy by default and design, codes of practice, privacy seals, Data Protection Impact Assessments, accountability mechanisms, data protection officers …all these things – and more – form an integrated package.
All of them are necessary; none of them is sufficient on their own.
And when we do need to apply a sanction, fines will not always be the most appropriate or effective choice.
Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data.
None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line.
Elizabeth Denham’s speech in fact opened with a reference to Facebook and Cambridge Analytica. As I write, Cambridge Analytica is busy sending threatening letters to those who write about it, and Mark Zuckerberg of Facebook has been carefully running rings round some old people at the US Senate. Substantial litigation is threatened against more than one player here.
Let’s take a parallel from, say, driving. Imagine a road safety campaign which was targeted at those who are caught for the third time driving at 100 miles an hour in a built-up area, without tax, insurance or road-worthiness certificate while fuelled by drink and drugs. That is likely to pass right over the heads of the vast majority of drivers who would dismiss the campaign as being of no relevance to them. Meanwhile, in the last few days, an English journalist was whining on Twitter about being fined for driving at 36 mph on a rural road for which the limit was 30 mph. The tweet attracted a hail of complaints, not least because rural roads are the scene of most accidents. The audience for “marketing” against this sort of conduct is many times greater than that for the very serious offences.
The challenge for GDPR marketers is this: what can you say to that much wider audience about the services you can offer without waving the very big stick relevant only to a handful? Further, have you anything positive to say, any suggestions about how businesses might be better run, attract more customers and investors, and make more money, by initiating policies which comply with the GDPR?
You might get some idea from my recent interview with Hal Marcus of OpenText which focuses on the information governance opportunities given by GDPR compliance and on how the GDPR “is forcing an overarching review and pointing up the need for a comprehensive strategy”.