If you could claim airmiles for every GDPR seminar attended, I’d be lazing on a beach somewhere in the Indian Ocean instead of reading on my office screen about Jan Koum resigning from Facebook. Jan Koum and I have very little in common. When it comes to personal wealth, for example, I am still working on plans to match his share of the $22 billion he and co-founder Brian Acton received from selling WhatsApp to Facebook. But we do share one preoccupation – data privacy. Press rumours suggest that his departure may have less to do with “taking some time off to do things I enjoy outside of technology” than with his disagreement with how Facebook is using WhatsApp’s personal data and changing its encryption standards. At a much humbler level, my concern is how to respond to the new data privacy environment that comes into force in a few weeks’ time on May 25 when GDPR, the Beast from the East (Brussels), finally arrives.
Let’s be frank. GDPR preparation has been a grind. GDPR seminars haven’t been much fun (does anyone know any GDPR jokes, let alone good ones?) and often confusing. I have attended at least two in which lawyers from the same firm have disagreed with each other on stage. And it has become clear that GDPR advice is often coloured by its source – legal firm, consultancy or software provider. And just when you think you have sorted out what your own firm must do, you are inundated by clients and suppliers expecting you to agree to their often-contradictory interpretations of the regulation. And, to cap it all, almost everyone involved whispers that none of it will make any sense until the lawyers come up with enough (expensive) case law to help us all navigate the new landscape.
So, is GDPR a puritanical piece of legislation incapable of being applied in the real world? Or is it an intelligent and prescient means to control the potentially limitless power of, among others, tech giants (and governments) to invade, steal, kidnap or sell our privacy?
My own opinion is that GDPR is an accidental work of genius. That’s the only way I can explain how an enormously complex piece of legislation (173 ‘recitals’) agreed in principle in June 2015 just happens to come into force only a few weeks after the Facebook/Cambridge Analytica debacle has radically reshaped how individual citizens and governments – and don’t forget tech shareholders – value data privacy.
And what is equally clear to me is that the issue of privacy is not confined to battles with and between governments and big tech. My own very small firm’s preparation for GDPR has, like everyone else’s, involved a substantial amount of thinking, writing, project management and system modifications. But the danger of all the changes in process and procedure is that they turn GDPR and its implementation into nothing more than an administrative marathon – a compliance rather than behavioural issue.
This danger struck me forcefully when I went on a tour of our offices in Manchester, Glasgow and Edinburgh armed with a PowerPoint presentation of GDPR do’s and don’ts. Less than two minutes into my first presentation, I abandoned it. I could see that my presentation and I were being greeted with all the interest and attention of schoolkids in Friday after-school detention.
So, I swapped my telescope for a microscope. Instead of focussing on the big and distant landscape of rules and regulation, I turned my gaze to the smaller and closer world of personal privacy. I simply asked one of our recruitment consultants (we are a recruitment consultancy) what she would, and would not, want done with her CV if she decided to look for a new job. The employee numbers in our offices outside London are relatively small. And this worked in my favour. It meant that, instead of a lecture from the CEO, the presentation turned into a discussion of what privacy meant in reality, rather than theoretically, to the consultants in the room. The discussion was both revealing and reassuring. It emerged that our consultants’ concerns about privacy and their own personal data actually mapped closely to the principles influencing our firm’s implementation of GDPR.
The overall message that has come through to me is that the success of GDPR will not come from the soulless implementation of processes and systems. They are a necessary but not sufficient condition for implementing “privacy by design”. The real success will come from focussing on – and communicating – the reasonable privacy concerns of individuals and how these are what GDPR intends to address. If these can be embedded into a company culture of privacy, GDPR becomes part of the furniture – albeit flat-packed and with confusing instructions.
I am loath to advise others on how to do things. But what I do recommend is that GDPR awareness / training should, if possible, be attempted interactively in smaller groups. What became clear from my own experience of discussion in such groups is that in the three years since GDPR was formulated there has been a shift in attitude towards data privacy. Where there once prevailed an attitude of automatically checking (or not unchecking) the box and “liking”, a greater, and healthier, degree of hesitation to share information automatically has emerged.
But what is also clear is that this has been accompanied by a mature and balanced view of the data privacy versus data sharing debate. Our internal discussions revealed no one who didn’t recognise the benefits of our new digital world, including social media. So, my GDPR road trip was not spent battling privacy ninjas.
My overall conclusion is that the issue of data privacy in general, and GDPR in particular, is necessarily complex and problematical. Accordingly, GDPR will best achieve its goals by being interpreted with sympathy for all parties, and implemented equitably and reasonably. And, most importantly, success will come from building a culture, rather than a regime, of privacy.
Privacy purists may of course disagree. I suspect Jan Koum does. But I also suspect that if I had just a few of his billions, I might be thinking more like him.