What are your plans for Friday 25 May 2018? I suggest you take the day off, order a large pizza and a nice bottle of wine, and spend the day going through your rolodex and all the other filing / storage systems you have, shredding other people’s personal data!
In case you have spent the last 2 years living as a Trappist monk somewhere on a remote mountain top, I am talking about the General Data Protection Regulation; GDPR to its friends.
You may or may not be familiar with this seemingly innocent 4-letter acronym but, let me tell you, it is a pain in the neck to any organisation trying to do business. Basically, it was introduced two years ago as a replacement for the 1995 Data Protection Directive (DPD) but, unlike its predecessor, a ‘Regulation’ must be automatically adopted by the EU member states while the old ‘Directive’ required each country to pass a specific adoption law. The amount of preparation work needed to ensure and prove to the authorities that a company is embracing GDPR by not abusing personal data it happens to hold on ‘individuals’ is enough to give you nightmares. This vicious regulation will officially come into full effect throughout the European Union as of 25 May 2018. Companies who fail to apply it will risk being penalized 4% of their global annual income or €20 million, whichever is greater. Ouch!
This regulation will apply to all companies (EU registered or otherwise) who conduct business and happen to hold information about any EU citizen. I can enter a competition and give a company my name and telephone number so that they can call me to tell me I won a microwave oven. However, they cannot call me to ask me if I would like to enter another competition, or if I would like to drive a vintage Rolls Royce for an entire weekend, or to warn me there is a nuclear missile on its way to my house. In fact, my details must only be stored in one secure place on their data storage systems with limited authorized access. This applies to the humble business card that we so readily exchange with pretty much anybody and everybody we meet.
This simple and almost redundant piece of paper, measuring around 8.5cm by 5cm, is our method of telling new acquaintances how to spell our names and how to reach us by phone or mail in the future. It holds a hell of a lot of information, and that information is no longer open to anyone and everyone to do what the hell they like with. Say you met someone in a bar and he expressed interest in talking to you about a life insurance policy. He has given you permission to talk to him about life insurance and nothing else. Neither you nor any of your colleagues could subsequently call him and talk about anything else at all, except to ask him if you could call him in the future to talk about, say, household insurance, and if he says yes, then you can approach him.
Hundreds and hundreds of other sub-regulations are embedded in our friend GDPR that ALL staff must be familiar with. All of these little regulations are designed to protect us as individuals from the evil of commerce. Companies of a certain size and above have to employ a ‘data protection specialist’ to keep warning us if we stray and to file ‘breach reports’ every time we sin, thus increasing bureaucracy and decreasing productivity. However, we can still be legally hacked into, monitored, filmed and pulled in for questioning by all government and semi-government agencies, where they do not know how to spell GDPR, let alone apply it.
Over the last few months, our staff spent an inordinate amount of time and effort learning how to avoid breaking GDPR regulations where the ways of breaking the law are so much more prevalent than not breaking it, with all the mounting anxiety they are loaded with. We all have to question the wisdom of introducing such an overbearing piece of legislation. None of us knows for sure yet but, my guess is that GDPR will actually get in the way of conducting normal business.
Don’t get me wrong, I will do everything within my powers to ensure the full implementation of GDPR but, it does not mean I like it or think it is for the greater good. Gradually, individuals’ right to privacy and anonymity is being strengthened and as an individual who hates intrusion, I support and applaud such a trend. However, from a corporate perspective, this incremental restriction is sweeping away the legitimate business conduct of attempting to connect with willing participants, along with the excessive intrusion of so-called market research, analytics, and targeted profiling.
In the late Nineties, we wasted so much time and resources trying to avoid the “Millennium Bug”, only to find there was no bug to avoid, except in our collective paranoid minds. Twenty or so years down the line, we have found something else to feed our paranoia. At least with the Millennium Bug (how cute it now sounds!), we knew what to do to get rid of the bug should we come across it from the billions of lines of computer code we needed to inspect and then, at one minute past midnight on Saturday 1 January 2000, when the world did not come to a juddering halt, we stopped worrying about the bug and carried on partying for the entire weekend and beyond.
GDPR however, is more of a permanent feature in our lives and we will spend years and years adjusting and adapting to it and by the time we master its many intricacies, the devil will mate with GDPR and deliver a new child called GDPR-II. Oh joy of joys, I cannot wait!