I love so many of the underlying principles of GDPR as it relates to protecting our personal data. I love the idea of us providing it for a specific purpose and it not being used beyond that. I love that it seeks to give us more control over access to (and erasure of) our data. I also love that the regulation has the potential to seriously bite organisations that don’t protect it. You’d be hard pressed to find anyone who disagrees with any of that.
However, there are many things I dislike about the narrative around GDPR. I dislike the confusion around so many aspects of the regs. I dislike the barrage of emails I got as we approached (and passed) May 25. And I especially dislike the aggressiveness with which so many people have pushed their interpretation of it. It’s almost as if GDPR is being used as weapon to attack rather than a tool to protect – let me give you a perfect example:
In the final days before the regs hit, Ghostery was trying their utmost to do the right thing yet somehow committed that cardinal sin so many of us have come close to doing before – putting all the recipients in the “to” line instead of “bcc”:
— The Register (@TheRegister) May 25, 2018
An honest (and highly embarrassing) mistake no doubt, but how did a bunch of people react? By jumping up and down and claiming that Ghostery would now be hit with a €20M fine (or 4% of gross annual worldwide turnover, should that be a larger number). Most rational people with an inkling of common sense would know that’s simply not going to happen; an organisation making a simple mistake whilst trying to do the right thing and than handling the subsequent communications in an ethical and responsible fashion is not going to get hit with the full whack of GDPR reserved for the worst offenders.
Here’s another one which invoked a similar set of GDPR-related commentary:
New breach: South African website ViewFines had 934k records breached this month including 778k unique email addresses, names, phone numbers and plain text passwords. 59% were already in @haveibeenpwned. Read more: https://t.co/APKtuI0YC7
— Have I Been Pwned (@haveibeenpwned) May 24, 2018
After the ViewFines data breach, I had a number of people flagging the South African company’s GDPR obligations. Yes, they’re well and truly outside of the EU but hey, they could have some Europeans’ data in there ergo they’ll be pinged under GDPR, right? But think it through: here we have company operating in a (very) foreign jurisdiction whose sole purpose is to process traffic fines. You have to be in the country for them to have your data end up in their system! And just before you shout “but extraterritoriality”, it’s not just whether a legal provision exists (it does), there’s the very important question of whether it has any chance of being enforced. Will a regulatory authority in the EU be able to successfully take action against a company in South Africa if, say, someone from France went on a holiday there and copped themselves a speeding fine? What does common sense tell you?
Which brings me to the new course and I put precisely this question to John Elliott whilst in London last month, only a couple of weeks after GDPR had hit. I’ve known John for a while via Pluralsight channels and we recorded 2 courses together that day, this one and another I’ll announce after it goes live. John is the best possible person I could think of to create a course of this nature: he’s a qualified Data Protection Officer for one of Europe’s largest brands, has a privacy degree and also an infosec background. Plus – and this is the really critical bit – he explains GDPR in a way that makes sense! I expressed my dismay earlier on at how difficult so many people seem to be making a regulation that has such commendable objectives but every time I speak to John about it, he cuts right through to the point and makes it dead simple to understand in ways I’ve just not seen anyone do before.
We talk specifically about cases like ViewFines and a rental car company in New Zealand. We cover how media outlets have been blocking folks from the EU and look at the way various organisations have been tackling their privacy policies. Of course, we also talk about penalties too and what levels will likely apply in what cases, plus how they’ll be enforced in jurisdictions outside the EU too. John also has some great resources to help people understand GDPR and indeed some really neat examples of where communication has been done exceptionally well.
Lastly, as I mentioned last week, I’ve also formally engaged John to help ensure Have I Been Pwned complies with GDPR. Some things are trivial (in fact, things that I didn’t expect would be) and other things require more work. It’s a significant investment on my behalf to do this too but I honestly couldn’t think of anyone better than John to do it. I’ll share a heap more information later on, I’m sure you’ll get a bit of a sense of some of the approaches we’ll be taking after listening to John in this video.
We wanted to produce this course now – after GDPR was in action – so that we could have a narrative on what we’re learning since it’s come into effect. There’s a million resources telling everyone all the things they should and should not do (and a good whack of those disagreeing with each other too), this course is a fresh take on things and is far more focused on what’s actually happening than it is speculating how the regs will be enforced.