You wouldn’t use a sledgehammer to crack a nut. But that’s exactly what the General Data Protection Regulation (GDPR) has done.
History is replete with examples of lawmakers cracking down on a perceived problem, only to find that the legislation’s impact is negligible at best or, in some cases, makes things even worse. Prohibition, anyone?
In force since May 2018 and trumpeted as a new framework for data protection law, the General Data Protection Regulation is arguably another. While no one would seriously compare the fallout from GDPR to the bloody impact of Al Capone’s smuggling operation, the fact remains that, although well intentioned, its usefulness is far from certain.
GDPR applies to ‘personal data’. That covers anything from a person’s name, location, IP address and email address to the content they generate.
Designed to see off the abuses of Web 2.0, which saw our personal data plundered wholesale by bad actors, the regulation’s intentions were arguably pure and the new protections positively received. However, when it was first unveiled, everyone from online marketers to UX designers let out a collective groan loud enough to shake the snow off the Rockies.
Many marketers felt their hands would be tied, while UX designers were hit with a string of requirements to work around and policies to implement. Copy had to be carefully (and accurately) worded under pain of penalty. Creatives had to start thinking like lawyers.
It also caused sleepless nights for CEOs and CFOs, because of the potential for massive fines for infringements, not only in the event of a data breach. The maximum penalties are £17.5 million under the UK GDPR or €20 million under the EU GDPR, or 4% of annual global turnover, whichever is higher. As of April, regulators had fined rule-breakers a cumulative total of more than 2.6 billion euros.
While nobody would argue against the need to protect data, the question is, has the cure been worse than the disease?
As far as businesses are concerned it has caused two big problems.
The first is around compliance. Firms suddenly had a huge amount of additional legal legwork to deal with. This meant extra admin and paperwork, extra training for staff and far more of the dreaded ‘red tape’.
It also impacted businesses’ ability to innovate. Tech companies, especially startups, depend on customer data to hone their products, marketing campaigns and customer journeys. Fear of censure made firms more cautious. Smaller companies lack the in-house legal expertise that enterprises rely on to navigate complex rules or defend themselves if trouble arises. So some of them simply give up rather than take a risk.
A report released by the National Bureau of Economic Research found that GDPR had significantly stifled innovation in the app sector. Using data from the Google Play Store, it found GDPR led to the withdrawal of about a third of apps immediately after GDPR’s introduction, and in the quarters after, entry of new apps fell by half.
While some firms have simply become more cautious or withdrawn from markets altogether, others have handled things, shall we say, a little differently.
A recently published survey of 400 IT and security professionals found that 42% had been told to keep breaches confidential when they knew it should be reported. Nearly one-third (30%) said they actively avoided disclosing a breach themselves despite specific processes being in place.
The second big challenge is around effective enforcement. Can a single regulator in each country monitor and enforce legislation that covers such a vast number of companies and individuals?
Data privacy pressure group NOYB (None of Your Business) has submitted a string of complaints to regulators over alleged breaches of GDPR. Many of them are still sitting in a backlog of investigations, and its programme director has complained that the regulation is not enforced quickly enough.
Heavy-handed regulation coupled with ineffective enforcement is hampering efforts to achieve what GDPR set out to do: regulate Web 2.0. And if it can’t do that, how can legislation keep pace with the next phase of progress in technology, such as AI?
So, what’s the solution?
To return to the sledgehammer analogy: instead of using one to crack a nut, why not use a nutcracker, a tool designed for the job?
GDPR blankets everyone in the EU and UK, from individuals to multinationals. Surely it would make more sense for companies, especially tech companies, to be governed by specific, highly targeted rules that protect data while also allowing them to innovate and flourish, and that keep red tape to a minimum?
A collaborative approach between government and business would be far better for everyone: one based on education and support for companies, with punitive measures appropriately administered and enforced with teeth. That would free up regulators’ resources so that the real rule-breakers could be policed and punished.