GDPR is in force now. And my opinion of it, in isolation, as a piece of legislation, is mostly positive. It does provide better protection of people’s data and gives people rights in regard to their data.
Yes, there are a bunch of aspects that could’ve been done better — it could’ve been easier to read, it could’ve been clearer, it could’ve followed the good legislative practice of not having multiple use cases (hypotheses) in a single sentence, it could’ve been explicit about some important aspects rather than leaving them at the end of long recitals (my favourite — the last sentences of Recital 26), and it could’ve not left countries to decide on where the line between journalism and data protection lies (because, hint, countries with worse press freedom will now have things even worse).
But these are things that can be corrected, some are technicalities, and they are not the biggest problem of the Regulation. The biggest problem actually lies outside of the Regulation, so it’s not technically its fault. But it doesn’t exist in isolation.
The great sin here is that nobody cared to explain, in simple terms and with practical examples, what the hell it means. Opportunistic consultants took their chance and scared the shit out of everyone: you will be fined 20 million euro literally on the 26th if you are not compliant. Some were friendlier and less scary, but still made sure to point out that, you see, the fines are 20 MILLION EURO (or 4% of annual turnover).
Articles and websites that should’ve been informative actually weren’t; they perpetuated myths, or at least weren’t explicit enough about certain things (e.g. when consent is actually needed), which only fed those myths.
When I wrote GDPR — a practical guide last autumn I didn’t realize how valuable a resource it would be. Many people in the comments, on reddit and on hacker news (it was submitted multiple times) said roughly this: “Finally this Regulation makes sense to me”. That’s because I took the time to go into the details of practical situations and clarify what the Regulation means there.
But why should a software guy with just a year and a half of legislative experience be the one to explain things? People (rightly so) should not take my positions as authoritative — yes, I’m a consultant, but I’m neither a lawyer, nor a supervisory authority, nor the European Commission. Just some guy who happens to know both technology and law.
“Oh, but the WP29 has put out a lot of useful information”. WP29. Working Party 29. Why 29? Article 29 of the previous Directive. How would anyone who’s not a GDPR or personal data expert know what WP29 is? But let’s assume you somehow learn that the group responsible for the old Directive will be writing guidelines for the new Regulation. You google it, go to the website…and you’re lost. You realize maybe “Guidelines” is the right menu, so here you are — staring at a list of ugly items, which lead to pages with links to PDFs. Awesome. In the great bureaucratic tradition, the useful information is “in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’” (per Douglas Adams).
There’s also the EDPS, and the new Data Protection Board (which doesn’t have a website, of course). And the European Commission itself. And the national supervisory authorities. And nobody thought it might be worth putting up an explanation of the standard, typical use cases in a human-readable, easy to understand way. (The ICO, the British authority, has, in fairness, tried to do that, and there are many useful answers there, but it’s still far from perfect.)
What we were left with was a bunch of consultants and lawyers who had a vested interest in creating a panic around the Regulation, and nobody to tell small businesses (and even big businesses) the right way to read it.
And they shouldn’t worry. Really. I’ve been trying to explain to as many people as I’ve had the chance to that it’s not forbidden to process personal data, that the guidance prescribes a process of recommendations before it ever gets to an actual fine, and that you don’t need to pay thousands of euros to consultants. That their small website is low risk, with little (if any) personal data, and there’s nothing to worry about. But no. Somebody said that “if you store IP addresses, you can be fined”. And people incorrectly assess their own risk as high. And kill their projects.
Small businesses can’t and won’t pay the consultants, so they’re left with breadcrumbs they can find online, and there’s a loooot of noise. And they’ll do unnecessary things and won’t do the necessary things because they don’t know.
GDPR itself is fine. So the “sin” lies not with the Regulation itself, but with everything that surrounds it. With time this chaos will settle. But this is not an ordinary piece of legislation that matters only to a particular sector, where lawyers are the only ones who have to understand it. And I hope this is a lesson for bureaucrats: when you make a change that impacts so many businesses and activities, you should also make sure that change is well understood. Otherwise you are creating more problems, at least in the short term, than you intended to solve.
Put up a website for the Data Protection Board. A small, clear website with an easy to navigate list of frequently asked questions. What should I do if I store IPs in my logs? Do I have to do something if I have a mailing list? What if I have a public forum or IRC channel? What should I do about my Facebook and Google plugins that bring tracking cookies with them? Should I ask for consent, and when? How do I implement this data subject right in an online shop?
These are things that many, many people have asked, and no authority has given an answer. The answer has been left to speculation, which has had negative effects.
Again, I’m sure this smoke will clear soon. But my urge for easy to use, accessible resources remains. They will surely help people understand the Regulation and be less scared of processing personal data.