How the GDPR will damage personal data security

The GDPR should enhance the protection of personal data across the EU and beyond. That's one of the core functions of the legislation - along with improved harmonisation of data protection law within the EU. However, having spent much of the last 9 months helping clients to prepare for the GDPR, I'm concerned that the new law may have some material negative effects on privacy protection.

In this post I highlight some of these unintended consequences.

Bringing data protection into disrepute

Of all the pieces of legislation I've advised upon over the past 18 years, the GDPR is in many respects the worst. The increasingly vital principles of privacy protection are utterly compromised by excessive complexity, petty bureaucratic requirements and interpretative problems. The rebarbative and robotic language (of the English text, at least) doesn't help, especially alongside injunctions for organisations to use clear and plain language in their own data protection documents. Most seriously, many fairly typical business situations do not fit easily, or at all, into the scheme of the legislation.

The immediate costs of dealing with this mess fall upon businesses. They are having to expend significant resources to comply and to re-engineer their businesses in ways which have little or no obvious privacy benefit, and they are not impressed.

Big business > small business

Complex legislation designed to regulate big business can mean big problems for SMEs. In the case of micro-businesses, the choice may be between operating in breach of the legislation and not operating at all. Smaller businesses which cannot demonstrate compliance are less likely to be selected as suppliers to larger businesses. Although many SMEs have weak IT security, it is big business which usually presents the bigger risk, simply because it holds the big data.

Insofar as the legislation helps big business at the expense of SMEs, it may hinder privacy protection.

New records, new services

The petty bureaucratic requirements include record-keeping obligations. Insofar as the additional records contain personal data, they present an additional security risk. In addition, some businesses are using third-party service providers to help with compliance. For example, an industry has sprung up to help websites verify that their users are not children, or that users who are children have parental consent to their activities. Verification services need to operate at scale, resulting in large databases of potentially sensitive information. The operators of some of these services do not themselves have good security records.

EU customers and non-EU suppliers

The international transfer rules governing the transfer of personal data from within the EU can be difficult to comply with, for example with respect to transfers from an EU processor to a sub-processor that is outside the EU and not in a country with an "adequacy ruling" from the Commission. There will be situations where EU customers choose EU-based suppliers over suppliers outside the EU even where the latter have better security arrangements and/or lower overall risks.

I don't know if this consequence was unintended.

Non-EU customers and EU suppliers

Because the GDPR can regulate the processing of personal data originating outside the EU by a processor situated within the EU, the use of EU-based processors can cause problems for non-EU customers. So, a non-EU processor may be preferred over an EU processor even where the latter wins on security. I know of several companies that are, or are considering, setting up US subsidiaries to handle their US-based clients, and the GDPR is one important driver of this trend.

I'm guessing that this consequence was unintended.

Security budgets

Put simply, money which could be spent improving security is being spent completing detailed questionnaires and producing vast spreadsheets listing and mapping every item of data processed by an organisation. Perhaps some of the blame for this falls on lawyers and consultants who are making money out of the process, but the GDPR's philosophy of compliance (it's de facto impossible, but if you try really, really hard you'll probably be OK) is one fundamental reason for this wastage.

Ransomer's delight

I'm expecting that the massive maximum fines, combined with the difficulty of achieving cast-iron compliance, will lend further impetus to the already thriving ransomware industry.

Comments

Hi Alasdair. I have been following your posts about GDPR during the exhausting update and application of the law changes. I completely agree when you argue that for medium-sized businesses it's been tremendously challenging to avoid operating in breach of the legislation due to the demanding and complex changes that must be carried out. In the transportation sector, where I belong, this has been particularly sensitive. In past years, we kept data protected following the essential law principles within our field, which could be easily found everywhere. Now we have been struggling with everything and, as you say, this struggle can lead to deficiencies in applying GDPR, which is the last thing we want. It is hard to navigate among all the data.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Thanks to this publication we are able to keep up with big organizations with plenty of resources. Keep up the good work, Alasdair.

Nelson P.R. 
