GDPR, the new EU General Data Protection Regulation, comes into force on the 25th May 2018.
It brings in some fundamental changes to the laws protecting personal information of EU citizens.
In this short article I’m going to discuss some of the good points, some of the bad points and some of the potential dangers of GDPR.
On the surface, GDPR is a good idea – after all, who doesn’t want more protection for our data and our privacy in the modern and increasingly connected world?
It brings into line the data protection and privacy laws for all EU citizens. It solidifies the requirements on businesses for handling, storing and processing personal information and sets out the penalties for fundamental and systemic failures that we see all too often.
GDPR essentially puts the responsibility, and some might say burden, on organisations to protect personal information, especially information of a sensitive nature including medical records, financial data, political and religious beliefs, sexual orientation, union memberships and so on.
It gives individuals the right to question the information held about them by companies and organisations, and formally introduces the right to be forgotten – to have your data removed from their systems and databases should you ask.
Whilst this may be challenging for some organisations to implement, it is great news for all of us as individuals.
There are two main areas where I see the implementation of GDPR being problematic.
The first is in the interpretation of what businesses must do to comply. Many large multinational organisations will be able to throw significant sums and resources at being compliant. But as we know, all too often compliance doesn’t equate to security.
In these circumstances I think we’ll see many legal battles coming, where organisations handling our personal information have security breaches but attempt to avoid being penalised by proving they were compliant and that it wasn’t their fault or area of responsibility.
I also think we’ll see varying degrees of sloppy shouldering by organisations trying to avoid dealing with queries from individuals whilst also trying to blame processors and sub-processors for any breaches.
The second area I have concerns over is the massively lucrative FUD market. Fear, Uncertainty and Doubt is a great marketing tool for the unscrupulous to leverage in order to get small and medium businesses to part with hard-earned cash to ensure their “compliance” with GDPR.
I have already seen many businesses trying to leverage the fear around GDPR in order to make a fast buck.
I’m not saying by any stretch that all organisations offering support and advice to those trying to implement the changes required by GDPR are charlatans, but there are plenty of them out there offering dodgy advice on the back of the worries smaller businesses have around this new legislation.
My advice here is don’t believe any advice that isn’t practical, pragmatic and from trustworthy sources.
Then I come to a genuine worry I have with the changes being advised to businesses large and small.
As individuals, we’re going to be bombarded with a stream of ever more emails and communications from companies that hold any personal information about us.
This is going to be confusing, with every one being different to the last and all of them talking in potentially confusing terms around what the organisations in question are going to do with the information they hold.
This environment of mass communication and mass confusion is ripe for exploitation by hackers, phishers and other ne’er-do-wells looking to gain access to our personal information for malicious purposes.
This means that while dealing with all of these communications, we as individuals need to be extra vigilant: in responding to genuine GDPR policy updates, we must watch out for the inevitable scams that will enter our inboxes.