10 things I hate about the GDPR… a view on why some ambiguities in the GDPR could present issues for business, from a lawyer who advises on it
Implementation of the GDPR was a landmark moment for lawyers working within the data protection sphere. Never before, in my time of practising law anyway, had I come across a new piece of legislation that clients had not only heard about, but were proactively contacting me about.
There are many merits to the GDPR. Some of the well-publicised abuses of personal data reported on recently show that an overhaul of data protection legislation was overdue. Changes like requiring individuals to expressly opt in to marketing communications seem sensible and proportionate, and give us back some control over our personal data and over how and when we are contacted.
That said, in true Northern Irish style, the aim of this article is to have a good moan about some of the more painful aspects of the GDPR (or of the way it has been interpreted) now that the dust has settled on the mad rush to “GDPR deadline day”.
- Y2K Cliff Edge: Unlike anything else before it in my lifetime, except perhaps Y2K, the GDPR has struck terror into the hearts of CEOs and business owners across the country. In the run-up to 25 May 2018 it was incredible how many people were scrambling to issue hastily cobbled-together privacy policies before midnight on deadline day, for fear of the looming threat of fines of up to €20 million or 4% of annual global turnover, whichever is higher. Whilst the reality is that fines of anything like that magnitude are likely to be reserved for the worst offenders, a little more nuance in the drafting of the legislation wouldn’t have hurt – 4% of annual turnover is more than many businesses earn in profit.
- Bad Advice: The GDPR seems to have had a unique ability to attract a swarming cottage industry of overnight experts (sometimes with little to no background in advising on the law), who expanded their burgeoning service offerings to cover GDPR compliance advice when they saw that there was money to be made. That’s obviously the nature of business, but it has meant many clients have received questionable advice from consultants lacking a detailed understanding of the legislation. One example is a client that held clearly signed consent forms with opt-ins to marketing communications, who had been told that they had to send out a “double opt-in” email to everyone on their marketing database. Where consent already meets the GDPR standard (freely given, specific, informed and unambiguous, and evidenced) there is no requirement to obtain it again, so what better way to decimate your mailing list overnight?
- Proportionality: As drafted, the GDPR applies equally to all processing of personal data, at any scale; the only real concession to smaller organisations is the limited carve-out from the Article 30 record-keeping duty for businesses with fewer than 250 employees, and even that falls away where the processing is not occasional or involves special-category data. This has some fairly bizarre implications when you play it out, such as, on a literal reading, a strict requirement to recite a short-form privacy notice every time someone hands you a business card at a networking event.
- Business Value: As a predominantly Contracts and IP focussed lawyer who also works in data protection, my main aim has always been to try and use the law in ways that help clients to make money or properly protect themselves, whether that’s assisting with trade mark registrations to develop an IP portfolio, drafting sub-licensing terms to help a client monetise their software or reviewing contracts to prepare for investment.
With the GDPR, I’ve found myself having to help organisations wade through detailed questionnaires or assist them in producing vast spreadsheets listing and mapping the processing of every item of personal data within the organisation. Is this really the best use of time or money for EU-based companies who are struggling to compete in a truly global economy?
- Poor Drafting: The GDPR is, speaking personally, probably one of the most complex and inaccessible pieces of legislation I’ve looked at since starting out as a lawyer. The language doesn’t help, especially when the GDPR itself requires clients to use clear and plain language in their own privacy policies. Non-specific requirements, such as the Article 32 obligation to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (the Regulation’s security standard is deliberately risk-based rather than prescriptive; “reasonable steps” is the test it applies to the accuracy of data, not to security), have caused massive headaches for those working in the information security sector trying to decide just how secure their systems need to be to comply, particularly in the absence of clear guidance from regulatory bodies. Article 32 does list examples, including pseudonymisation and encryption, the ability to restore availability after an incident and regular testing of the measures in place, but it stops short of saying what is enough. The costs of dealing with these issues have fallen on businesses, who are required to spend significant amounts of time and money on compliance measures with little to no tangible impact on privacy.
- Notification: The GDPR requires a controller to notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); where the breach is likely to result in a high risk, the affected individuals must also be told without undue delay (Article 34), and a processor must in turn notify its controller without undue delay. Yet a survey undertaken just prior to implementation showed that fewer than two-thirds (63%) of global organisations claimed to have a notification process in place for their customers, while a fifth (21%) said they were able to inform their data protection authority but not their customers, contravening a key requirement of the Regulation. In practice the 72-hour clock means the detection, triage and escalation path has to exist before the incident: who declares a breach, who assesses the risk to individuals and who drafts the notification cannot be worked out on the first day.
- Unintended Consequences: One of the GDPR’s requirements is that a data processor is not allowed to engage another sub-processor without the prior written authorisation of the data controller (Article 28(2)). The controller may give a general authorisation, in which case the processor need only inform it of intended changes and give it the opportunity to object, but absent any proviso about the reasonableness of withholding authorisation or of objecting, this could give rise to issues like a controller vetoing its processor changing providers in the event of a dispute, or a situation where the controller has a vested interest in its processor using a specific provider.
- Impact on EU Processors with non-EU Clients: Because the GDPR applies to processing carried out in the context of the activities of a processor established in the EU, whatever the origin of the data (Article 3(1)), using an EU-based processor can drag a non-EU client’s data into the Regulation’s scope. So a non-EU processor may be preferred over an EU processor even where the EU-based processor offers a better and more competitive service. This was probably an unintended consequence of the legislation.
- Information Overload: In my view, the GDPR’s transparency requirements also produce information overload. Whilst I (sadly) draft them for a living, I think most people aren’t concerned with the fine print of privacy policies, hearing lengthy data protection notices recited at the start of routine business calls, or receiving the vast tidal wave of increasingly desperate-sounding opt-in emails that hit our inboxes throughout May. Whilst privacy notices are important, and keep a business accountable, the requirements of the GDPR in this regard impose perhaps too much of a burden.
- Data as a Liability rather than an Asset: As almost any business owner will know, customer data is one of the most valuable assets a business can hold, helping to reduce operational costs, drive demand and improve innovation. The GDPR seems to shift the paradigm towards a view of data as a potential liability, with strict requirements not to hold it for any longer than necessary. This in turn may chill data-driven innovation, as companies hold back from collecting or storing data for fear of enforcement action.
Like it or not, the GDPR looks like it’s here to stay, even in a post-Brexit world. Businesses will have to tread a fine line to ensure that they balance commercial pragmatism with staying compliant with this piece of vague and, at the time of writing, entirely untested legislation.
If you or your business requires further advice or assistance navigating any of the above, please contact:
Director – Contracts and Technology Department
Tel: +44 (0) 28 9055 3306
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.