Part I: Speeding Cars: How to Stop Driving Above the GDPR Speed Limit

With the introduction of the GDPR, the rules of the data privacy road suddenly and significantly changed. Almost overnight, organisations had to consciously think about their proposed collection and use of data, how it could affect their customers, and whether it was lawful and ethical. They also had to suddenly consider whether this data collection and use should even be done at all. The problem is that many companies got so used to processing data how they wanted, that they are now having trouble slowing down. Most companies are driving just above the speed limit when it comes to data protection and privacy: they aren’t going twice as fast as they should be, but they’re not exactly following the rules properly either.

What’s more is that when everyone else is driving fast, we tend to think that we can blend in, and that we can’t be or won’t get caught. The core psychological concept behind this is the theory of deindividuation. This means that in groups we become less aware of our own behaviour, or less critical of ourselves (even if our behaviour is wrong) because we don’t think we can be personally identified. It’s hard to be self-aware and self-critical when you have a false sense of security. This feeling stays until the speed camera goes off, and then you are subject to the full exposure and GDPR penalties that come with your mistakes, which can in many cases be significant, not just financially but also in terms of potential reputational damage.

The challenge that faces the organisation is: How do we unlock data potential to engage in digital transformation and innovation if we cannot collect, share and repurpose the data that will fuel it?

THE CURRENT STATE OF PLAY

Companies in the AdTech, marketing, financial sectors and other areas have mostly settled for what exists now in terms of data protection. Either they:

• Anonymise data in the hopes of taking it out of the GDPR, losing valuable data utility.
• Delete the data because it becomes too hard to use.
• Continue to use the data, knowing or suspecting that their behaviour is not GDPR-compliant.

The third category is what we need to consider: how are organisations acting when they know that they cannot or do not want to comply with regulation? In addition, if they want to comply but they see it as too difficult, how can they get there? If there seems to be no real oversight, why should companies change?

While there are Data Protection Authorities (DPAs) tasked with enforcing compliance in each jurisdiction, it is hard to reconcile country-by-country approaches with the overall rules in the GDPR. The purpose of the in-country DPAs is to act as independent authorities that provide advice and guidance on compliance, promote public awareness, provide information to data subjects, and handle complaints. Their stated purpose under the GDPR is to “protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data.” The rate of fines imposed by these DPAs in each country rapidly ramped up throughout 2019, indicating that they will begin “cracking the whip” a bit more when it comes to GDPR enforcement.

However, some of the reasons why businesses and organisations struggle with compliance are:

• Anonymisation is difficult to carry out, and even businesses who are trying to do the right thing are failing in some cases. This leaves them subject to GDPR rules, even though they think they have stepped outside the regulatory framework.
• Many companies have collected huge amounts of data that would give them a competitive advantage, and they are hesitant to lose this.
• Use of Big Data analytics, AI, ML is now widespread, and provides significant benefits for organisations.
• Industry practices are slow to change, and companies do not want to be the only one following the rules if it means that they lose revenue or competitive advantage because of it. 
• There is not enough coherent or clear guidance across the EU (and sometimes guidance varies country-by-country) on how companies can lawfully use data.
• Even if a company wants to comply, in some cases they vastly underestimate how long it takes to establish robust and effective organisational policies and procedures. 
• The GDPR is just hard: many organisations don’t know that their compliance efforts are not good enough.

CATCHING SPEEDING CARS

Many organisations have continued with business-as-usual, but have not considered that at some point a greater GDPR crackdown will apply to them.

However, when “speed cameras” have been switched off for so long (inadequate oversight), and then suddenly they are turned on, the processes and systems that are built to handle this are inadequate, because everyone is speeding. Handling thousands of cases of non-compliance puts pressure on regulators, and companies are forced to very quickly rethink their approaches, and re-configure their ethical compasses.

A number of large companies have been caught out by regulators in the past year, which can serve as examples for smaller companies seeing some of the issues. For example, even corporate giants are struggling to comply with the GDPR: in 2018 Google was fined €50 million by the French Data Protection Authority, CNIL. The fine was because Google had not been sufficiently transparent with customers, nor had they provided enough information about how personal data would be processed to personalise ads. In response, Google noted in a statement that they are “deeply committed to meeting ... expectations and the consent requirements of the GDPR.” However, it was also clear that the remedy was not immediately obvious, as they responded that they “studying the decision to determine ... next steps.”

Another large fine was levied against British Airways in 2019, after a data breach left the data of customers exposed. This fine was a record-breaking $230 million from the ICO in the UK, which stated that all companies must take, “appropriate steps to protect fundamental privacy rights.” The breach primarily occurred because of poor security arrangements, which left identifying customer data vulnerable to exposure.

Finally, Pricewaterhouse Coopers was also subject to a fine from the Greek HDPA (Hellenic Data Protection Authority) after they unlawfully processed the data of their employees. The processing was unlawful because they had informed the employees that they were processing under the grounds of consent, when they were actually processing under another ground (contract and legitimate interests). The Greek DPA also noted that the consent could not be “freely given” because of “the clear imbalance between the parties.” 

When these large companies are being caught out, despite the huge resources (legal, technical, and financial) at their disposal, small- and medium-size businesses have a much lower chance of meeting the compliance requirements. 

In addition, when smaller companies see that larger organisations continue to process in a “business as usual” manner, why should they take on the huge costs of compliance when large market competitors do not? The issue that many are facing is that without secondary data processing or repurposing, companies simply cannot compete, and compliance problems loom large. 

When those issues are combined with a general feeling of “everyone else is doing it,” the incentive to comply with the GDPR is low. However, in the past year a large number of actions have been taken by DPAs around the EU, indicating that the speed cameras have been turned on, and a change is coming. The issue is that companies still want and need to make the most out of data, so that they can develop better products, engage on a more personal level with customers, and stay competitive in their industries. Looking at solutions to unlock this data potential will become vital, within the new GDPR rules of the road. 

In Part II of this article we will cover the example of the AdTech industry, and the core solution that Anonos has proposed for shifting towards GDPR compliance in a way that allows businesses to still move fast, but without the potential risks that come with speeding.