Unintended Consequences of GDPR
Richard Stiennon
On a mission to provide actionable insights and foster informed decision-making with complete data on the cybersecurity industry.
First published in Forbes
The looming imposition of a new data protection regulation in the EU is already sending tremors through the legal and IT worlds as organizations wake up to the fact that by May 25, 2018, they have to comply with the most intrusive technology regulation ever.
Law firms and consulting firms are starting to use phrases like “this is Y2K all over again.” You could see it coming for the last two years but nobody did anything about it. My take is that companies are waiting until the deadline is in the same budget year. That means that on January 1, 2018 there will be a mad scramble as executives and boards wake up to the fact that non-compliance could be very expensive.
GDPR applies to any organization, wherever it is based, that processes personal data on people in the EU in connection with offering them goods or services or monitoring their behaviour. That means that if you want to do business in Europe you have to invest in compliance.
Let me recap. The EU General Data Protection Regulation is a 261 page document with 99 articles and 173 “Whereases.” When it begins to apply on May 25, 2018 it will cover any organization that collects or processes data on people who reside in the 28 member countries of the European Union. Some of the more visible requirements include:
-72 hour breach notification. Under Article 33 an organization has 72 hours from becoming aware of a personal data breach to notify the competent supervisory authority, unless the breach is unlikely to result in a risk to the people affected. The regulation allows the details to be supplied in phases if they are not all known at once, but the clock starts at awareness. I don’t know any companies that can pull their stories together fast enough to comply with this. They have to 1. Determine what happened. 2. Put in controls to stop it from happening again. And 3. Figure out how to message it.
-Hire a Data Protection Officer. Article 37 makes this mandatory for public bodies and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data, but many companies outside those categories are appointing one anyway. This one is causing a lot of debate. Can we just give the CISO the DPO title? (No). Can we outsource the role? (Maybe). Where do we find someone who understands data privacy, security, and all the legal stuff? (Great question.)
-Articles 15 and 17, the Right of Access and the Right to Erasure. Any EU data subject can ask any organization for a copy of all the personal data it holds on them (Article 15) and, in many circumstances, demand that the data be erased (Article 17). The controller has one month to respond, extendable by a further two months for complex or numerous requests (Article 12).
One of the overlooked aspects of GDPR is that it has some very loose statements about adequate security for personal data. Article 32 requires “appropriate technical and organisational measures” judged against “the state of the art” and the cost of implementation, without saying what those measures are, a litigator’s dream.
What about the fines for non-compliance? Think about this: for the most serious infringements, twenty million euros or four percent of global annual turnover for the preceding financial year, whichever is greater. Just to put that in perspective: 4% of Amazon’s revenue (2016) would be $5.44 BILLION, of Google’s $3.6 billion, Facebook $1.1 billion, Netflix, a mere $352 million. You can do the math on your own company.
So what could the unintended consequences be of imposing a massive new regulation on the healthiest component of the global economy, the digital market? For one, expenses go up so profitability goes down. Lower profitability means lower investment, fewer startups, and slower growth.
Another consequence could be that GDPR severely restricts access to technology for EU residents and companies. The technology industry is practically defined by the Two-People-in-a-Garage trope. The vast majority of the 3,122,110 apps in the iTunes AppStore 1. Are created by small companies and 2. Collect a lot of personal information. Every internet startup dreams of getting their first million users and they get there by going viral with inexpensive, often free software. Their model is collect info and use Big Data to extract value.
But now they will fall under GDPR because they will have personal data on EU residents. The definition of personal data includes IP address, geolocation, home address, email address, and on and on.
One way to avoid the cost of compliance, of hiring a DPO ($150K), building in controls, creating a 72 hour breach notification ability, is just don’t collect data on EU residents. Make them click a button asserting that they do not reside in the EU before installing. Or use geo-location to block them altogether. Neither check is watertight: IP geolocation misfires on VPNs, roaming users and corporate egress points, and a click-through declaration does not move someone who is actually in the EU outside the regulation’s scope, so the legal cover is thinner than the mechanism suggests.
This means the EU will be cutting itself off from the latest and greatest technology. Want to install the newest secure communications app? Sorry. How about that new business app for managing contacts, or accounting? Not available in the EU. That new VR/AR game that is taking the world by storm? Sorry, only people outside the EU get to experience it.
I predict even tech startups based in the EU will choose to sell only to foreign markets when they launch.
This is a major problem for the EU. It will be disruptive in the extreme and add new digital borders that the internet does not need. GDPR will accelerate the trend towards digital mercantilism.
On a mission to provide actionable insights and foster informed decision-making with complete data on the cybersecurity industry.
6 years ago: Trend Micro has a good writeup on this. https://www.trendmicro.com/vinfo/gb/security/news/online-privacy/closing-shop-or-closing-off-companies-respond-to-gdpr
Test Engineer at Kodiak Networks
6 years ago: Here's something to think about: how many of the 4694046490 apps on the App Store that were purportedly made by single developers are genuinely useful and are, or are supposed to be, collecting users' personal information? I, for one, welcome startups that build something I can use that isn't built on top of a singular desire to monetize my personal information.
Student at Algonquin College of Applied Arts and Technology
6 years ago: What do you all think of this? "The controller could argue that his organisation offers data subjects genuine choice if they were able to choose between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand. As long as there is a possibility to have the contract performed or the contracted service delivered by this controller without consenting to the other or additional data use in question, this means there is no longer a conditional service. However, both services need to be genuinely equivalent." Essentially, Google, Facebook, Twitter, pretty much the whole internet will now become subscription based. Such a great law.
On a mission to provide actionable insights and foster informed decision-making with complete data on the cybersecurity industry.
6 years ago: Mikko Hypponen has listed more companies that are restricting access from EU residents. https://twitter.com/mikko/status/992379231479967745 This thread has over half a million views already.
On a mission to provide actionable insights and foster informed decision-making with complete data on the cybersecurity industry.
6 years ago: Here is one more. An online game shuts down, blaming the cost of GDPR compliance. https://www.polygon.com/2018/4/28/17295498/super-monday-night-combat-shutting-down-gdpr