GDPR and the End of the World

By the time you read this, it will be apparent that the EU's General Data Protection Regulation (GDPR) didn't cause a global calamity when the calendar reached the May 25 deadline for compliance. It didn't knock humanity back to the dark ages any more than Y2K did 18 years ago.

Back then, thanks to the work of thousands of IT professionals -- plus the ongoing migration to more modern IT systems with four-digit year fields built in -- New Year's Day in 2000 didn't see travel reservation, communication, and financial systems falling apart.

Now, despite the ominous warnings from marketers throughout the tech sector, the EU's privacy police won't be executing SWAT-team style raids on innocent businesses this weekend, seizing computers and freezing bank accounts. Companies won't be laying off thousands of workers because GDPR put them out of business.

To be honest, I would be thrilled if I never again saw the words "a fine up to €20 million or up to 4% of the annual worldwide revenue." In recent months, not a day has gone by when I didn't get a marketing email with that phrase and today's date in the first two paragraphs.

Some observations on the rush to the deadline:

Face it, GDPR is long overdue, and I hope that even companies that have no presence in Europe or data about EU residents will adopt its concepts. About a year ago I interviewed some GDPR experts, and their advice to non-EU companies was simple: Being able to say that you are GDPR compliant, even if you don't have to be, is one heck of a good branding tool. It tells your customers that you care about their privacy.

Those same experts explained that for all of the fear about huge fines for violations, the key for regulators will be evidence on whether companies are making good faith efforts and progress to protect private information. As lawyers like to say, there is the letter of the law and the spirit of the law. Respect the spirit, and do the best you can with the letter.

Of course, what has been tough about GDPR is that it came about after decades when many organizations got sloppy in terms of how they protected data, and how they used/abused that data. So, it has meant looking not only at privacy policies but security, business processes, and even services offered. Under GDPR, companies are expected to honor privacy requests, be open about how they use citizens' data, and protect that data. Is there anything in those three requirements that doesn't make sense.

Consider the causes of the most infamous data breaches of recent years. Would anyone argue that it makes sense to design a network that is shared by the HVAC system and the consumer-facing point of sale system? Would you say it's OK to neglect to install patches to credit reporting systems that hold the life stories of millions of people?

Is there any excuse today for systems that allow people to use "password" as a password?

Consider the marketing people -- found in every organization -- who live by the motto "let them opt out if they need, but just don't make it too easy." GDPR says that the motto should be more along the lines of "invite them to opt in." Big difference in mindsets.

GDPR says that privacy policies have to be easy to understand. Go ahead, read the terms of service and privacy notices for Google and other "search" firms, Facebook and other social media companies, Microsoft, and other tech or cloud providers. Explain to a coworker what all that legaleze says about what those companies can do with your data. Go ahead, explain it in 25 words or less.

In fact, they aren't just tech companies these days, they are data companies, making more money off what they learn about us than on any technology that they sell. (Note, I work in an industry where we collect and utilize data as well).

Somehow we have lost sight of how businesses need to build good products and offer good services. Maybe the issue is rooted in the tired saying, "data is the new oil."

There's nothing in GDPR that says companies cannot use data for marketing and sales, to better support customers, to understand what their competitors are doing, or to design and build better products and services. GDPR shifts the fulcrum point just a bit, giving primacy to privacy over profit. How can that be a bad thing?

In the past two days I've received three GDPR-related notices from EU-based companies that I've never done business with, at least that I can recall. They could have acquired my contact information from any number of sources. Their message was simple: If you don't respond we won't bother you again. You have to admit, there's something refreshing about that.

Today doesn't mark the end of GDPR preparations; compliance will be an ongoing thing. Today certainly doesn't mark the end of privacy concerns, whether in the EU or Anywhere USA. Maybe today is just about recognition that it's time to reflect on what makes sense when it comes to privacy and a reminder that business people across any organization need to give privacy the respect that it deserves.