And They're Off! GDPR Goes LIVE
So, as expected, the runners have been chomping at their bits and within seven days of Live Date, they’re off. Racing vernacular I am aware, but as it has been Derby week and we are about to go into Royal Ascot, so I figured it was appropriate.
Already, we have seen two major events. First came TSB, who seem to be able to make a drama out of a crisis and then turn it into another crisis. We have all read about TSB’s woes with its core banking system change and how most of its customers were left unable to pay bills, access accounts etc. You would think this was bad enough, but the bank that likes to say “Err, Um, I am sure you will get access soon” has decided to send private details of its customers to all its other customers, often referencing account details.
The story goes that TSB, in its haste to communicate with its customers, managed to copy everyone to everyone. John Mann, part of a UK parliament committee investigating the first debacle, has stated: "They've breached the law (GDPR) and there'll be consequences from it. This information could be used by fraudsters and it will undoubtedly cause people distress.
"The fact this is happening six weeks on from their initial problem is very concerning. How long is it going to take for them to fix this?"
There is no-one that does indignation better than the politicos; expect fines to be punitive.
Next comes the news that NOYB have decided to file massive class action lawsuits against Google and Facebook. NOYB - or “None of Your Business” - is a non-profit privacy activism organisation, headed up by Max Schrems, an Austrian lawyer. The complaint stems from the lack of transparency in these consent forms/privacy statements. By the end of GDPR live day - Friday, 25 May - NOYB had sued global platforms with multibillion-euro complaints. Three complaints against Facebook and two subsidiaries, said to be valued at €3.9 billion, were filed in the early hours of the morning after GDPR went live, via data regulators in Austria, Belgium and Germany. Another complaint valued at €3.7 billion was lodged with France’s CNIL in the case of Google’s Android operating system.
GDPR is the classic example of the law of “unintended” consequences. Let’s assume that the EU Commission set out to define a law that would protect private citizens’ data. Would it have gone about it in this way? You could sum up what was needed in two sentences:
1. Make it illegal to share private personal data to anyone else without express consent;
2. Protect private data by keeping it in a separate system encrypted and allow reference to this data only when necessary.
This would afford us all the ability to see that we need to take things seriously, that we need to treat private personal data differently, and we would know what we have to do about it, so why was it necessary to have 88 pages and 89 articles stuffed full of obscure rules that most of them don’t even understand?
In the UK we also have the Data Protection Bill 2018 (which does a good job of telling anyone in law enforcement and public bodies what they need to do), but it almost completely avoids talking about commercial business because that wasn’t part of anything the UK could change through derogations.
The worst thing about this is that, judging by the cooing from the media, GDPR or something similar will end up being the standard for the world (bar the US). Governments around the world apparently cannot wait to tell corporate giants how to do their business and fine them when they don’t do as they are told, which begs the question as to whether this is about private personal data or just another big stick for Big Government to throw at Big Business. If the latter is the case, why not regulate big business behaviour instead? Why all this fuss and obfuscation? In my opinion, the answer is that they can’t be seen to be against big business, because these are the people they support and who support them. So, it is done via the back door. If it is not the case that this is about controlling big data providers, most of which are US-based companies, then someone needs to make a better argument than the ones I have found.
What Comes Next?
In essence, chaos and confusion. The data privacy experts with political or social objections to profit makers are already licking their lips at the thought of tying up enterprise with lawsuits that would two weeks ago have been seen as utterly frivolous. Lawyers will begin filing Subject Access Requests on everything and anything, hoping to catch someone off guard; the public will sit back and watch with bemusement, until such time as the lawyers start using legitimate interest rules by contacting them directly to ask whether they have received email that they didn’t ask for.
Many good things could come out of this regulation. This is not a snipe at what it is trying to achieve but more the method. At the Infosec conference the main topic of conversation was data privacy and what to do about it. It is a good thing that this is now on the radar for everyone. What is not so good is that the solutions and options that were being recommended were so varied and very often contradictory. The Data Privacy lawyers, the IT consultancies and the business advisories like Eyestorm could not agree on what the issue was, what the solution was and what the next stage should be. They all look at GDPR from a different direction and are reaching different conclusions. If the law was clear we would all meet in the middle.
Hedge Funds: The Next Target?
Probably not, but not far behind. The fact is that the world, whether we like it or not, has painted our industry with a negative view. Banks are already the “Devil Incarnate” and they are going to need to be braced for punitive fines and bad media coverage. TSB seems to have decided it wants to be first. The problems of deep pockets syndrome and unpopular coverage amongst the general public aren’t going away any time soon. For these reasons alone, the hedge fund industry needs to be very careful.
Be aware that the targeting of any business that the public considers unpopular (or more appropriately the media can paint as such) is where the ICO will start. They will want people to take them seriously and that means targeting all businesses that have seemed to be above the law in the minds of the uninformed. Then add in the potential for lawsuits on top of penal administrative fines and all of a sudden taking the rules seriously doesn’t seem a stretch. The “social justice” advocates will be using this legislation to target anyone they think unworthy, and anyone in our business definitely fits that category for them.
Our advice is simple. Don’t be the one to get caught and do not treat this exercise as something that your business can pay lip-service to. The people on the other side that you are mitigating risk against are not the people you have been led to believe they are. They are not poor Mr. and Mrs. Smith whose data has been lost and has ended up in the hands of a trickster. They are organised, well-funded entities that see GDPR and Data Privacy legislation as a way of either capitalising from our confusion or making sure that we don’t have a business going forward. They are highly motivated, extremely knowledgeable and they will be coming for us. Sooner, rather than later.