May 2021 marks the third anniversary of the official introduction of the EU’s General Data Protection Regulation, now firmly ensconced in the public and corporate consciousness as “GDPR”. There have been many news headlines about enforcement actions and multi-million pound fines since its inception, but it is unclear what its true impact and value have been. By Rupert Brown, CTO at Evidology Systems.

Fortunately, there is a useful website that gives details of all the public judgements made so far, but even a brief scan of its contents suggests that there is little or no consistency in the way GDPR is interpreted and enforced.

Top of the enforcement league is Spain, which at the time of writing had issued 215 fines worth €25m; there is then a large gap to second-placed Italy, which has issued 67 fines to date but with three times the total value at €76m. The UK, however, is a significant outlier, having issued only four fines but totalling €44m. To the casual observer it would seem highly unlikely, though, that UK firms are really behaving any better than their EU counterparts in their handling of consumers’ personal data, especially in the wake of the PPI mis-selling scandals of the past decade.

If we dig a little deeper into this data it can be seen that Spain, Italy and most of the other EU countries have conducted enforcement actions across all parts of the legislation, whereas the UK Information Commissioner’s Office (ICO) has only fined companies it believes have “insufficient technical and organisational measures to ensure information security”, the most notable of these being British Airways and Marriott International, whose fines comprise over nine tenths of the ICO’s levies.

At the heart of this variability is the challenge that the GDPR legal text poses to companies, technology suppliers and regulators; anyone who reads through it will notice that it refers only to data in abstract or “logical” terms – it has been carefully designed to be agnostic to data formats, platforms and transmission standards so as not to be rendered obsolete by the march of technical innovation. This challenge has become particularly pertinent in the past decade as technology platforms have consolidated around a small and arguably decreasing set of major vendors for both on-premises and cloud infrastructure.

Technology vendors are still struggling to design and build products that are truly useful as general-purpose GDPR compliance enablement and reporting capabilities; most of them will claim a degree of sufficient operational compliance with one or two paragraphs of the text. At a conference just prior to the enactment of the legislation, one presenter claimed that more than 40 different types of technology components would be needed to achieve compliance.

The Cambridge Analytica scandal also added to the confusion as to how GDPR was being enforced in the UK and EU, and for their citizens abroad, where it also has jurisdiction. In the hubris following Donald Trump’s election victory in 2016, many people were convinced that much stronger enforcement action could have been taken, but forgot that this would have been retrospective and so only fines of around £100,000, the previous ceiling, could be levied.

Brexit of course has added another layer of complication – the UK’s current Data Protection Act is a direct derivation of GDPR but in future the UK is free to diverge provided it maintains sufficient “equivalence” with the EU where necessary. We can be sure that this nebulous term will be tested multiple times in the future.

So legislators across the world seem to have got themselves into a growing muddle of overly abstract terminology, inconsistent enforcement and, whenever tested in the courts, a series of rulings that have cast doubt on the credibility of national regulators by slashing the initial fines levied. There is clearly a growing need, fuelled in no small part by the pandemic and the need for accurate, portable personal health data, for something better to be done.

Perhaps legislators should consider splitting the current scope of GDPR into three future pillars of legislation, namely:

  • Data Security:  Ensuring companies secure their data rigorously – most of the larger GDPR fines have focussed on this as it has been the most tangible issue of concern and easiest to prove.
  • Data Management: The contractual and operational processes that govern how companies acquire, store and manage their data contents and lifecycle. The notions of Data Controller and Processor are still a source of much confusion.
  • Data Processing: How companies actually extract “meaning” and “value” from the data they manipulate. The EU has already begun to make proposals in this area. The rate of growth of “AI” related products suggests this will be a long and complex journey.

As well as taking a more focussed approach to the intent of the legislation, more thought needs to be given to ensuring it is more consistently enforced. There really should be no wriggle room for any form of appeal about failures of data security – the recent SolarWinds scandal and the hurried patching of Microsoft Exchange servers around the world in its wake show that time is of the essence and that technical debt can be addressed quickly when necessary.

Regulatory competency and funding are also issues that need to be “levelled up”: should regulators be especially rewarded for diligent work which is really part of their day job, and should they have the power to levy a private “tax” on businesses, such as the attempts by the ICO in the UK?

The first three years of GDPR can probably best be described as “well-intentioned confusion”; at times its threat of fines of up to 4% of turnover has served as a useful deterrent against some of the more far-fetched aspirations of the major US Internet platforms to monetise the data that they have harvested. However, for consumers and civil libertarians it has done nothing to dispel suspicions of greater intrusions of privacy, nor has it given businesses any clarity as to best practice. Perhaps it is the fact that it has fostered a number of other pieces of data privacy legislation elsewhere in the world, such as CCPA in the US, and revisions to existing laws, that will be its lasting legacy.