Alright son, you know what you are don’t you?
A data subject… Or a natural person. That’s ‘GDPR speak’ for you and I. We’re all data subjects and natural persons now. That’s us.
GDPR is the new EU data protection regulation which takes effect EU wide on the 25th of May 2018. GDPR stands for General Data Protection Regulation. And it might not be quite what you think it is.
It’s not easy to write interesting articles on dry old subjects like regulation. All I can do is promise you it’s interesting, so keep reading. Then at the end, if you feel I’ve let you down, you never have to read anything I’ve written… ever again. It’s a free market and all that.
So, what is interesting about GDPR which makes it worth writing about? Here it is, this is it, most of what you’ve read or heard about GDPR is total bullshit.
As is the case with many new pieces of regulation, it spawns a new generation of ‘quack-doctor consultants’ who have no idea what they’re talking about but will happily trouser your shilling in return for explaining how to be compliant. Many of the websites I’ve visited and scrolled through are recycling the same misleading excerpts from the regulation. They are so far off the mark it’s like watching England trying to get a ball in the net at an international penalty shoot-out.
Why have they got it so wrong, you ask? Well, let’s begin with the fact that it’s 88 pages of mind-numbing, brain-tangling inanity. Magna Carta would be about 7 pages, the United States Constitution about 6. Ironically, GDPR calls for the use of plain, easily understandable language when dealing with us natural persons but falls well short of that itself. A case of do as I say, not as I do.
The second common mistake people make is to misunderstand the motivation underpinning the regulation. This is the important bit. The common misconception is that the EU mandarins have provided this regulation out of the goodness of their hearts to free us forever from emails about PPI, new ways to stay harder for longer and that accident you never had.
WRONG. That’s not it.
How do I arrive at that conclusion? It’s simple: read the list of exemptions and derogations in the regulation. You can do this yourself if you have a few spare hours. There isn’t space, and they aren’t sufficiently interesting, to list them all. But let me give you an idea of what we’re looking at.
Firstly, the regulation leaves a great deal to the member states. It is a regulation, so it applies directly, but it contains dozens of ‘opening clauses’ which let each member state pass its own law to restrict, adjust or add to GDPR in specific areas (the UK did exactly this with the Data Protection Act 2018). For instance, if a member state, like the UK perhaps, had legitimate interests in financial services, it could make exemptions or adjustments in line with those interests by introducing its own national legislation alongside GDPR.
Briefly, there are exemptions, derogations or special lawful bases for public health, the security services and national security, scientific research, historical archiving, non-indexed paper records, EU foreign policy, the judiciary, the deceased, child protection, preparation and performance of contracts, humanitarian purposes, IT housekeeping such as data backup or virus scanning, purely personal or household activity, fraud prevention, and the preparation and execution of legal proceedings. Organisations with fewer than 250 employees are let off some of the record-keeping paperwork. Churches, clubs, societies and political parties may process sensitive data about their own members, and public authorities may act in the public interest without asking anyone’s consent. That’s a brief list. Phew! A caveat a practitioner should keep in mind: most of these are partial. They exempt a particular activity from particular obligations, or supply a lawful basis for it, rather than lifting the regulation altogether.
As you can see, if you’re not asleep already, pretty much all day-to-day areas of life are covered by one carve-out or another. Even direct marketing, which the regulation explicitly names as a legitimate interest. Provided they’ve acquired the data in the correct way, marketers can still molest the hell out of your inbox.
So let’s turn our attention to what hasn’t been mentioned. Can you think of anything missed off the list?
If you guessed ‘social media’ then give yourself a pat on the back! There are various ways the big social media outfits can mitigate the effects of GDPR on their operating model, and I believe the regulation was constructed with that in mind. But what will definitely not be allowed is the transfer of your information to a third party without a lawful basis (consent being the obvious one). For example, Cambridge Analytica, or other data processors of their ilk. This is one of the few areas where GDPR does not have exemptions. There are stiff penalties as well: 20 million euros or 4% of worldwide annual turnover, whichever is the greater.
As an interesting side note, just to prove this regulation was written recently by trendy liberals, a data-collecting exercise may omit gathering information on the gender of a data subject. However, a data controller who omitted it is prohibited from citing lack of information if accused of gender discrimination. Furthermore, if a data subject supplies gender data, the data controller has no right to refuse to record it.
So upon closer inspection, you can see GDPR is mostly hot air. It’s designed to affect large non-governmental organisations that hold a lot of personal data. You do the math (as they say) and think about which organisations fit into that bracket. The EU is practising the art of controlled opposition, same as communist Russia. Such is the strength and power held within social media systems that they have the potential to undermine European government, something the EU is clearly very worried about.
Before I finish, a word of caution: this is only my interpretation, and this article isn’t meant as a replacement for legal advice. If you think GDPR may affect your organisation, pointing the regulators to this article isn’t going to get you off the hook. Ask a professional. Just bear in mind, the take-away message is that if you’re not Mark Zuckerberg it probably doesn’t apply to you.