Risk – “flouting the law was too much of a risk”
“Act in such a way as to bring about the possibility of (an unpleasant or unwelcome event)”
GDPR is rushing forward at a fever pitch, with software suppliers shouting catastrophe and business leaders talking of yet further gross intrusions into their business ethics (or lack of them!), while the majority of us drift into something more like a bored tedium on the subject!
As an interested party to GDPR, it seems to me that the majority of senior people still have no idea that GDPR exists, let alone that they need to do anything about it. Too many other distractions currently, I suggest. Those who do know have dropped into the ‘same old same old’ mindset, now jogging to meet their commitments with much puffing and panting, though with little attention to the outcome of their race.
For the majority, the previous DPA legislation inconvenienced business little, and they carried on with a light-touch management attitude towards their customers’ data. Not perfect, but far from abusive. With that past shared experience, the risk from GDPR is perceived as no greater than from current legislation, as in effectively zero.
Is this true? Let us pause for a moment and reflect on the magnitude of our GDPR risk; a mechanistic view might be helpful. We have 28 national authorities, with 200 productive working days a year on average; assuming a staff of 100 in each handling investigations and proceedings, that gives 560,000 days of resource to pursue those breaching the regulations. Our next assumption is that a major infringement consumes 1,000 resource-days, and a minor infringement some 10 resource-days. Overall, the EU could possibly investigate 560 major or 56,000 minor infringements across the whole of Europe each year.
Our next set of assumptions concerns how many businesses trade within the EU. Eurostat gives around 26 million businesses across the 28 nations, with about 75% providing services. I’ve focused on service businesses as being more likely to utilise personal data than trading companies. Being prudent, 19.5m businesses holding core personal data is probably on the high side for GDPR, but it’s still useful for gauging our magnitude of risk.
Plunging perilously into the statistics, we have our polar extremes: 35,000 businesses could be investigated for minor, or 350 for major, infringements each year. The reality will be somewhere in between, as countries will vary in their enforcement commitments. I’ve also assumed Parkinson’s Law will apply, and that pursuing smaller infringements will be preferred as a way to fill the resources available.
Clearly, matters will vary from country to country with bureaucratic efficiency, the motivation of the authorities concerned, political imperatives and other such variables conveniently ignored here. There is no intent to be accurate, simply to gauge the chances of our ‘getting away with it’. All this suggests minor infringements are almost guaranteed to be investigated, with the potential to lead to a major investigation if the regulator finds all is not well. Smaller will drive the larger.
The nature of this is that minor infringements arising from data-subject complaints will open a large can of worms for those businesses that are hiding their lack of compliance or malpractice. Intuition suggests that a national authority will only investigate a major infringement upfront if a serious loss of data occurs publicly (as with Sony, Equifax and similar). Ultimately, only time will tell in this respect, yet it’s a good place to build our thinking upon.
On balance, from these assumptions and guess-timates (even being over the top), it is reasonable to conclude that GDPR risk is real to all businesses given the scale of the national authorities involved. Chances are over three years you won’t get away with it.
Data privacy and security specialists can, I’m sure, point to more accurate profiles for risk and breach, yet such detail brings its own risk: we can lose sight of the objective, reasonable compliance. So let’s consider a qualitative alternative to the quantitative.
Coming from the school of experience that demonstrates risk is either great or small but never zero, and that the risks that hurt badly are those no one foresaw, I’m concerned that such GDPR risks may be lurking out of sight and waiting for the unfortunate.
What are some of the less obvious risk factors?
You can argue that the operational risk is simply the risk of completing a few activities. It’s the emerging case law, national politics and guidance that bring the real uncertainties, and with them risks. Question: we can’t anticipate everything legally, so should we design processes to react fast to circumstance? Is operational flexibility a better insurance policy than constructing a straitjacket that may unwittingly prove false?
What will be the timescales to the first interventions by national authorities? Will they be driven by a need to pluck the low-hanging fruit and prove their capacity, achieving this by targeting known and deserving abusers of data subjects’ rights identified over the last few years?
The National Authorities will inevitably have to be more joined up as non-EU businesses work across countries. This may prove to be more effective, or may bring misunderstanding and gaps if they fail to communicate consistently.
No doubt a few businesses will try to exploit early loopholes in regulations and law, which may bring consequences that spill over to others in their industry.
From a homeland perspective, the Commission and Council of Ministers could bring an added political dimension to GDPR as they flex their international muscles. With regulations this strongly structured, data privacy rights are clearly intended to be upheld. Possibly, this becomes something of a human rights crusade?
Within the EU, public purchasing has been regulated for many years, and remains rather old-school in its approaches. Across the board the EU has attached anti-fraud, tax evasion and similar professional malpractice conditions to public tendering exercises. It is then a reasonable assumption that under the more rigorous GDPR regime, the absence of data privacy malpractice, or an assertion of compliance, will become a pre-qualification condition for public sector projects and purchasing.
We can make a reasonable assumption that fines will be heavier and more frequent after the first few years as the authorities gain confidence, linked to a political drive to make their operations self-funding and avoid a drain on the public purse. In the UK, it appears that the ICO has begun to adopt heavier fines, showing an upward curve in its fines and costs. Consequential costs for business would rise noticeably as a result.
National authorities will make mistakes, as they are also on a learning curve, a fast learning curve. Those mistakes may remain in force for extended periods of time while they are overturned or resolved.
Management attitudes vary greatly across the world, with most countries operating in splendid ignorance, while a few, primarily the United States of America, consider the protection of personal data an expensive inconvenience. Good GDPR practices will only derive from good leadership, leadership that empathises with customers or data subjects. Optimism bias is well understood in risk circles, and executives can believe far too strongly that it won’t affect them. My own belief is that management attitude is the single biggest risk to a business and its customers or data subjects.
National Authorities are already diverging in their approaches; compare France with the UK, for example: simple guidance versus something more prescriptive. This is more significant to non-EU businesses, yet something for all to be aware of when information notices are flying around.
Reflecting back on the risk gauge discussed earlier, the whole thing goes out of the window if national authorities automate their processes to monitor record keeping, DPO activity and auditing. How’s that for a real risk: potentially 100% surveillance of business practices.
Businesses processing data from many customers may have to adopt stricter Data-In-Data-Out regimes, such as manufacturers employ to track goods-in and goods-out. This approach brings control, though it could significantly restrict how businesses receive and send personal data to and from third parties. In extremes, this might curtail API streaming of data from customers, so that incoming data can be monitored for unexpected personal data, data that would otherwise take us unawares.
With GDPR driving emergent behaviours from the various and possibly conflicting parts of multi-national businesses, historically business process and policy tend to become frozen under a compliance regime. This is primarily so that costs can be constrained, further disruption minimised and staff resources allocated to other, now more important, tasks. Does this mean businesses must be more flexible towards compliance, and enjoy less of an ability to audit and move on?
The inevitable Brexit negotiations ultimately put the UK outside of the GDPR inner circle. Does this mean the UK becomes a trusted ally or just another equivalence? The Government is currently driving hard to be a trusted ally, and the EU may see the UK as a valuable partner; every little helps in respect of those Brexit negotiations. Either outcome brings differing problems and hidden risks longer term to UK-located businesses.
Some of the early drafting of the GDPR regs sought lesser conditions on small businesses, by virtue of revenue or employee numbers. Thankfully for the data subject, but less so for the business, those involved in the drafting understood that any exempted business working with subject data within a data supply chain was a serious weak link in protection. Could this squeeze micro businesses out of participating in much larger data supply chains?
Watch those Commissioners in their early days looking for low-hanging fruit, even sending out blanket default notices to all businesses requiring them to prove they will comply by May next. Self-incrimination could be a highly effective weapon for their bureaucracies, as the cost is so low.
As haphazard as this look-see has been, in an ideal world all executives should adopt positive and constructive attitudes towards customer data and their formulation of policy and practice. Bite that bullet and do the best they can! Sadly, the psychology of organisations, especially large organisations, means that most mental efforts will go into avoiding GDPR commitments. It’s almost expected to show you can beat the system!
The real risk, I propose, is that GDPR effectively mandates a fully joined-up ICT governance regime from all. Inevitably that ICT regime links to wider governance and policy, creating a governance chain that, while not explicit in the GDPR texts and guidance, has consequences: policy gaps might create contradictory practices where no one truly understands what is going on.
Perhaps the greatest risk is not to business or governments but to the individual. Or is this stating the somewhat obvious! If we don’t act now, then continuous ongoing losses of personal data, combined with criminal data brokers, bring the tangible risk that the benefits of computing and online systems will be lost. That would mean a return to physical postal and paper systems, the consequence of losing the security that the majority of customer-facing businesses now trade upon.
First published and Copyright 2018
Verb, OED Online
For simplicity I have ignored the rest of the world; risky, but easier to think about!
Excludes Norway and still includes the UK
A proverb coined by the twentieth-century British scholar C. Northcote Parkinson, known as Parkinson’s Law. It points out that people usually take all the time allotted (and frequently more) to accomplish any task. Source: Dictionary.com
Application Programme Interfaces, like RESTful and others, where systems, cloud or otherwise, continuously pass data between them ‘hidden from sight’ and might contain unexpected personal data items.