I use the word ‘Kafkaesque’ deliberately, as in Kafka’s novel The Castle, the unknown authorities engage K in a never-ending, futile, bureaucratic process where he never really knows why he is being asked to do anything or by whom. So it is with GDPR. Organisations are sending out zillions of emails, just because they think someone told them to. Millions are receiving these emails, many unnecessary. Some may even be illegal breaking the very rules they are meant to be enforcing. Ironically GDPR phishing scams are already hitting our mailboxes, which spread malware or steal personal data. Emails containing other people's email addresses are being sent out. Some US newspapers have closed down access from EU. Tsunamis of emails are being sent out (and largely ignored), ironically to prevent emails being sent out.
GDPR is an EU regulation (
The New York Times interviewed a range of data experts and found that even these experts found the regulations incomprehensible. It’s a massive tangle of badly worded regulation, completely over-engineered.organisations of all sizes are horrific. More compulsory processes, more mandatory documentation, in some cases Data Protection Officers (DPO) and, of course, a slew of useless courses. It is the blind leading the blind.
Worse still many experts warned that it was flawed. Its ambiguities are already being exposed."undue delay", “likelihood of (high) risk to rights and freedoms" and "disproportionate effort" are just a few examples of the vagueness. This is a boon for lawyers and the vagueness will be played out in an ever-increasing Kafkaesque game played for years through the European Courts. Kafka’s The Trial will be the manual for this particular charade.
Rather than work back from what is actually needed, based on user needs, actual structures and practical measures, they’ve gone for blanket fixes based on old assumptions. These are laws written by people who don’t really understand what data is, how it is stored and its use in leading edge technology. They see data as being stored like furniture in a storage facility. They ask for clear specifications on use, insensitive to how it is used in machine learning and more contemporary forms of AI, where the outputs may not be clear. We saw this gulf when Zuckerberg was interviewed by US Senators. This time, the gulf is written into bad law.
5. Massive hit for organisations
Organisations have to see this as a ‘project’ using real staff to create milestones for oodles of documentation and process that will not only incur a large initial cost but also on-going costs. Many people, who wouldn’t know a database if it were in their soup will become Data Tsars. Many organisations will not have data management clauses in contracts with subcontractors. Education is just one example, where most institutions are not ready and many are simply ignoring the problem as they don't have the resources to cope. This is a big problem. Expect some wildfires here. This is all real time and real money.
6. Small companies will suffer
The big boys will be fine. They have the resources to handle this hammer blow but small businesses will not. It will break many on the back of increased costs and fear of illegality. In a laughable exception the EU decided to exempt small businesses from having to hire a Data Protection Officer – really!
7. Hits on revenue
One unexpected consequence is the hit on revenues for charities who may not get reconsent replies. This may apply to all sorts of businesses, an unforeseen consequence of an ill-defined regulation. The effects on revenues have, I suspect been underestimated.
8. Users flooded
On the client side, users are receiving a ton of emails, most of which are being ignored, not because people are indifferent, but because they don’t have the time or inclination to respond. Rather than focussing on reconsent, the legislation would have been better formed if it simply informed existing users. Many organisations are being panicked into demanding actual consent when it is not necessary.
Fines of up to EUR 20,000,000 or 4% of the total worldwide turnover are payable (whichever is bigger), yet it is not clear how lenient or harsh they will be. Organisations are petrified and don’t really know how to quantify the risks. I can understand using this level of threat with the big boys, who will have the best of lawyers but what about the little companies who will read this stuff and have to live with the risks. The truth is, they really don’t actually know what it means and how to eliminate the risks. We’ve already had prosecutions bought against companies, by oddballs like Max Schrems. This could be a legislative nightmare with thousands of cases being brought to the courts.
10. Unforeseen consequences
It all comes into force on 25 May 2018. Of course, many are unprepared, many lack the resources to do what is demanded of them and some will suffer – badly. The suffering will be extra costs, lost revenues, lost opportunities and possibly going under. It should never have been like this. I can also see small-scale data theft as a tactic to put competitors out of business, as the reporting rules are draconian. I can see companies lose revenues through consent failure by lazy users. I can see a lot of problems here.
Everyone agrees that we need some consumer protection. You need a visible opt-in box, if I unsubscribe I want to know that you’ve done it. I don’t want you misusing my data. But that’s not what this ended up being. It’s ended up as a mess. Rather than KISS (Keep It Simple Stupid) they’ve gone for KICK (Keep it Complicated and Kafkaesque). Kafka died before he could finish The Castle – and many will certainly lose the will to live or be beaten into submission as this stupid piece of regulation exhausts us with it’s bureaucratic blunt-force.