Tuesday, May 22, 2018

10 reasons why GDPR is a Kafkaesque mess….

I use the word ‘Kafkaesque’ deliberately, as in Kafka’s novel The Castle, the unknown authorities engage K in a never-ending, futile, bureaucratic process where he never really knows why he is being asked to do anything or by whom. So it is with GDPR. Organisations are sending out zillions of emails, just because they think someone told them to. Millions are receiving these emails, many unnecessary. Some may even be illegal breaking the very rules they are meant to be enforcing. Ironically GDPR phishing scams are already hitting our mailboxes, which spread malware or steal personal dataEmails containing other people's email addresses are being sent out. Some US newspapers have closed down access from EU. Tsunamis of emails are being sent out (and largely ignored), ironically to prevent emails being sent out.
GDPR is an EU regulation ((EU) 2016/679) and one of the worst regulations The EU Castle has ever come up with. In a typical top-down, centralised fashion, shaped by lobbyists and not common-sense, the EU has managed to turn what should have been a practical, workable idea into a bureaucratic nightmare. It must be the first law where the majority of organisations will be in breach of that law on the day it is implemented - on Friday!
1. Ambitious
The New York Times interviewed a range of data experts and found that even these experts found the regulations incomprehensible. It’s a massive tangle of badly worded regulation, completely over-engineered. The consequences for organisations of all sizes are horrific. More compulsory processes, more mandatory documentation, in some cases Data Protection Officers (DPO) and, of course, a slew of useless courses. It is the blind leading the blind.
2. Ambiguous
Worse still many experts warned that it was flawed. Its ambiguities are already being exposed. The badly written Eurospeak regulations are typically vague, written by people who have given little thought to its implementation; "undue delay", “likelihood of (high) risk to rights and freedoms" and "disproportionate effort" are just a few examples of the vagueness. This is a boon for lawyers and the vagueness will be played out in an ever-increasing Kafkaesque game played for years through the European Courts. Kafka’s The Trial will be the manual for this particular charade.
4. Myopic
Rather than work back from what is actually needed, based on user needs, actual structures and practical measures, they’ve gone for blanket fixes based on old assumptions. These are laws written by people who don’t really understand what data is, how it is stored and its use in leading edge technology. They see data as being stored like furniture in a storage facility. They ask for clear specifications on use, insensitive to how it is used in machine learning and more contemporary forms of AI, where the outputs may not be clear. We saw this gulf when Zuckerberg was interviewed by US Senators. This time, the gulf is written into bad law.
5. Massive hit for organisations
Organisations have to see this as a ‘project’ using real staff to create milestones for oodles of documentation and process that will not only incur a large initial cost but also on-going costs. Many people, who wouldn’t know a database if it were in their soup will become Data Tsars. Many organisations will not have data management clauses in contracts with subcontractors. Education is just one example, where most institutions are not ready and many are simply ignoring the problem as they don't have the resources to cope. This is a big problem. Expect some wildfires here. This is all real time and real money.
6. Small companies will suffer
The big boys will be fine. They have the resources to handle this hammer blow but small businesses will not. It will break many on the back of increased costs and fear of illegality. In a laughable exception the EU decided to exempt small businesses from having to hire a Data Protection Officer – really!
7. Hits on revenue
One unexpected consequence is the hit on revenues for charities who may not get reconsent replies. This may apply to all sorts of businesses, an unforeseen consequence of an ill-defined regulation. The effects on revenues have, I suspect been underestimated.
8. Users flooded
On the client side, users are receiving a ton of emails, most of which are being ignored, not because people are indifferent, but because they don’t have the time or inclination to respond. Rather than focussing on reconsent, the legislation would have been better formed if it simply informed existing users. Many organisations are being panicked into demanding actual consent when it is not necessary.
9. Fines
Fines of up to EUR 20,000,000 or 4% of the total worldwide turnover are payable (whichever is bigger), yet it is not clear how lenient or harsh they will be. Organisations are petrified and don’t really know how to quantify the risks. I can understand using this level of threat with the big boys, who will have the best of lawyers but what about the little companies who will read this stuff and have to live with the risks. The truth is, they really don’t actually know what it means and how to eliminate the risks. We’ve already had prosecutions bought against companies, by oddballs like Max Schrems. This could be a legislative nightmare with thousands of cases being brought to the courts.
10. Unforeseen consequences
It all comes into force on 25 May 2018. Of course, many are unprepared, many lack the resources to do what is demanded of them and some will suffer – badly. The suffering will be extra costs, lost revenues, lost opportunities and possibly going under. It should never have been like this. I can also see small-scale data theft as a tactic to put competitors out of business, as the reporting rules are draconian. I can see companies lose revenues through consent failure by lazy users. I can see a lot of problems here.

Everyone agrees that we need some consumer protection. You need a visible opt-in box, if I unsubscribe I want to know that you’ve done it. I don’t want you misusing my data. But that’s not what this ended up being. It’s ended up as a mess. Rather than KISS (Keep It Simple Stupid) they’ve gone for KICK (Keep it Complicated and Kafkaesque). Kafka died before he could finish The Castle – and many will certainly lose the will to live or be beaten into submission as this stupid piece of regulation exhausts us with it’s bureaucratic blunt-force.


Anonymous said...

We've been reading different laws then, I guess.

Donald Clark said...


Robert Cosgrave said...

I am working in a GDPR compliance project for a large organisation. What we are trying to achieve has very clear objectives vis a vis the law. There is nothing vague, and it is a logical progression from existing law in force. There is a big positive side effect in terms of tidying up how we handle and secure personal information. Tidying that up is useful and takes a lot of risk of data breach or misuse away. I have also run a small business and the effect on us there would have been negligable. Like most businesses we had one system containing customer information and that was that. I know your schtick is curmudgeonly lists of why whatever is in fashion is awful, but in this case, the shot is wide.

Donald Clark said...

Glad to see you're one of the many vultures making money from GDPR. I run a business, am a Director in several others. Unlike you, I'm on the receiving end. As you offer no real arguments other than a cheap, personal shot, get back in your tick-box..