Debunking the GDPR in 10 blog posts

I love data, always have, always will. From my first math lessons to statistics and econometrics at university up to fancy bubbles supported by a good story!

My 20-year-long data career can be summed up in three The Economist covers:

Economist covers,
  1. going through the excitement and hope for a more “just” way of life (pre-Internet boom & bust),
  2. accepting the disappointment of corporate incentives (+ start-up and M&A flawed rationales) &
  3. moving on to fear for opaque and unchallengeable decisions about people’s lives (questioning data quality and hedging for risk on the personal side).

5 years ago, I turned to the privacy pros to better understand what was cooking with this piece of legislation called GDPR. My professional network (of friends) continued to explore and measure rapidly evolving data journeys, questioning my new path. I marveled at lawyers being able to cite legislation by heart and learned that shades of grey abound when trying to bridge data practices with the letter of the law!

Reading and using the definitive GDPR text since last year, I keep discovering new aspects, supported by a fascinating Twitter network (grateful while we agree to disagree). I’ve increasingly worked on helping companies bridge the gaps with their existing data set-ups. Over the last 2 years, I’ve developed a 5+5 Pillar framework to support GDPR alignment and attribute cross-functional accountability. Today I watch the various actors fret around ePrivacy while wondering about new business development opportunities brought about by these new laws.

In the meantime, ad tech actors in the EU are taking stances while the same cannot be said on the other side of the pond. I was asked to write for some of them, among which AT Internet and Piwik. For Piwik Pro we decided to go through the GDPR, commenting on the different aspects as highlighted by the infographic at the top of this article.

Below is the list of articles written, where they can be found and which articles within the GDPR are covered. Note that I tried to keep it simple — ad tech KISS style like.

  1. Why the GDPR Applies Even If Your Company Is Not Based in the EU — art. 3, Territorial Scope
  2. Does “We Don’t Collect PII” Still Work? — art. 6, 8, 35, Lawfulness of Processing
  3. Sensitive Data and Teaching Kids How to Lie on the Internet — art. 8, 9
  4. How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy? — art. 4, 5, 6, 7, 8
  5. 5 GDPR Rights With Serious Technical Consequences — art. 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, Chapter III Rights of the Data Subject
  6. 3 Security Procedures GDPR Requires Companies to Set Up — art. 32, 33, 34, 35, 36, Section 2 Security of Processing + Section 3 Data Protection Impact Assessment (DPIA) and Prior Consultation
  7. The Story Behind Safe Harbor and Privacy Shield — art. 45, 46, 49
  8. To Appoint a DPO — Data Protection Officer — or Not? — art. 37, 38, 39, Section 4 Data Protection Officer
  9. Everything About the GDPR: Questions and Answers with Aurélie Pols (Part 1)
  10. Everything About the GDPR: Questions and Answers with Aurélie Pols (Part 2)

There is no specific call to action here as I’m almost afraid to write “feel free to comment”: comments when it comes to privacy remain challenging as I’m often reminded.

Yet if you are in the data “business” and are still wondering about what the GDPR might mean for you, I invite you to read the blog posts listed here. They will give you a good idea of what to tackle while we wait for the dust to settle (and parties to agree?) on ePrivacy.

Madrid, September 2017