The Evolution of Data Protection: 3 simple Rules for Long term Success — and why GDPR is bad for you

Egil Bergenlind
5 min read · Sep 18, 2018

My son is 4 years old. I’m teaching him not to call his friends bad names, not to blame his little brother when toys break and to apologise if he hurts someone.

I encourage him to share his thoughts and ideas, but I also teach him that it’s ok to not share everything with everyone. I teach him that some important things we keep as secrets, and if we are entrusted a secret, it’s important to honour that confidence.

My son asks ‘why?’ a million times a day. And I don’t have a rule book to refer to for simple, yet fundamental questions like:

  • Why do I have to be honest? or,
  • Why should I keep a secret?

In the end, the only answer I can give is ‘because it’s the right thing to do’.

And he gets that.

If we apply this logic to data protection (and grown-up terms), this can be seen as the basics of data ethics.

The beautiful part is that they are easy to understand, and applying them can ensure long-term success for your business.

You don’t need rules to do the right thing. You need to use the common sense that you already have.

Before we move on to what I believe are the 3 most important rules for a long term successful data protection strategy, let’s take a look at the evolution of data protection.

My point is this:

GDPR and other regulations are not the problem, and they’re not the solution. They are needed to address challenges in our society, but there are other and better ways to address the root cause of the problem.

The real problem is the gap in understanding between businesses and data subjects, and of course — irresponsible data processing.

This gap causes concerns. It causes damaged relationships, bad reputation, lost business, and sometimes intrusions of integrity. It’s a lose-lose.

Regulations are trying to address the gap and manage the consequences. But you can do even better.

You can bridge the gap — by doing the right thing.

In doing so, you will have a far better chance of being prepared for future regulations, and you will for sure have better relationships with the world around you.

So how do I bridge the gap?

Simple: learn 3 simple rules.

#1 Don’t be Evil

Ok, I stole this one (thank you Google), but it’s spot on. Don’t use personal data to harass, discriminate or trick people. Be honest. Don’t lie to people. It’s not right.

Even kids can tell right from wrong. And you’re probably a grownup if you’re reading this.

#2 Don’t be Negligent

Being deliberately evil is really bad. Being negligent is pretty much equally bad, because it can have the same effects for the people who deserve not to be harassed, discriminated against or tricked. Take responsibility, and don’t blame others.

#3 Be Transparent

If you can’t or don’t want to explain how you’re using personal data, you have a serious problem. If you’re responsible in your processing, you shouldn’t have a problem telling the people affected about it.

I suggest using the following transparency test: Are you comfortable explaining to the data subject exactly how and why their data is used?

If the answer is yes, great! Keep walking the walk and communicating so they truly understand it.

If the answer is no, dig deeper.

  • Too hard to explain? Try harder!
  • Not allowed because of the law? (Ok, you’re excused.)
  • Not sure they would be comfortable with what you’re doing? Then don’t do it — you’re probably breaking rule 1 or 2.
  • You don’t think it’s their business to know? Think again, or you’re probably breaking rule 1 or 2. Or you just haven’t understood what data ethics is all about.

Why GDPR is bad for you

If we don’t understand these principles, GDPR might not make sense, and becomes no more than an expensive problem.

You might have seen the risk of big fines, and decided to take action because of that. Or worse, you calculated the risk of fines and concluded that ‘we will wait and see’.

Diving into GDPR without understanding the basics makes implementation much more painful than it has to be.

“You want us to delete the data we paid millions for? And you want us to send our data to a competitor just because a customer asked us to?”

These are difficult questions to deal with if the only answer we have is ‘because it says so’.

GDPR is good because it helps you get the details right. But you shouldn’t start there. You are better off, and will ensure a better long-term strategy, by starting with the basics of data ethics.

So what will applying these rules mean in practice?

For example, to make sure you’re not evil or negligent, you need to be in control of what you’re doing and think carefully about what you want to do next. And to be transparent you need to tell people what you do. If it’s complicated or sensitive you really need to make sure they understand it.

See where this is going? Yep, you’re now well on your way to complying with GDPR.

Your strategy should start — and end — with data ethics. Not with the law.

Why start? Because it’s the basics, the most important stuff, and it will make other details of the law make sense. It can bring less friction into the organisation when implementing changes.

Why end? Because the law is changing. Not because the legislator enjoys writing new laws, but because society changes, and you as a business will want to continue processing data.

So, stay on top of your customers’ and employees’ expectations. Be transparent. Be responsible. Don’t be evil. Do the right thing.
