Personal Data Armageddon
Did you smile when you read that 86% of companies are ready for the GDPR?
I am a fervent believer in data privacy, and I hope that we are at the dawn of a great new era, one that will make us proud. A spam-less era. An era where you can drop your e-mail address on a website without thinking twice about the consequences.
And Europe said: “Personal data is not for sale and we’ll burn to the ground any company trying to act otherwise. Take this!”.
But I have bad news.
Either I only ever speak with the 14% left over in the made-up statistic above, or the real meaning of the GDPR is that, starting tomorrow, all companies except a very few are now outlaws, risking fines that may very well kill them in one shot.
Headshots are cool in Unreal Tournament. Not in the corporate world.
Businesses will run for cover. That includes SMBs. That includes large corporations which are not software companies. That includes any company that does not have internal data architects, engineers and similar skills, and/or did not choose to invest a significant amount of energy, for years, in respecting privacy.
Did they read the text? Probably not, or not all of them.
Did anyone ever think that the GDPR would threaten the GAFAs? Even in good faith? They could not be more wrong. The French Secretary of State in charge of Digital Affairs was recently threatening Facebook on TV and Twitter over the fact that they’re not ready, but I dare him to find one company in France that is more ready than Facebook, Google or Microsoft. The modern software companies that rose from nothing to hundreds of billions in a few years are the ones with the best scientists and engineers on the planet. And the best lawyers too.
Now, I honestly don’t really care about hundred-billion-dollar companies paying billion-dollar fines. That’d be sad for them, but nothing that threatens their lives. Everybody will keep their jobs (except some board members and the DPO’s team, maybe). Dividends from the indexed companies will be lowered for a while. Paychecks will be frozen. But the corporations will live, and recover.
On the other hand, let’s think a bit about small and medium businesses. Can they hire a full-time DPO and invest in tech and lawyers to build compliant systems? Knowing that it’s something that will bring in 0 business, and is at most eventually necessary for their survival? (Yes, you can have your salesperson brag about the fact (true or false) that your company is compliant, but expect to hear very soon: “It’s now the standard, I very much hope you’re at least GDPR-compliant if you try to sell me anything. Don’t try to make it an argument for your service.”)
So what is a 20M€ fine for a small or medium business? Well, for most of them, it’s instant bankruptcy, and for the others it may take years to recover …
We begin an era of fear and secrecy. An era where the GAFAs will be even stronger than before. And where any business will be killable, at will, by the all-powerful data regulators.
Is that any good? Maybe. But most probably, not really. The bad guys will pray more. The good guys will risk the same. Is it protection? Oppression? Hard to tell. But if a European government does not like you, they now have the tools to silence you.
Maybe it’s already time to start thinking about the second version of the GDPR, one that could realistically be applied, and yet still be feared by all kinds of companies. And one hint on writing something that is actually applicable: please bring on board entrepreneurs, engineers, scientists, craftsmen, doers, data experts … This is not only a topic about the law and citizens’ protection. It’s a topic about modern companies.
The only (partially) good news for all of you who fear the GDPR: 28 organizations are now in charge of controlling 100% of Earth’s internet businesses, and 100% of European businesses. I bet they’ll have a horsepower problem.
Just for fun…
“The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.”
“Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people’s political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.”
Hopefully, none of those parties took part in the writing of the GDPR; otherwise one could have called out a conflict of interest…