GDPR: Four letters that put fear into firms' hearts in 2018

If dictionaries awarded an acronym of the year as well as a word, we'd put our money on it being GDPR.

At the start of 2018, these four letters generally only signalled you were about to get a very smelly sales pitch, an annoying email or a "computer sez no" style excuse.

But as the year progressed, a data harvesting scandal brewed and breach after breach hit the headlines, the EU's General Data Protection Regulation came into its own.

Not only did it offer a useful peg on which European lawmakers could hang their sweeping statements about taking the fight to big tech, it was also embraced by some of their peers on the other side of the Atlantic.

"The California Consumer Privacy Act is perhaps the most important result of the GDPR, which despite its weaknesses has brought the omnibus notion of personal data from both the EU and many other countries onto the US statute books," said Michael Veale, an academic at University College London.

Of course it isn't simply that policymakers in the US saw GDPR and decided that data on its own shores could do with some stronger protections.

Rather, these discussions have been spurred on by real-life examples of the effect big tech can have on society. Not to mention growing public pressure to take action against the digital giants they are slowly realising aren't run by geeks in jeans, but rather ruthless businesspeople.

This is probably best exemplified by a statement Mark Zuckerberg made in the internal emails released by British MPs in December about the best way for the network's users to share stuff on Facebook. The idea was floated to have a software maker build a special purpose app that Facebook would then plug into. He said of the idea "that may be good for the world but it's not good for us... unless people also share back to Facebook and that content increases the value of our network."

At the same time, it has slowly dawned on people just how much information companies – from the corporate data-slurpers to the retailers they use every day – have on them, and how it is used to make money. The already tired adage "if you're not paying, you're the product" has been so over-used this year it must be fit for retirement.

"The profile of data protection has never been as high as it is now… more people are thinking about data protection and privacy than ever before," said consultant Tim Turner.

This doesn't translate into a deep understanding – few people could claim detailed knowledge of the adtech or data brokering industries – or even good practice, but it is a foundation.

"People who care about data protection and privacy have something to build on and we should all chase that opportunity," said Turner.

In the business world, companies are facing up to the realities of this greater public awareness, or "techlash" (which made it on to the Oxford Dictionaries' shortlist for word of the year), and some have coped better than others.

Heather Burns, an internet law expert who helps firms work towards compliance, said that GDPR has drawn a stark line in the sand between certain kinds of businesses.

"It's made it clear which companies have awakened to privacy-by-design as a powerful tool for user empowerment, and are using GDPR as a launchpad for innovation – and which were only ever interested in using GDPR as a marketing angle for PR campaigns that ended on 26 May," she said. "I know which companies will still be around five years from now."

By the power of GDPR – I command you!

Zooming in on the legislation itself, GDPR provides a handful of rights to the individual, some of which already existed, and grants new powers to the regulators.

Before GDPR came into force, doomsayers claimed there would be a deluge of Subject Access Requests (SARs) – which are now free under the new regulation – that could cripple companies and encourage "ambulance chasers".

Although some cases have come about – Facebook is being investigated by the Irish Data Protection Commissioner for refusing to hand over data on users' web activity – in reality, the focus has been on data breaches.

Much of this is because of the blockbuster fines that can be levied on organisations that break the rules, rising from £500,000 to up to £17m (€20m), or 4 per cent of annual turnover.

The figure makes great headlines, but so far, only three nations have made public fines under the new regime: Germany (€20,000 to a chat app), Austria (€4,800 for unlawful use of CCTV) and Portugal (€400,000 to a hospital for allowing staff to gain unlawful access to data).

The UK's first enforcement notice under the GDPR, meanwhile, was a something of a damp squib. It aimed to get Canadian data-slurpers AIQ to wipe UK data from its systems, but the wording had to be revised after the biz appealed, pointing out that it was under investigation by the Canadian data protection agency and probably shouldn't delete anything until that was over.

"I'm staggered that such a landmark as the first GDPR enforcement notice was so half-baked," said Turner.

But regulators had made it clear from the outset that they wanted to use the carrot before the stick, so no one really expected to see €20m fines handed out within the first nine months.

And of course many of the fines issued this year – and some of the most high-profile investigations, like Facebook and Equifax – relate to incidents that happened before 25 May 2018.

However, Veale said this focus on data breaches, rather than the other strengthened rights and obligations under GDPR, has "largely limited the transformative effect so far to dodgy, dusty data controllers such as airlines or hotels who have long been haemorrhaging data".

The big platforms tend to be a bit more secure against data breaches – but Veale said he hopes that 2019 will see a shift towards the parts of GDPR that affect them, such as the right to access, objection and fair and lawful processing.

Turner agreed that these subject rights "haven't remotely been explored" yet.

"We had all the hype about the SARmaggedon, but we don't know how portability works, we've got no interesting right to be forgotten cases yet, and the extent to which people can use GDPR to explore how automatic decisions about them are made is untested," he said.

"It's like a bomb that didn't go off, and we don't know whether it's still ticking or if it's a dud."

The Anti-Social Network

One company, and its rapid descent from hero to zero, has dominated headlines about data protection and privacy this year.

Facebook's demise may have been precipitated by revelations about data harvesting, but mealy-mouthed micro-apologies and Zuckerberg's refusal to give anyone a straight answer meant it was unable to pull itself back from the edge.

Things got worse as numerous bugs, breaches and data deals kept rolling in throughout the year, resulting in government investigations and boycotts by civil rights groups.

Meanwhile, Facebook's efforts to keep painting itself as a company with a simple mission to connect people now look increasingly desperate and hypocritical, as it admitted its role in the Myanmar genocide and details of the inner workings of the Social Network came out.

The firm was accused of hypocrisy as it leant on the message that it hadn't and wouldn't sell user data, while evidence trickled out about how it planned to use data to win deals and bring devs to the platform.

For many, though, Facebook's apparent lack of a moral compass was the final nail in the coffin, amid allegations it had hired a PR that used antisemitic narratives to silence critics like George Soros.

Facebook's proclaimed social mission, Zuck's self-styled innocent-geek-accidental-CEO image and the platform's immense popularity might have secured its place as 2018's privacy villain, but it is far from the only company wheeling and dealing data.

Data brokers, credit checking agencies and marketeers have all come under the spotlight this year, and efforts to open people's eyes to the data that is held on them by firms they may never have heard of are well under way.

Tech giants are also braced for impact. Microsoft is in the dog house for "large scale and covert" slurping of private data through its Office apps. And Google was confirmed to still track users' locations, even when they switched off their Android-based handsets.

On top of that is the litany of other data breaches that have been reported throughout the year – from small fry to Marriott's Starwood hotels' breach of half a billion guest details.

Regulators in the spotlight

The knock-on effect of the GDPR, whether that's greater public awareness of data rights or an increase in data breach reports from concerned citizens or companies taking a belt-and-braces approach, is increased pressure on data protection authorities.

There are varied approaches to data protection across that group – something activists use to their advantage when choosing where to lodge an appeal – but UCL academic Veale said the main point to watch would be joint work.

"Different authorities care about different things, but serious change is only likely when issues get passed to the new transnational European Data Protection Board," he said.

"But I'm also expecting to see a few wildcards, particularly as fresh blood enters different regulators seeking to make a difference and take complaints forwards that usually would have fallen by the wayside."

One regulator that is unlikely to be at that table (assuming Brexit goes ahead) is the UK's Information Commissioner's Office, which is already experiencing the greater publicity and scrutiny that comes with being a data watchdog in the GDPR age.

Some have criticised it for a supposed lack of technical know-how, others question whether it is spending enough time enforcing the GDPR.

With just under 700 staff, the ICO isn't a small outfit – the Irish Data Protection Commissioner, home regulator for various tech giants headquartered in the nation, is about a fifth of the size – and it has recently been awarded extra cash, in the form of increased data protection fees, so it can meet its income requirements, set at £30m for 2017-18.

But its resources aren't infinite, and up to 29 October 2018, it had spent about £2.5m on – and diverted 40 or so staff to – the Facebook and Cambridge Analytica probe.

ICO commissioner, Elizabeth Denham, has also come under fire for some unusual PR tactics during the investigation: she announced a raid of Cambridge Analytica's offices before it had a warrant and made the unprecedented move of pre-announcing plans to fine Facebook before the firm made any representations.

"GDPR is the biggest change to data protection in 20 years, but Denham's priority has been events took place three or four years ago," said Turner.

"I think unless we have a commissioner who is interested in the nuts and bolts of GDPR compliance rather than headlines about politics, GDPR's impact will be blunted." ®