It’s been crazy to see the General Data Protection Regulations (something that’s previously been a fairly geeky, fringe subject) hit mainstream news.
Here’s my take:
- The current round of desperation emails is a knee-jerk, bandwagon response from a worried industry that’s suddenly hit a deadline
- If this is their sole gameplan, then their future is going to get very bad indeed
- GDPR is a juggernaut of a thing, and it isn’t just about getting consent to use people’s email addresses (which, by the way, companies should have obtained in the first place, meaning a lot of those desperation emails are actually unnecessary…)
- GDPR also obliges companies to keep people’s data secure. If the likes of TalkTalk, Equifax, LinkedIN, Yahoo, et al can’t manage it, that doesn’t bode well
- If you lose the data or get hacked, the fines can be massive
- But more importantly: if you lose certain kinds of data, you have to inform your customers. Oh shit.
- So you write them a really vague letter, with a few lines about a “data mishandling incident”, and hope they throw it in the bin
- It won’t work, and we know that, because in the US they already have this “mandatory disclosure regime”. And when people get those vague letters, they send them to this guy:
That’s Brian Krebs, a security researcher and journalist who’s played a major part in breaking data breach stories such as TK Maxx, Ashley Madison, etc., partly thanks to tip-offs from those customer letters.
- The Krebs whirlwind is about to hit Europe, and Britain’s data businesses are right in the storm-line
- GDPR also contains a “lift and shift” aspect: the regulations envision that I should be able to take all of my data back from an organisation, and give it to a different outfit
- Do organisations even know where my data is stored? Including all the back-ups? Do they know who they’ve shared it with over the years? How are they going to give it all back to me, and how will they delete their copies?
- And how will this affect businesses like Facebook and Spotify, that have made millions from locking us in, encouraging us to gather our data in one place and making it really hard to pull the data out?
The headlines will die down after today… but GDPR’s consequences will be felt for years to come.