How many updated policies for use of personal data did you sign off the last couple days? As I had observed the EU procrastinating on their compliance for General Data Protection Regulations, (GDPR) until December of 2016, (it went into effect in April, 2014 with a deadline in the EU of December, 2016) I wasn’t surprised that we’re seeing a flurry of requests to sign off on data usage this week. The deadline is tomorrow, May 25th for non-EU and as expected, here we are.
I’ve been talking about GDPR for over two years now and I’m far from the only one. I’m still surprised how few were focused on it other than a known buzzword. A buzzword it has become and I think as other buzzwords like “machine learning” and “AI”, it can begin to just be white noise in the background, like a slight humming in the background of our daily technical demands. News has been notifying us about the looming deadline since it went into effect, yet so few were actually pro-active about it. Even with all the recent policy updates, no matter website, company or application, a policy shouldn’t be confused with compliance.
GDPR compliance requires you to not only notify the users that you have their data and what you’ll be using it for. You also have to possess an ongoing way of auditing usage, locating the data, updating the data and if requested by the user, REMOVE the data from your system. Yes, there are caveats surrounding historical and ongoing compliance for those dealing with credit, banking and government data. It’s not like you can send an email to the credit card company you didn’t pay off and demand they remove you from their system to escape responsibility. The company simply has to justify how and why they use your personal information. You can reject their desire to sell your data to another company for marketing purposes and such, but the data about your credit history or similar data will remain.
As I’ve discussed in previous posts, GDPR effects just about every business and type of business on the planet. You can claim you don’t have any European customers, but if you have a retail website, you have to be GDPR compliant as a user in the EU can access it. If you have a website that tracks data about users that view it, log into it or data such as IP addresses and cookies, you are subject to GDPR. If you have any data in your system that is of an EU citizen and keep in mind, I said CITIZEN, no EU address or EU IP address, you are expected to be compliant. Unless you’re collecting passport data that lists where the customer is a citizen of, you won’t know until someone complains and its too late.
I have a promise from Brent Ozar that a year from now, we’ll revisit the idea that companies and entrepreneurs will see opportunities with GDPR in place. We both agree that the EU will most likely make a few, large companies into examples, charging them the 4% annual revenue fine for GDPR non-compliance, but I fore see this growing into a real business sector. I expect third parties to take advantage of the opportunity to be partners to the EU government, working hand-in-hand to identify, investigate, audit and fine companies for non-compliance, taking a percentage of the fine off the top as revenue after serving as the resources the government won’t have to pursue individual businesses. This will require a more American capitalism-like venture, but in the latest issue of Time just named France’s Emmanuel Macron as the leader of the world’s free market, so sit back and watch as EU companies spring up and American companies follow suit. I do see a change coming with the EU being more aggressive in the way they do business.
In the meantime, I actually created a filter to send all but those that match a list of applications and sites I use regularly to spam. Yep, if I didn’t even know I had an account with you, then most likely I don’t want you to have access to my data. To do this, I created a global rule on emails with filtered search terms and then built a second one that looks for keywords from a list and pushes them back from spam to inbox.
Automation is the only way I’m going to survive this life and if I miss something, well, I guess I’ll sign off on the data usage policy like a newbie when it happens and enjoy reaping the benefits already in place for EU citizens. I think we’re all sick of hearing GDPR, but no matter what, it’s here to stay.