GDPR: painting a target?
The recent National Data Protection Conference in Croke Park showed there is still much to be done on the topic, as a strong attendance and keen questioning of the broad range of expertise present demonstrated continued levels of interest.
However, as I sat listening to the assembled experts, many of whom I had seen previously with such luminaries as Anne Marie Bohan of Mathesons, Aoife Sexton of Frontier Privacy and Sheila Fitzpatrick of Fitzpatrick and Associates, I was struck by a somewhat contrarian view on what was being presented.
To put this into context, we stand now, some 110 days from the compliance deadline of 25 May 2018. For most organisations, the journey of compliance should not only have been well begun, but to follow the old axiom, be half done. So, to hear questions being asked from the floor that covered how to classify certain types of unstructured data was, to say the least, not reassuring.
However, the focus of the event was as much on the period after the 25th as on the run-up to it, and so several of the presenters, including John Keyes, assistant data commissioner, were emphasising that compliance with the regulation would demonstrate good data protection and privacy practice and serve to distinguish organisations from those that could not meet such standards, becoming a competitive advantage.
Despite initially agreeing with this viewpoint, my natural scepticism began to surface and I wondered: will any organisation be brave enough to claim GDPR compliance as a badge of distinction with which to compete for business?
In the past, organisations that have trumpeted their security and inviolability have tended to become the target of unwanted attention, and in some cases, have been hacked.
By making claims of security and protection of its data, will an organisation claiming such under GDPR simply become a point of attention for malcontents, hackers and script kiddies with a point to prove?
While it might be an extreme case, the questionable hook-up site Ashley Madison claimed various standards and levels of security that were clearly inflated, if not outright false, and then backed them up with equally questionable data handling practices. This was a contributory factor in its being hacked.
It has been speculated, by more than this hack, that a form of activism may emerge after the GDPR deadline, in the shape of subject access request storms.
This stems from the Article 12 stipulations around the rights of the data subject, and access requests.
Article 12, part 3 states:
“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”
It is thought that coordinated requests for data access might be used as a form of denial of service, with a storm of requests aimed at paralysing an organisation as it dedicates resources to meeting them “without undue delay”.
However, the ambiguity around “taking into account the complexity and number of the requests” might be interpreted as a mitigation for this, particularly where a nuisance element can be identified.
Taking all of this together, will leading with GDPR compliance, or indeed excellence, attract the attention of hackers on the one hand, or the (perceived) righteous indignation of activists on the other, to take down those who would set themselves up as exemplars?
As with much of the speculation for the post-deadline reality, it is hard to say. But it will certainly be interesting to see if, as is being predicted, organisations will view compliance as a distinguishing mark, conferring advantage — and whether that will trigger the customary response.