GDPR - Diary of a Data Champion: Chapter 1
Chapter 1 – from the Cold War to Mark Zuckerberg’s appearance before the USA Senate and Congress in April 2018.
In a board role for a non-profit coaching community, I have the lead for legal and regulation, which includes GDPR. As we have fewer than 250 employees, we don’t need a ‘Data Protection Officer’; however, we do need a board member to lead on GDPR, so I’ve taken on the role of ‘Data Champion’. I’ve had to get up to speed quickly and I’m still working through policies and procedures. To start with, I found it helpful to reflect on the changing context of data protection as seen through changes in legislation and attitudes.
During the Cold War (late 1940s-1990), the focus was on keeping official secrets and the mantra was ‘need to know’. The issue wasn’t privacy, it was secrecy.
In the noughties, Freedom of Information changed the mantra to ‘need to share’. The issue changed from secrecy to transparency.
On 25 May 2018, GDPR (General Data Protection Regulations) come into effect in the EU and the mantra changes to ‘privacy by design’. The issue has changed again, this time from transparency to privacy.
The rapid development of ICT (information communications technology) and the use of social media have created near perfect conditions for our personal data to be used and abused by others without us even knowing it. The intention of social media such as Facebook could be described as ‘connecting and sharing by design’. Facebook co-founder Chris Hughes (Mark Zuckerberg’s room-mate at Harvard) has said that Facebook and other tech firms are experiencing “a kind of reckoning.” In an interview published in The Sunday Times on 15 April 2018, he commented that tech firms are having to face up to how “a lot of idealistic goals, a lot of idealistic thinking about how these platforms should work is all well and good, but not without attention to the nefarious ways, the malicious ways, they can be abused.” The potential for conflict with the GDPR mantra of ‘privacy by design’ is obvious.
At the time of writing (April 2018), Facebook announced a data breach affecting 1 million UK users and an astonishing 50 million users worldwide – the figure subsequently rose to 87 million users. This came about due to 270,000 FB users completing a personality profiling assessment, which accessed and stored not only their personal data but that of their FB friends and their FB friends’ friends. This data was then sold to a third party, Cambridge Analytica, who exploited this big data for profit such as advising companies on targeted advertising. Chris Hughes again: “the fact that Facebook users don’t, I think, fundamentally understand how much data they are creating, who has access to it and whether they can leave Facebook with it has been a problem from the beginning. Mark [Zuckerberg] is talking a lot about users’ trust these days. I think it is important to talk about, but trust involves people really understanding what they can rely on Facebook to do and what Facebook is relying on them to do.”
More worryingly, FB embedded staff with the campaign headquarters of some political parties to advise on targeted support during elections – Chris Hughes himself worked on Barack Obama’s presidential campaign, which leveraged social media so effectively. Additionally, there is concern that foreign states have weaponised big data to influence the outcome of democratic elections in the USA and Europe, which has been called ‘information war’.
All these unauthorised uses and abuses of our personal data undermine trust in business and politics and provide a strong justification for enhancing our privacy online through regulations such as GDPR. Mark Zuckerberg’s appearance before the USA Senate and Congress in April 2018 highlights that privacy regulation in the USA is relatively weak. The EU’s GDPR are much more stringent than anything in the USA so Facebook must be concerned that tighter regulation will follow. Chris Hughes welcomes the congressional scrutiny of Facebook but doesn’t believe this is enough. “This has to be a much broader cultural conversation that [tech] company leaders have to participate in with journalists, academics, policy makers and people in government.”
I found this reflection helped me to put GDPR in context so that I could see the bigger picture. I also found myself agreeing with the purpose of GDPR and the need for it, which made it more real and relevant, and not simply another bit of ‘red tape’ to be complied with for no obvious benefit.
In Chapter 2, I’ll talk about how I got to grips with GDPR.