GDPR and personal responsibility

Earlier this week I attended a lively GDPR conference organized by a group called Wisdom of Crowds. One of the most common sentiments that I heard from attendees was surprise at the large number of organizations that, with GDPR enforcement only 7 months away, have still done little or nothing to move toward compliance.

While I do not claim to have a comprehensive insight into this insouciance by large data controllers, I have the feeling that part of the reason is that, in many organizations, no individual will be significantly penalized personally in the case of a privacy-related problem. This is clearly the case with public-sector data controllers, given that in most Western countries public employees are protected from dismissal as long as they show up for work. In theory, they can be dismissed, but it usually requires a court case, and in fact very few such employees are dismissed.

Given that the public sector accounts for a large proportion of personal-data processing, the prospect of a bad audit report, a fine, or even a data breach is not likely to frighten a decision-maker. It’s one thing to assess a fine, for example, but who pays it? If the organization is your local government, then presumably you pay the fine through either higher taxes or decreased public services. In other words, you pay the fine for having your own data breached.

Consider the case of Sweden, whose transport authority exposed the personal data of its entire vehicle registry, including police, soldiers, and protected witnesses. What would the Swedish data-protection authority do under GDPR: fine the Swedish transport authority? (As it happened, the transport director, who had ordered the information to be sent to an outsourcing company, was fined 2 weeks’ pay.)

The situation is little different for private companies which cannot be allowed to fail for practical or political reasons, such as banks, utilities, transport, or even companies with thousands of employees. No such organization will be hit with anything approaching a crippling fine; after all, the host government would be forced to intervene.

As a practical matter, such a fine would never be attempted in the first place, and everyone who is in a position to make decisions about the company’s GDPR readiness knows it. An executive has much more to fear, for example, if she misses her revenue targets, or if the promised software application is badly behind schedule or over budget, than if there’s a privacy problem.

This effect was famously noted by John Maynard Keynes in his book The General Theory of Employment, Interest, and Money, where he writes the following about portfolio managers, those who invest money on behalf of other people:

Worldly wisdom teaches that it is better for reputation to fail conventionally than to succeed unconventionally.

In other words, it is better to fail in a crowd than to succeed in a novel way. Better for whom, you might ask; clearly not for the investor whose funds are being managed, but for the portfolio manager, who wants to keep her job. Your incentives depend on your position in the system. This is the essence of the problem; in most situations, we have official concerns (personal privacy, protecting my company) and personal concerns (keeping my job, getting a raise). (The primary exception is the self-employed entrepreneur, whose company’s fate is also the fate of her wealth.)

So it is as well for a large class of data controllers, who will not, often cannot, be penalized for decisions which make privacy problems more likely. Budgets are limited, headcount is limited, current systems were built without privacy constraints in mind. There is a deep well of excuses to draw from, and these excuses will be plausible enough to provide an effective defense.

What about those data controllers who are not explicitly or implicitly protected? Here I would include medium-sized private companies within the EU, and large organizations outside the EU (especially social media, cloud vendors, or data-driven advertisers such as Google) that are likely to be the first targets of fines and court cases. Any significant privacy sanction against a major data controller or processor will be a political decision as well as a regulatory one.

I don’t know where this leaves us, but I hope that the EU has a plan, should next May come and go without much compliance in place.

