May 29, 2019

GDPR: An existential threat to data-collecting businesses?

Duncan Brown

GDPR exists to protect personal data from misuse or loss, and it updates the data protection laws that preceded it (in the EU, the 1995 Data Protection Directive). Broadly, the regulation brings about positive change: the feeling was that the existing rules were very poorly adhered to and the consequences of ignoring them were paltry.

GDPR is based upon the fundamental European human right to privacy and data protection, and gives regulators teeth (fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher) to punish those who dismissed data protection as an irrelevance, or considered the fines too small to warrant a change in their approach to managing data.

Over the last ten years we have seen an enormous rise in enterprises whose very business model is based on the management, sale, or deep understanding of personal data. It is the egregious use of personal data that GDPR is designed to eradicate, and such firms face an existential threat from it.

For example, at its most basic, a search engine doesn’t need to capture personal data. If, however, you want to tailor results based on a user’s previous queries and history, that’s a different matter. And if you base your business model on knowing your customers and delivering tailored adverts, then you have to track personal information and you have to pass that information, in some form, on to your advertiser customers.

Social media also uses personal data to drive business and, operating within the law and the terms and conditions of the service, has sold on data or behavioural patterns to advertisers and other targeting groups. With GDPR now in place, all those enterprises managing and selling on data must closely examine their business models to ensure they are fully compliant. Importantly, GDPR does not prohibit this activity, but it does require a lawful basis for the processing, and it places obligations on the provider to be transparent about the process and to protect the data under its control. But I’m not sure that these companies fully understand the existential threat they face.

It’s not quite fair to say that this data management model (which some call the surveillance capitalism model) crept up on people by stealth, but the Facebook/Cambridge Analytica affair certainly did a lot to draw mainstream attention to it. Questions have been raised at a governmental level about the moral and ethical approach we should take towards the management and monetisation of people’s personal data.

It’s clear now that Facebook understands that privacy is an issue, but they face a tough challenge in modifying their business model sufficiently to allay the fears of those who worry about privacy. We will see more moves by both Facebook and governments over the next year or so – the story is not over.

Given that there are now so many businesses based on the use of personal data, it is extremely likely that there will be cases of data being used in ways that contravene GDPR. One of the actions a regulator can take in the event of a data breach or misuse is to impose a temporary or definitive ban on personal data processing. For social media, data aggregation or online search firms, this could mean a complete inability to do business. If you can’t process personal data, you can’t take orders, make sales, or pay people. Effectively, an action of this kind means a suspension of business.

Going further than GDPR, I am also seeing a gradual (and in some cases reluctant) shift by businesses and governments outside the EU to treat personal data with more respect and thus more regulation. The US regulatory framework is shifting very slowly towards the European model, and almost certainly towards having a federal regulation. In the US there is more to lose from an economic point of view – as many of the firms most affected are based there – so any regulation is likely to be less stringent than GDPR. GDPR’s underpinning by the European human right to privacy is also missing in the US, so the foundations of any data protection law will be different.

The reluctance from businesses comes from those who have built entire multi-million-dollar business models on personal data, and from any business that rails against regulation. Reluctance is also shared by governments that don’t want to damage this multi-million-dollar industry. However, citizens, consumers and activist groups are concerned at the apparent imbalance between big business and individuals’ privacy rights.

As the furor over privacy in social media and big tech continues, I see tentative but persistent steps towards further legislation designed to protect individual privacy. We are not done yet. But there is a clear trajectory towards a more moral and regulated use of personal data.

Duncan Brown

Duncan Brown is Forcepoint’s Chief Security Strategist in EMEA, and leads the firm’s C-level engagement in the region. He advises customers on business strategy, and how this can be enabled and accelerated through the appropriate application of technology. He acts as adviser and coach to CISOs,...