[In-house perspective on GDPR and related coverage from Matt Fawcett, senior vice president and general counsel for global data company NetApp:]
Remember Y2K? As the months ticked down to the end of the millennium, and doomsday clocks appeared on the evening news, we kept reading stories predicting the worst. Be ready for disaster, we were told. An entire industry of Y2K specialists sprang up, with an estimated $500 billion spent worldwide on Y2K readiness. Almost two decades after the hysteria, “Y2K” is little more than a punchline.
Fear blinds us to what matters
When I read the fevered coverage about GDPR, I think about Y2K. Once again, we are being told to brace for a disruptive event with the potential to ripple across industries. Once again, we are seeing fear-driven spending on a massive scale, this time directed to consultancies and law firms that have suddenly rebranded themselves as “privacy experts” and “GDPR compliance specialists.” Once again, the doomsday clocks are ticking.
Here is the real lesson from Y2K: fear is a terrible foundation for strategic thought. Fear clouds our vision; it does not illuminate. Deadline-driven panic rarely leads to anything constructive or enduring. With Y2K, so many were focused on the millennium bug that they missed the larger shift: the move away from the old-line mainframe era into more distributed, server-based IT architectures.
Now, many companies are focusing entirely on the specific issues of GDPR compliance, missing the bigger and more important challenge: the need for a new approach to data governance, including data security, sovereignty, and privacy.
Yes, the coming May 2018 deadline is significant, but many companies are over-rotating on this one issue at this one point in time. They are stuck in old world thinking, emphasizing point fixes when they need to think much bigger. Desperate to deliver “compliance” in time, and realizing they are behind, they are throwing money at the problem, and finding many vendors happy to take it. So you see law firms, consultancies, and technology providers swoop in, happy to fill the fear vortex with billable hours.
Our digital future is being shaped by two opposing forces
To see the full scope of the challenge, you must first appreciate the macro context. The world is changing in fundamental ways. The emergence of AI and the intelligent, connected hybrid cloud world is shifting how we live and interact with each other and our surroundings. And data powers it all.
We are seeing the rise of two powerful but clearly opposed forces. First: the incredible growth in demand for rich, deeply relevant digital experiences. We all want the convenience, customization, and immediacy that is only possible when app developers have real-time access to our personal data.
Second: the international data privacy, sovereignty, and protection backlash. Around the world, consumers, citizens, and regulators are demanding a much higher degree of accountability for user data. Burned by countless abuses, intrusions, and breaches, people want to take back control of their data and their privacy. And lawmakers are listening and acting.
We are living in a new world shaped by these two forces. We have yet to reach equilibrium; it is unclear when we will.
The only certainty is uncertainty
The new laws that are coming, of which GDPR is but one, are imperfect and flawed responses to a complex problem. What is missing from the current conversation on GDPR is that it is not about a point in time, or a specific set of rules, or certain geographic boundaries. It is about the journey towards reconciling these two opposing forces.
The way these laws will be enforced, and even the laws themselves, are virtually certain to change over time. The ubiquity and scale of data demand it. Hybrid cloud architectures, edge computing, native language platforms, and new applications enabled by 5G will all create scenarios that current regulatory structures handle poorly. The sheer complexity of the issues involved demands it.
History also shows us the shortcomings of legislation in trying to address emerging privacy issues. Many of the U.S.’s current privacy laws were a direct response to the preoccupations of McCarthy-era America, focused heavily on wiretapping.
So we have laws regulating audio recording, but very few restrictions on video capture, despite its arguably more sensitive nature. Legislators struggle to design laws for today’s era of unprecedented technological innovation. Courts, inherently backwards-looking and governed by precedent, will struggle to interpret these laws, creating further uncertainty.
We need holistic thinking
There are lots of ways to comply with GDPR. I recently read one Big Law memo suggesting companies consider abandoning their operations in the EU, which seems stunningly defeatist to me. What is needed is not a limited, two-dimensional focus on “compliance now” – it’s a broader, more holistic emphasis on “data governance forever.”
May 2018 isn’t an end date. If 80% of companies are not fully compliant by that date, is the EU going to fine 80% of the companies operating in its market on day 1? I don’t think so. The EU enforcement authorities are scrambling just to hire people for their enforcement teams. So they are struggling with the “deadline” too.
GDPR attempts to regulate specific data sets of specific people in specific places. It is simultaneously too narrow and too broad to be the touchstone for a company’s data governance strategy. We need intelligence and accountability across the full lifecycle of data. Every part of the process, from the data that you choose to collect all the way through where and how it is archived, needs to be integrated into an overall plan.
Companies need broad, thoughtful data governance regimes, not just to protect EU citizen PII, but company trade secrets, customer data, and everything else that needs to be secured and managed.
Working towards an elusive balance
This is an area that resists simple answers. We will keep demanding the hyper-immediate, deeply relevant experiences that only mass scale data “exposure” can provide, while also becoming more protective of our privacy. Balancing these two seemingly opposed impulses is one of the great challenges of our time.
This balance can seem impossible, but there are some promising examples. Estonia’s national “single entry” scheme is effective and wildly popular. It ties together all critical services for citizens into a single connected system, enabling the highest level of access and relevance while keeping individual privacy safe through encryption and stiff criminal penalties for abuse. If this model is copied by other governments and private sector organizations, it offers a hopeful example for the future.
[As senior vice president, general counsel, chief compliance counsel, and secretary for NetApp, Matthew Fawcett is responsible for all legal affairs worldwide, including corporate governance and securities law compliance, intellectual property matters, contracts, and mergers and acquisitions. He has overseen the development of NetApp Legal into a global high-performance organization with a unique commitment to innovation and transformation.]