For a long time, GDPR experienced the same fate as a struggling script in Hollywood, constantly locked in what film industry insiders describe as ‘turnaround hell’. It was debated and rewritten endlessly. Even once agreed in principle, it languished for quite a while and no one paid much attention.
Then, about 9 months ago, everyone realised that there was a big train coming down the tracks, and businesses started responding by engaging support and working through compliance programs of their own, and reaching out to their supply chains and business partners in the process. This sudden recognition coincided with a moment of clarity as the public suddenly woke up to how their personal data is being used and in some cases abused. Personal data became a big deal for everyone, even if few outside the industry admitted to truly understanding how the protection of personal data stacks up against the digital economy. Some, as the unfocused questioning aimed at Mark Zuckerberg when he recently appeared before the US Congress showed, tried and failed.
It’s about control
The question GDPR is really asking is this: are you properly managing the personal data that’s been entrusted to you, and can you demonstrate that you are? In the era of cloud computing and IoT, data is constantly flowing from one end user to another, making it that much harder for businesses to ensure the security of data with full confidence and transparency. Part of the global reaction against data-powered companies has been the suspicion that data escapes into different hands and different places and quickly becomes untraceable. Ultimately, everyone from the public to legislators wants greater reassurance that when data leaves your laptop or mobile and goes around the world, it is treated with the same respect as any other currency or commodity.
You may think that, considering the industry response to GDPR, regulators would determine that it is “job done”, but most suspect regulators will enforce GDPR aggressively. Margrethe Vestager, the EU’s competition commissioner, has pulled no punches previously when holding big tech companies to account regarding the use of data - especially if they are deemed to have used this to create unfair competitive advantage. Safe Harbor turning into the Privacy Shield; Max Schrems, the Austrian student and data warrior, taking on Facebook; Edward Snowden; Cambridge Analytica; and now GDPR taking effect and giving regulators strong enforcement options – they’ve all led us to this point. The likelihood that GDPR will be ‘weaponised’ against the biggest and most high-profile market participants is high. In the words of Vera Jourova, the EU’s Justice Commissioner, Brussels has “handed a loaded gun to its member state data protection authorities” to enforce the GDPR.
Should the UN oversee data regulation?
GDPR is the start, but some are asking whether we will see further convergence and a global standard emerge, as was the case with climate change at the end of the 2000s. In the years to come, will a regional regulation become subsumed into an international one? If all data is global, should some part of the UN or some similar sort of body have control of data regulation, including personal data? It’s probable that major regional political groups wouldn’t want to cede power, and it’s certain that many countries wouldn’t want to play ball. But with public outcry over data privacy reaching unprecedented levels, there’s no doubt the idea is already being played with by various decision-makers – any business that wants to understand the GDPR end-game needs to be thinking about this eventuality too.
The data centre industry has assumed a key role and responsibility in helping customers wrestling with this issue. Equinix is a multi-billion-dollar company but unlike most firms our size and most of our customer base, we obtain and manage very little personal data – we’re a major multinational with the personal data footprint of a virtual corner shop. But much of the personal data in the world passes through the servers in our data centres, and that makes us motivated and well placed to understand how to interpret and navigate GDPR for ourselves and our customers.
All companies need to understand their compliance around managing their personal data, and while all will need to meet the standards required by GDPR today, the expectations on companies to manage personal data will only grow. The real challenge is how businesses will balance, and make the trade-offs between, the continuing demands of compliance with these standards and the way they build them into day-to-day operations. All the while they have to keep in mind the continuing advancement of the digital economy and what that means for being able to actually have control over their data. Those looking to understand GDPR today and tomorrow need to ask themselves two key questions – what are the regulators and politicians likely to do now, and what will the global data movement and the continuing advancement of the digital economy force them to do next?