Not Sure What GDPR Ensures

There is a vital difference between knowing what you should do and knowing how to do it. There is also a crucial distinction between knowing what others should do and ensuring they do it. People have long appreciated and understood these differences. For example, Moses returned from Mount Sinai with divine tablets of stone commanding “thou shalt not kill”, but none of the human laws passed since have ever ensured the end of murder. However, such niceties seem to be lost on advocates of the EU’s General Data Protection Regulation (GDPR). Consider the following press release from the International Organization for Standardization (ISO), a body that really should understand the meaning of words:

Data privacy by design: a new standard ensures consumer privacy at every step

That is a bold start. Privacy will be ensured not just once or twice over, but at every step!

On the eve of new EU regulations, and in the wake of recent large-scale data privacy breaches, a new ISO committee is leading the way with guidelines…

Guidelines? Are we sure that guidelines will be sufficient to ensure privacy?

A team of privacy experts has been formed to develop the first set of preventative international guidelines for ensuring consumer privacy is embedded into the design of a product or service, offering protection throughout the whole life cycle…

So whilst organizations are supposed to comply with GDPR already, the guidelines are just a work in progress. Why would a compliant entity want more guidelines in future? It can only be because the requirements of the law are so sketchy that we all need more detailed instructions.

The new ISO project committee, ISO/PC 317, Consumer protection: privacy by design for consumer goods and services, was developed by ISO/COPOLCO, the ISO committee that deals with consumer issues in standardization. Its remit is to develop a standard that will not only enable compliance with regulations, but generate greater consumer trust at a time when it is needed most.

At the top of the press release we were told privacy would be ensured. By the fourth paragraph it is only being enabled. The real concern is that too many bodies want us to trust the way personal data is handled although that trust is not really deserved. In such circumstances, it would be better if consumers feared the abuse of their data, and acted accordingly.

Speaking via video at an ISO international workshop dedicated to the issue, held in Bali, Indonesia, this week, internationally renowned Canadian privacy expert Dr Ann Cavoukian welcomed the move.

“The majority of privacy breaches remain unchallenged, unregulated and unknown,” she said. “Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy. Prevention is needed.”

This is true enough. But this is another way of saying that organizations should diligently prevent non-compliance because nobody can be relied upon to identify non-compliance.

Pete Eisenegger, ISO/COPOLCO’s lead person for data protection and privacy and member of ISO/PC 317, said that implementing the standard will help companies comply with regulations…

So ISO began by ensuring, then switched to enabling, but is now satisfied with only helping compliance.

This is another example of standards bodies deliberately confusing the necessary with the sufficient. They want it to be necessary that every organization adopts their standards, but do not promise that adherence to a standard is sufficient to meet the stated goals. In other words, they want organizations to be penalized as non-compliant with a law if they choose not to adopt a standard, but do not promise that compliance with the standard will guarantee compliance with the law.

The Old Testament of the Bible offers a relevant observation.

What has been will be again,
what has been done will be done again;
there is nothing new under the sun.

– Ecclesiastes 1:9

We should remember the words the British Standards Institution (BSI) used to describe the previous wave of European data protection laws:

The purpose of data protection legislation is to ensure that personal data is not processed without the knowledge and, except in certain cases, the consent of the data subject…

The old data protection rules, adopted two decades ago, were an abject failure. At the time, those rules were lauded by a legion of professionals who insisted they would succeed. We should learn from history, and be skeptical about the current chorus of advocates for GDPR. The new data protection rules will ensure nothing, meaning every individual and every corporate entity should protect themselves by trusting nobody.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.