Is GDPR a draconian regulation?

Is the General Data Protection Regulation (GDPR) that came into effect on May 25, 2018 draconian in nature? The simple and straightforward answer is ‘yes’, if we look mainly at the astronomical penalties in place. Otherwise, anybody should welcome this bold and timely step to protect the individual’s identity and privacy, which can come only from the collective wisdom and determination of the EU.

Failure to comply with GDPR can result in a fine ranging from 10 million euros to four per cent of the company’s annual global turnover. Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious manner. But, most importantly, infringements of the rights of the data subjects, unauthorized international transfer of data, etc. would attract a fine of four percent of global turnover or 20 million Euros, whichever is greater! Like in any law, GDPR also has ample room for subjective interpretations when it comes to a litigation. This leaves many uncertainties for those who want to run a digital business. This simply means, if organizations need to survive, they need to be extremely alert, every single day, right from the design stage or be prepared to argue cases after cases as it comes! Good for lawyers!

Obviously enough, the aforesaid fine is a hell of a lot of money that most startups would never see in their lifecycle, unless Lady Luck is really on your side and you became another FB or Twitter! And, if you become a multi-million or -billion digital company, a few 20 millions is something which you should always keep ready to be paid off against claims that can surface from any corner and in any form, no matter whether you have ten or hundred experts monitoring GDPR compliance. From this point at least, GDPR, in its current form, can simply wreck innumerable small firms, thereby allowing giant organizations, who can afford to have the entire paraphernalia for GDPR compliance, to monopolize the market. It could be a favorable situation for the rich to get richer and the poor to get poorer. The digital business already has the ‘winner takes it all’ problem! Perhaps, the GDPR was intended to control the personal data theft and manipulations by the large players, but now might ultimately help them indirectly. The only difference now is that they are forced to do the business more responsibly! That at least is good!

GDPR could be capable of draining key resources of smaller companies to maintain skills, including for having Data Protection Officers. It not only adds to their overheads but will also be a perennial distraction from their core activity. I am almost sure that many small digital companies operating from co-working spaces or even from small offices will vanish into the thin air. Many creative guys wouldn’t want to venture into even simple digital businesses because they have to handle names and e-mail addresses, all of which form part of personal data that need to be carefully protected. What can any business do without a name and an e-mail address of its customers? A month ago, an exceptional educational portal based in the Netherlands, mailed to me saying that they won’t store any user data and that every time I want to search I should key in all parameters of my interests. I wouldn’t be interested in using that site anymore!

Instead of focusing on rolling out an innovative technology solution that can be perfected as you get user feedbacks, at least thirty percent of young brain functionality will now be used for conformity and compliance. This isn’t what we were talking about all these years in the information era in the context of creativity, innovation and tech-businesses.

That said, since a few years we seemed to have reached the cusp of a learning curve of a rather unregulated digital world. Some technologies that we have fondly called disruptive and have revolutionised our lives are facing new challenges from social, political, cultural, behavioural and privacy angles. The information revolution has transformed all our lives and gave easy access to a wealth of global data, information, news and views. At the same time, these were also channels for uncontrolled and free expression! The unrestrained, untamed and often irresponsible scribbling in the social media has practically ended up like graffiti on the street walls! Networking should be uniting! But in this case, it became a network of innumerable cobwebs of fickle emotions, lies and hatred. This is a grand situation to capture individual data and inclinations, use them not only for promoting products, but also for making money out of personal data and manipulating elections. The potential around data analytics is so alluring that even political parties and governments would like to play around with it. Shouldn’t we then have something like the GDPR?

My argument, therefore, would be that something like GDPR should have been there a bit earlier. It should now be extended as an international regulation with more and more countries joining the movement, but with much more rationale around the penalties and other administrative clauses. As such, it works against small and micro businesses, which often is the backbone of many successful economies! Now, the natural question is whether or not we should have sound regulations for such businesses to function responsibly. The answer is a big yes. But then, the regulations and certifications you need to fly an aircraft and drive a car have to be very different!

While we are vehemently debating about GDPR, there are ‘democratic’ countries like India that now want to put a surveillance on their citizens’ cyber inclinations. Newspapers report that a tender is now open inviting companies to develop and install a tool to do this[1]. Reports say that the tool should have the “capability to crawl World Wide Web and social media to monitor and analyse various trends emerging and to gauge sentiment among netizens”, it will also be able to distinguish between “positive, negative and neutral social media conversations”. So, where are the Indians heading at this point in time?

We certainly need to harness the potential of technologies in a much more responsible manner and with good ‘intentions’ as the plethora of tools available have the potential of deadly ammunitions that can make or break a world, perhaps a bit insidiously! I leave my article with a quote from Ayn Rand in her book ‘Atlas Shrugged’ in 1957: “When you see that in order to produce, you need to obtain permission from men who produce nothing — When you see that money is flowing to those who deal, not in goods, but in favors — When you see that men get richer by graft and by pull than by work, and your laws don’t protect you against them, but protect them against you — When you see corruption being rewarded and honesty becoming a self-sacrifice — You may know that your society is doomed.”

[1] https://timesofindia.indiatimes.com/india/govt-to-hire-social-media-monitors-for-all-716-districts/articleshow/64296350.cms