GDPR - Active Empowerment vs. Passive Consumerism

by ndf - Academic Healthcare CISO

Now that the enforcement phase of the European Union General Data Protection Regulation (GDPR) is active, what have we learned?

We have learned that a tool meant for European citizens to empower themselves and take control over how third parties handle their data has been reduced to another checkbox exercise, where one provision above all, the Right to be Forgotten (rooted in the European Data Protection Directive, Directive 95/46/EC), was emphasized.

The other portions that were emphasized were data flow analysis and data loss prevention.

Most of all, enforcement and fines have been used as a tool to get companies to buy goods and services they do not need in order to comply with it.

When you take a critical look at GDPR and what it means, you have to understand that you cannot buy a technological solution that addresses the issues in the spirit of the legislation.

The emphasis on individual rights comes from the misuse of information by the National Socialist party during World War II to monitor and control the population, shape public opinion, and kill dissenters and anyone with non-Aryan blood. (Editor's Note: Which is why they were allied with the Japanese...)

The Stasi, the secret police of the German Democratic Republic, better known as East Germany, continued this infamous legacy, as did the former Soviet socialist republics. While the opinions of Americans may be shaped by George Orwell and Facebook, the opinions of E.U. citizens have been shaped by the misuse of information for the purposes of genocide and suppression.

It is this mindset that drove the European Union's 1995 Data Protection Directive. It also drove the backlash against U.S. companies in the wake of the Edward Snowden revelations, which caused the European Court of Justice to invalidate a 15-year-old agreement to allow Safe Harbor data transfers between the U.S. and E.U. in 2015.

GDPR is meant to de-emphasize passive consumerism and force companies to:

  • Provide clear explanations to consumers on how their data will be used.
  • Allow consumers to become active participants: let them see what data companies hold on them, and give them the right to affirmatively consent to and determine how their data will be used or deleted.
  • Not overwhelm the consumers with clickwrap agreements and 50-page "End User Agreements" as part of the terms and conditions of service usage.
  • Promptly notify consumers in case of a verified breach.
  • Be able to explain where data resides, how it is used, and how it is protected.
  • Assure consumers that only minimum necessary data needed for processing is collected, and that what is collected is adequately protected.
  • Explicitly demonstrate how they assess and address risk.

What Have We Seen So Far?

My inbox has been flooded with privacy policy notices that are opt-in by default.

This is precisely what GDPR is meant to stop.

A number of software developers and companies have made rash decisions to deny goods and services to E.U. citizens because they do not feel that they can comply with certain terms and conditions of GDPR.

I have received more vendor emails on how I can make my organization GDPR-compliant just by buying some software.

I have received more vendor emails on how I need to buy their software or my company will be fined millions of euros.

What Are the Effects?

We have taken legislation that is meant to empower the consumer, protect against government overreach, and turned it into something else.

GDPR is meant to take a step toward removing passive consumerism: the practice of having people click through agreements that neither they nor a qualified legal scholar can fully understand. Those agreements strip people of the ability to control how their data is used, which gives third parties free rein to monetize it or use it without realistic, explicit consent.

Passive consumerism is putting blind trust in companies that rely on quarterly earnings reports to determine their value and share price, their ability to borrow money from banks, and their ability to attract further investment. It has no interest in the consumer, but rather in the self-preservation of the companies that have custody of their data.

We have turned the intent of GDPR compliance, which is empowerment and protection against overreach and misuse, into yet another package of goods and services that a "security" company can sell so that the same companies can continue passive consumerism under the guise of being "GDPR Compliant."

What Does GDPR Really Take?

Real compliance takes fully understanding your organization and having a consumer-first mindset toward empowering customers and team members, and being transparent with information while vigorously protecting individual rights to privacy and consent.

You cannot buy this.

You have to develop this within your organization, starting with top leadership.

It is really hard and complex to do well, which is why:

  • If you or your company do not have this mindset or consider empowerment or privacy to be basic human rights, your organization will never be compliant.
  • If you cannot explain where data resides, or cannot provide a mechanism to deliver it to your customers in a standard, readable format, then you will not be compliant.
  • If you cannot demonstrate an ability to assess or address risk, you will not be compliant.
  • If you cannot use clear language to explain your services, how they work, and how to discontinue usage of them, you will not be compliant.

Facebook, for all of its past sins, has done a very good job of providing this information.

Microsoft, Apple, and other large service providers have also done so. Microsoft especially needs to be applauded for indicating that the GDPR applies to all of its customers.

GDPR is about changing the mindset to empower consumers, as well as respect and protect individual rights.

Other countries and multinational organizations, India in particular, have laid the foundations for their own versions of it.

Empowerment is the future, and we need to be ready.