GDPR - aggression, blame-shifting and obfuscation ahead?

By Chris Middleton, December 19, 2017
Summary:
SugarCRM  CEO Larry Augustin welcomes GDPR, but the side-effects may be grim, he says.

SugarCRM CEO Larry Augustin may have refocused his business on the skill-augmenting aspects of AI, but the first half of 2018 will be all about one thing, he says: GDPR, the forthcoming General Data Protection Regulation from the European Commission.

And the world he’s preparing for may turn out to be a legal war zone of obfuscation, blame-shifting, and corporate trickery for some ill-prepared or belligerent organisations, a controversial prediction to make.

For its part, SugarCRM will be ready for the new regulations to kick in in May, he says:

For the Spring release, we’ve done a lot of work on enabling people to be GDPR compliant. Part of being able to deliver compliance is following processes, workflow, and answering questions such as, what do you do when this happens? Our strategy has been to create a set of features across the product that are about managing personal information and privacy, and enabling auditing, logging, tracking, deletion of data in places, obfuscation, and so on, and then putting best practices, processes, and policies around those to comply with GDPR.

So as a CEO looking at Europe – and now separately at the UK – from outside, how does he think decision-makers should think strategically about data protection, privacy, transfer, and governance? The answer is to see GDPR as stage one in an ongoing process: this isn’t something to just take on the chin come the Spring and then walk away from, he says:

GDPR isn’t a one-off. We expect that people will continue to care more, and governments will continue to legislate, around personal information and privacy. GDPR is going to go through many phases of interpretation and refinement. Other forms of legislation will appear, so what we don’t want to do is just build for GDPR, but tools that enable the managing of data, personal information, and privacy, which can be applied to different specifics as they emerge.

For us, it’s a positive, because we’re creating capabilities that enable companies to better manage all of that. But in the mid-term, I think everyone in the business world is going to have to pause and think, and maybe spend much of the year figuring out how to meet GDPR requirements.

But Augustin doesn't believe that all organisations are ready for this sea-change in the way that they will be allowed to gather and use customer or citizen information:

People are not ready. They’re trying, they’re putting a very good-faith effort into being ready – a lot of effort. But there is fear, because the legislation is new and a lot of it is open to interpretation. There’s this big sense of: ‘I don’t know what to do. I think it’s this, but I’ve talked to people and they’ve all given me different answers... so I have to make a lot of assumptions. I’m not sure what compliance looks like.’ Well, that’s a scary place to be, when the penalties are so high.

Trouble ahead

That raises the question of what business and technology leaders are doing about it. Augustin’s answer reveals what 2018 will look like for some strategists. The news isn’t great, and there may be a big fight brewing.

I sense that organisations are going down one of two paths. One is those leaders who say, ‘I’m going to make my best effort and trust that the regulators will give me credit for it. And through whatever process, I get more clarity and I find I haven’t achieved what the regulators want, that the effort will get me a pass to go do it’. My sense is that they’ll be given credit for good-faith efforts, because this is all new: there are so many people in that boat.

But there’s another set of companies that are saying, ‘You know what? This stuff is too ill defined. We’re just going to wait. And rather than invest money now that’s going to be wasted, we’re going to take the risk. We don’t know what it means to be compliant, so we’re just not going to do it.’

The ‘do nothing’ camp won't just be larger organisations, which plan to face down the regulators, he adds:

I don’t think it’s necessarily larger companies. I sense that it’s organisations that are more B2B – industrials and manufacturing, non-consumer businesses – and therefore dealing less with personally identifiable information. And they will try to make a case that the data they’re dealing with is all business-required.

I think they’re being aggressive when they do that. They’re going to take an aggressive interpretation and say, ‘Look, this is ill-defined, it doesn’t apply to us that much’. But that doesn’t work with GDPR. They’ll have to comply eventually, but they’re willing to take that path.

Potentially, GDPR may throw a spanner in the works for another group: the countless organisations in the sales, marketing, and advertising sectors, together with those departments in every type of enterprise. Many of these companies will wake up in a new world in May 2018, one in which they’ll have to demonstrate that the purpose of their data-gathering is justified, while dealing with the inevitable spike in citizen demands for data to be permanently erased. And there's more complexity ahead, Augustin points out:

If you add another purpose, you’ll have to record it and get permission for that purpose. There’s a lot of concern over it, and technically many of these things will be very, very hard.

For example, if you ask for your personal information to be deleted, every company has backups, and systems where data gets written to archival media stored offsite. You can ask them to delete your data but they actually, physically, don’t have a way to do that. They can delete it from current operational systems, and as backups time out, it will eventually disappear, but most of them have no way to eliminate a piece of data that’s stored in an archive. Mechanisms were built so that you can’t do that.

I don’t think there’s going to be a solution that works for everyone, but you may be able to mitigate some of this stuff with a best, good-faith effort towards compliance.

I know companies that are now creating obfuscation methods in backups. It’s effectively like encrypting pieces of the backup, so if you destroy the key, you can never get the data. And they believe that’s equivalent to deletion, as they’ve destroyed any way to extract the data. But we’re all going to have to figure this out.
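The key-destruction ("crypto-shredding") approach Augustin describes, as an added example that is not SugarCRM's code or anything from the interview: each data subject's records are encrypted under a per-subject key held outside the archive, backups contain only ciphertext, and erasure means destroying the key, so an old offsite copy stays byte-for-byte intact yet can no longer be read. The HMAC-SHA256 counter-mode cipher and the `CrmStore` class are constructed here purely for a stdlib-only demonstration; a production system would use AES-GCM or a similar authenticated cipher and a proper key management service.

```python
import hmac, hashlib, os, json

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (stdlib stand-in for AES-GCM)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CrmStore:
    """Hypothetical record store: keys never enter the backup set, only ciphertext does."""
    def __init__(self):
        self.keys = {}      # subject_id -> per-subject data encryption key (excluded from backups)
        self.records = {}   # subject_id -> ciphertext blob (this is what the archive receives)

    def put(self, subject_id: str, personal_data: dict) -> None:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        self.records[subject_id] = encrypt(key, json.dumps(personal_data).encode())

    def backup(self) -> dict:
        # Snapshot of ciphertext only; treat the returned copy as immutable offsite media
        return dict(self.records)

    def erase(self, subject_id: str) -> None:
        # Erasure = destroy the key. Archived ciphertext survives but is now unrecoverable.
        self.keys.pop(subject_id, None)
        self.records.pop(subject_id, None)

    def restore(self, archive: dict) -> dict:
        # Subjects whose key was shredded come back as None, not as plaintext
        out = {}
        for subject_id, blob in archive.items():
            key = self.keys.get(subject_id)
            out[subject_id] = json.loads(decrypt(key, blob)) if key else None
        return out
```

The check a practitioner should run is that a backup taken before the erasure request still restores every other subject while the erased subject's record comes back empty, and that the erased blob is still physically present in the archive.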

Blame game

GDPR seeks to redress the balance within an information economy in which many organisations have long regarded the seizure of consumer data as a God-given right, while – in many cases – giving nothing back and syphoning ads into customers’ eyes, ears, and pockets through every conceivable channel. Over the past quarter century, many consumers have come to recognise that their data is the world’s de facto currency, and that they’ve given it away for little more than noise and intrusion. GDPR is on those consumers’ side, and forcing organisations to stop and think about what they are doing can only be a good thing.

However, the problem is that legislators are largely leaving it up to software companies to sort out the mess for their customers, which may shift the onus of responsibility – perhaps even liability – onto those providers’ shoulders. Should governments and regulators step up and take a more conciliatory, educational role? Augustin thinks so:

I would love to see that. I would love to see more guidance. Part of the challenge for us is that a lot of our business is B2B. When our customers are maintaining data on a person, it’s usually in a business context. There’s a component of GDPR that applies to business judgement. For example, if you’re the purchasing agent in a business, and you have a contract, then there is a business relationship that has to be facilitated by Person A knowing who Person B is. That can’t go away – among other things, for legal and auditing reasons. So there is a conflict there.

Having more clarity, and explaining what the intent of something is and explaining how it should work... it would be good to have more guidance there. In practice, the way these things work is the legislation happens, people make their best effort, or take some risk, and it gets defined over time, as things go to the courts.

There is also the inevitable concern that some vendors, particularly those on the database or data management side, may be held responsible by their own customers, if users find themselves to be non-compliant with the regulations – even though it will be the end-user’s responsibility. Augustin agrees:

I think in any of these things where the requirements are vague and the penalties are high, people are absolutely going to look at trying to shift responsibility. Absolutely. There’s already a process going on in some companies where they’re reaching out to their business partners with GDPR ‘contracts’, if you will, saying, ‘I want you to agree that we’re using your data in a GDPR-compliant way, and you’re probably going to ask me the same thing, so that we can agree how we use each other’s data, and that we’re compliant’.

But that’s passing off responsibility... that’s saying, ‘We’ve agreed that we’re using this data in a GDPR-compliant way, so we’re shifting responsibility to you as a business supplier or partner.’ That shift is happening today. We’re even getting those things from companies ourselves! And we’re probably going to have to send them back.

My take

Welcome to the new world. Read up, take guidance, think strategically, plan NOW for May 2018 and for the long term, and DDN (Don’t Do Nothing).

Meanwhile, take Augustin’s advice: be careful what you sign.