Expertise is out of fashion at the moment, drowned out by charlatans, shysters and the volubly ignorant. The General Data Protection Regulation (GDPR) and Brexit afford ample opportunity for all of them. It is perhaps no coincidence that nuisance telephone calling is on the rise again – if there are suckers out there prepared to accept that a “No deal” Brexit is a good idea, or that the GDPR obliges you to write to all your customers, then why not try and sell them so-called “Green Deal” window replacements over the phone?
There are plenty of good people offering useful help with the GDPR – lawyers who understand the law, first-rate privacy consultants who had expertise in this area before the letters “GDPR” were ever strung together, and data management companies who offer tools and consultancy aimed at discrete GDPR obligations such as identifying private information.
There are many GDPR shysters as well – people claiming to be “GDPR certified”, or to have solutions which magically solve all your compliance obligations out of the box; a friend was assured by her local computer consultant that her domestic laptop was now fully “GDPR-compliant”.
Peak GDPR nonsense was achieved last week with a tweeted report of a consultant who claimed to have “Met the GDPR”. The story may, of course, be apocryphal, but people claim to have “met” death, or a ghost, or Elvis on Shergar in the supermarket, so why not a corporeal version of the GDPR? Does it have two horns and a toasting fork like Don Camillo’s Devil, or one horn like a unicorn, I wonder. The claim to have “met the GDPR” is not the most ludicrous statement I have come across in the last couple of years.
Brexit has unleashed a mass of nonsense, not least about the potential consequences of the UK leaving the EU without a deal. It will all be good, Brexit’s proponents claim. All sorts of people claim or imply expertise in International trade agreements, and deride any suggestion that adverse consequences will appear once Brexit takes effect. True experts patiently explain the reality but the same nonsense recurs the next day.
Some of them, Jacob Rees-Mogg and John Redwood for example, stand to make money from the disruption of Brexit and will say anything to whip up the, ah, less thoughtful of their followers. Others, like, say, Brexit secretary Dominic Raab, are bright enough to know they are peddling nonsense, but faithfully mouth the government’s script because that is their job; yet others really are too stupid to understand what they are saying.
Sir Bernard Jenkin falls into the middle camp – not particularly stupid, but devoted to Brexit and willing to say anything which stirs up the mob (he is said to be the reason why Richard Curtis includes a loser called Bernard in all his film scripts).
I mentioned Bernard Jenkin specifically because he has compared the Brexit to the Year 2000 or Y2K scares. He said on the BBC’s Today programme “We will look back and wonder what the fuss was about – a bit like the millennium bug, remember all the experts on the millennium bug?”
This is not just nonsense of the highest order, but nonsense which inadvertently exposes the UK government’s lack of any preparation for Brexit. The reason Y2K was not a disaster was that many experts around the world spent thousands of hours anticipating what might happen just after midnight on 1 January 2000 and made sure that no adverse consequences ensued. By contrast, the British government triggered the Leave process with no plans at all and no assessment of the consequences for government, businesses and individuals of leaving the EU. It is fairly typical of the government’s PR management that one of its senior members should draw attention to this while trying to argue the opposite.
Brexit is a self-imposed disaster-in-waiting, and likening it to the millennium bug breaks down anyway on that ground. There is, perhaps, a more sensible comparison to be made between the millennium bug and the GDPR, a comparison worth making if only to illustrate the difference between the two. Both were external forces, both were known about long in advance, and responsibility for anticipating both of them lay with those likely to be affected.
Before it took effect, the GDPR was spoken of in apocalyptic terms, as if the heavens would fall in on 25 May 2018. Part of this was thanks to an understandable approach by marketing departments who like to invent a crisis in order to show how their company’s product or service will solve it.
Those who prepared for the GDPR, either because the GDPR was coming or because they are just well-run organisations, suffered no adverse consequences on 25 May. Neither, of course, did those who had done nothing. You might go on for months, or even years, paying no attention to the GDPR and meet no overt difficulties.
For many, the difficulties will emerge more slowly: clients and shareholders will start asking awkward questions; increasing numbers of subject access requests will come in, raising questions which the organisation either cannot answer at all or can only answer with an immense amount of work, possibly exposing embarrassing loopholes as they go; and one day there will be a data breach and the management will find itself simultaneously fire-fighting the practical effects, stumbling to comply with the GDPR post-breach requirements, and trying to present a coherent story to journalists, customers and shareholders.
Y2K came and went without disaster, largely because its anticipated consequences were headed off by hard work. Brexit will probably happen, largely because those who are driving it either stand to profit from it or simply have no more idea of its consequences than the weak idiot who triggered it with the Article 50 notification. The government has failed to prepare for it, and there is not much the rest of us can do beyond laying in stocks of food and medicine.
The GDPR has something in common with both Y2K and Brexit, not least the use of emotive trigger words and a fixed commencement date. Its difference is that the sky did not fall in on that date, as would have happened with Y2K and as will happen on 29 March 2019 if the UK crashes out if the EU with no deal. Yes, it would have been good to have been ready for the GDPR on 25 May, even if full compliance was not capable of definition, but GDPR compliance is increasingly just a component of good corporate governance. It is never too late to start.