Be careful what you read

Philip Howard

Written By:
Published: 22nd July, 2016
Content Copyright © 2016 Bloor. All Rights Reserved.

On occasion I have had to take vendors to task for over imaginative marketing of their various products. SAP is probably the most egregious current example of this with its over-hyping of HANA but at least that's just a single product/company. However, in the more than twenty years I have been an analyst I have never faced such a deluge of stuff as with GDPR (general data protection regulation).

Some of the things I have seen written about GDPR are sensible, some is self-seeking, some is misguided and some is downright appalling. Most of them fail to discuss the issues that need to be addressed from a technical perspective.

The worst thing I have seen was a simply awful press release from something calling itself "The Center for Data Innovation". This effectively congratulates the UK for leaving the EU on the basis that the UK will now be able to escape (I paraphrase) from the dead hand of European privacy restrictions. As you might expect, the organisation is American (though I suppose Russian might be another possibility in this context). My immediate reaction was to wonder if these are the same sort of people who don't believe in Darwin. In any case, the press release is just plain wrong.

Most of the rest of the stuff I have seen about GDPR falls into two categories. Either it's from legal eagles, who obviously think (no doubt rightly) that they can make a bunch of money out of GDPR, or it's from vendors who are offering a "solution". Let me knock the latter on the head: there is no single solution or tool that will resolve all your GDPR issues. Even data masking and anonymisation, which some suppliers (those who sell data masking) seem to think is a silver bullet, is only a partial solution at best: you can't, for example, do one-to-one marketing if data is anonymised.

Similarly, consider the use of cookies. My reading of the regulation is that you would have to explicitly explain why you are using cookies as a part of gaining consent. Simply saying that "this website uses cookies" will not be sufficient. So, you explain the use of cookies and a user says no. You cannot store that negative response so you will have to display the cookie request every time that user comes to your site. That's going to really annoy people. The thought processes behind cookies are going to have to be re-examined.

The truth is that complying with GDPR will require a strategic approach and, by definition, strategies require more than a simple assemblage of tactics: they require a more holistic vision. We have a paper, currently in draft, that explores the data management implications of GDPR in some detail. Multiple tools and techniques will be required for organisations seeking to comply with the regulation.

Post a comment?

We welcome constructive criticism on all of our published content. Your name will be published against this comment after it has been moderated. We reserve the right to contact you by email if needed.

If you don't want to see the security question, please register and login.