A timely raincheck on the GDPR: the law of unintended consequences

As we approach a six-month point since the full implementation date of the GDPR, it is interesting to see evidence of the legislation having much greater consequences and advantages than those for which it was originally intended. Stemming from the Post-World War II human rights movement, the GDPR in its most fundamental form can be seen as a beneficial facility for handling the core issue of risk management between data and people. In this instance, risk is both an opportunity to be exploited as well as a downside to be mitigated. To support this contention, one may cite recent instances of the GDPR having practical impacts way beyond that of its original draftsmen.


On the launch of the 1995 GDP Directive, Viviane Reding, the EU Data Commissioner, stated that only 17% of Europe at the time had a computer – and only 8% were on the internet. Today, if we consider the Internet of Things (IoT) and widespread use of mobile devices, these percentages have changed dramatically. A seminal difference between the 1995 Directive and the 2016 regulation is the exponential growth around the ease of communication, coupled with the sheer volume of data being generated.

To most observers, the GDPR is solely about compliance. However, one would propose that it is far more wide-reaching, especially in terms of the assertion of rights by the private individual. For example, in October 2018 two class actions were enhanced by the Twitter generation’s capability of amassing discontent via social media. One Twitter account in the UK entitled “Google You Owe Us” is currently seeking US$ 1.3 billion in compensation from Google for allegedly collecting sensitive data on 4.4 million iPhone users in England and Wales.  Meanwhile in Italy, an account launched a class action against Facebook – activated by Altroconsumo – over data loss as a result of the improper use of registered users’ information and, in turn, the lack of security and privacy. A claim for EUR200 per user reflected the indiscriminate use of private data and the consequential reputational damage from users seeing their data used illegally.

Customer centricity

The concept of a “360-degree view of the customer” has been mooted for at least two decades. But it is interesting that both a conference in London aimed at Chief Data Officers and a financial institution think tank in Rome recently indicated that this standard is far from being delivered within major enterprises. While not referenceable within the GDPR itself, the regulation does have the effect of causing entities – both public and private sector – to accelerate their visibility, classification and ability to achieve “policy enforcement” in relation to the multi-format data held by organisations dealing with the retail sector.

On the one hand, it is a matter of the individual asserting rights to data erasure, reaction and portability. However, for the data controller there is, in fact, an opportunity to work with the technical automation departments in order to create better analytics capabilities. Improving speed, accuracy and identifying prioritised volumes through analytics positively impacts both data life cycle management and security. For the latter, this is vital not only for cyber defence, but also when it comes to protecting applications, databases, the data itself and the employee.

FinTech revolution

The CEO of an insightful Indian systems integrator in late October this year quoted the proposition from private American venture capital firm Andreessen Horowitz in 2015: “The battle between every startup and incumbent comes down to whether the startup gets distribution before the incumbent gets innovation”. The FinTech revolution this statement exemplifies involves both threat and opportunity. One would argue that this is a function of being able to corral data from diverse internal and external sources, and being able to classify, govern and deduce innovation – in a safe manner.

Consequently, the GDPR’s standards of data accessibility, execution and accountability unwittingly improve the prospects for such exploitation of data for innovation. When recently discussing the difference between “waterfall vs agile sprint innovation”, the CIO of a major Irish bank shrewdly observed that sprints are desirable, but need to be contained within guidelines to avoid the “splintering” of data. The GDPR actually provides a control environment for this. As the CDO of a global British bank described some months ago, while the GDPR is a necessary dictator of compliance, it also underpins the bank’s private wealth management product innovators’ ability to access and process highly sensitive data. With the availability of auditable data management and Identity Access Management tools, this can be undertaken successfully while also ensuring compliance.

Management of market volatility

A final indication of the unexpected valuable impact of the GDPR is in the field of mergers and acquisitions. If there are three “real and present” issues – if not dangers – they are the inevitable move to the cloud; the innumerable permutations of Brexit; and the global impact of the Trump Administration trade policy “realignment”. All have the effect of commercial market disruption and stock market volatility.

Yet, it is not only market traders who can benefit from this, but also data scientists, along with progressive CIOs and CISOs needing to react to changes in ownership. A key issue of M&A execution is the isolation of data and its security. As the head of governance at a global energy company put it, the necessity to identify and cleanse mass data for GDPR purposes provides an ideal catalyst for enforcing clarity on the data assets being sold, merged and acquired as a result of these three issues.

Thus one may propose that the GDPR is a means to many ends and not just a means in itself. While it is the case that the defensive/compliant aspects of the regulation are top of mind, savvy specialists in data analytics, data infrastructure alignment and security may also see the business advancing prospects that the regulation can create.


By  David Kemp, Business Strategist, Micro Focus

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/