Data protection law needs trust to work: that’s why it’s failing


Scrabble tiles spelling out the word trust with some out-of-focus blue flowers in the background

I recently saw a post by the great Phil Lee about the EDPB's proposed updates to its GDPR data breach reporting guidance. The proposal is to require non-EU controllers to report breaches to each EU regulator in whose country affected individuals are located.

Understandably, the proposal has already been widely criticised, and it got me thinking about why UK and EU GDPR are in such a mess at the moment. There are, in my view, many reasons, but it struck me that a major one is a lack of trust: between regulators; between organisations and regulators; and between individuals and organisations.

We’re even seeing a lack of trust seep into the privacy profession. There are increasingly polarised views, expressed aggressively, on the ‘right’ interpretation of an aspect of the law. Those who don’t agree are scorned and treated with contempt. Privacy pros are blocking each other on LinkedIn for having different views, and there seem to be tribes forming of ‘us’ and ‘them’ based on how purist or pragmatic you are.

‘No-one can regulate like we do’

The regulators have never really trusted each other. In my experience, there is a long history of each one thinking only they are competent to regulate and enforce on matters relating to their citizens. (I can’t give you any hard evidence for this, it is based on my 7 years at the ICO as head of the international team and my interactions with other regulators as part of that job.)

When the one-stop-shop proposals were floated in GDPR drafts and then in the published version, many of us working at regulators privately laughed and said ‘that’ll never work’. It is not gratifying to be proved right. Back then, we talked to each other privately if we had concerns, and criticisms were shared among colleagues from other regulators in side discussions at meetings. We didn’t go public in newspapers on what we thought of each other. And we didn’t report each other to the Commission and publicly ask for a fellow regulator’s enforcement activity and approach to be investigated.

The lack of trust between regulators risks derailing aspects of GDPR and makes the EU approach a laughing stock. Instead of focusing on where there is real risk and harm, regulators have been sidetracked into games of who can get the most headlines, or appear the toughest, while changing very little for the people who are supposed to be at the heart of data protection law.

‘Organisations deliberately try to get round the law’

The regulators’ lack of trust in organisations has led them to think that most organisations resist legal requirements and are only interested in exploiting data. Their solution is to impose more burdens, more paperwork and more onerous requirements that often have very little to do with protecting data and looking out for individuals. They refuse to put the effort into understanding business models, new technologies and actual day-to-day data processing, and focus on their role as an enforcer rather than an educator.

The proposed change to the EDPB breach reporting guidance is an obvious manifestation of regulators’ lack of trust in organisations and each other. (Phil’s second excellent post on the topic is here.)

Regulators also often put out opinions on how data protection affects or interacts with other areas, but without consulting experts in those areas. This lack of trust in outside experts damages regulators’ credibility and leads to unworkable expectations that organisations ignore.

Many organisations, though, want to get things right. They want to do right by their customers and they understand the importance of customer trust. They do, though, have a business to run, and they can’t all be experts in data protection law. They need clear guidance on key requirements and to understand what the regulator expects. They want to know what good and bad look like, and to be able to ask questions in good faith without fear of enforcement if it turns out they got it wrong. They need to be able to trust the regulator to help them get it right.

Regulators also don’t help themselves by assuming complainants are telling them the truth, or the whole story. The ICO in particular has a bad habit of sending aggressive letters that assume the complainant is in the right, the organisation has got it wrong and immediate remediation is always required.

‘Regulators get in the way of innovation’

Where organisations can’t trust the regulator, they see it as actively working against business. They claim the law gets in the way of growth and innovation. They see the regulator make statements on what they can’t do, not on what they can do. They associate regulators with burdens and unnecessary red tape.

Regulators who focus on enforcement only see the bad actors; they don't get the good-news stories. So it’s not surprising some of them see business as the bad guy. They deal with excuses and resistance regularly, and this reinforces their belief that organisations can’t be trusted.

Regulators who make more effort to look for and publicise good practice, and organisations that do the right thing and shout about it, can help to rebuild trust on both sides.

‘Businesses just want to screw you over, it’s all about profit’

Individuals don’t trust organisations to handle their data fairly, responsibly and securely. Trust has been broken by endless data breaches, a growing awareness of how much profit there is in selling data, and an increase in the amount of information you need to provide to do almost anything online. (Retailers: how hard is it to provide a guest checkout, really?!)

Also, the lack of coherent and clear information for individuals about GDPR and their rights has led to a massive upsurge in people who think they know more than they do. They go from 0 to aggressive in one e-mail, and assume organisations that don’t immediately do what they demand are breaching the law. They insist they have the right to have all their data deleted on demand, and they complain to the regulator without providing all the facts. They are not helped by an increase in portals claiming to help you ‘take back control’ and ‘own your data’ by sending requests to hundreds of organisations in one click (often ones you have no relationship with). People just don’t believe organisations that try to explain the complex nuances of GDPR rights and why they can’t fulfil the request.

Organisations often don’t help themselves with poor transparency, privacy information written in legalese, poor customer service and a defensive attitude. Their statements on customer trust sometimes don’t align with their practices.

‘Individuals don’t really care about privacy, they put their lives online’

Organisations with a poor approach tend to mistrust people with genuine complaints. The ubiquity of social media and the way we live our lives online leads some organisations to think people don’t really care about their data and they’re just after money or preferential treatment.

The cost-cutting of recent years seems to have led to much poorer customer service. Individuals have difficulty finding contact details for organisations and struggle to speak to an actual person. Staff are failing to recognise data-related complaints and queries and failing to take them seriously. I’m sure I’m not the only one who has been fobbed off with a generic customer service reply to a specific data question and left thinking ‘did you even read my message?’.

None of this leads to customer trust and it’s not surprising that individuals and organisations are increasingly antagonistic towards each other.

Where do we go from here?

Trust is notoriously easy to lose and hard to regain.

Organisations doing the right thing need to keep at it, and not lose hope that their approach will pay off. Organisations doing badly need to sharpen up.

Individuals need to count to 10 before letting rip, and not assume they know more than they do.

Regulators need to wind their necks in from the infighting and focus on the real risks and harms. Don’t compete to see who can give the biggest fine or get the most headlines; educate, promote good practice and use enforcement action that actually changes practices.

A little more unity from privacy pros wouldn’t hurt either.

Ultimately, data protection is not immune from society. As trust disintegrates around us in governments, institutions, and each other, the world of data protection does the same.

Until we can all trust each other a bit more, GDPR in practice will remain a mess.

As someone who now helps organisations who want to get it right, my advice for the path to trust remains the same. Put the individual at the centre, focus on getting to the right outcomes for them, and do right by them.

Photo credit: Alex Shute from Unsplash.