Thoughts on the GDPR

While I was eating a burrito this evening, I overheard some people talking about the effects of the General Data Protection Regulation (GDPR), which comes into force in the European Union next month.

We’ve been discussing this at work lately, as I suspect most businesses are right now, since the GDPR will have huge effects on every modern business in the EU. The service economy is going to have a nice time adjusting to the new rules. The impact will be huge, and much of what I’m hearing is that it is still pretty unclear how enforcement of this regulation is going to play out.

But since I have my doubts about even reasonable ideas being applied in a well-intentioned manner, here are a few things I think will happen:

1. A bunch of shitty lawyers are going to make a shitload of money off of frivolous lawsuits enabled by the high asymmetric penalties of the GDPR. I’m sure plenty of privacy-justice warriors are going to emerge and abuse the rules.
2. People are going to troll the shit out of this system.
3. A lot of personal data will end up being even easier to tie together using a single primary key / selector (email address, first name + last name, phone number, etc.), because companies will want a straightforward mechanism for finding and erasing everything about one person. Of course, that same key makes it easier to assemble a complete profile of each person from a company’s data if that data is compromised.
4. The big cloud players will get bigger, providing turnkey solutions to erase all data related to an individual. Scale will win the day.
5. The small players and Mom and Pop shops will struggle to comply with the GDPR, as usual, and eventually turn over more data to the big cloud players and SaaS offerings.
6. Companies might actually start adding automatic expiration to idle accounts, which would solve a huge number of data privacy issues anyway. If companies like Yahoo or Facebook actually did this, instead of juking the stats on userbase growth, a lot less data would have been lost. Simply letting accounts decay, as in the natural order of things, would eliminate huge swaths of leftover material for identity theft and sources of email spam.
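Point 3 above is the trade-off between "one key to erase everything" and "one key to join everything". The following is an added example (my own toy model, not code from any company or product mentioned in this post) showing how to get the erasure convenience without the linkage risk: a single locked-down directory maps the raw selector (email) to a random opaque subject id, and each downstream system files its records under an HMAC of that id computed with its own key. The system names, keys and records are constructed for the demo.

```python
"""Erasure keyed on an opaque subject id rather than on a raw selector.

Constructed toy model (not any real system):
  - ``directory`` is the only table that maps a raw selector (email) to an
    opaque subject id; it is the one thing you lock down and back up separately.
  - each downstream system stores records under an HMAC-derived pseudonym
    computed with that system's own key, so two leaked system dumps share no
    column to join on, and neither maps back to an email without both the
    system key and the directory.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-system keys; assumed to live in each system's own secret store.
# Values here are constructed for the demo only.
SYSTEM_KEYS = {
    "billing": b"billing-key-constructed-for-demo",
    "support": b"support-key-constructed-for-demo",
}


def system_pseudonym(system: str, subject_id: str) -> str:
    """Derive the pseudonymous key a given system files its records under."""
    return hmac.new(SYSTEM_KEYS[system], subject_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Registry:
    # raw selector -> opaque subject id (the single lookup point for erasure)
    directory: dict = field(default_factory=dict)
    # system name -> {pseudonym: [records]}
    systems: dict = field(default_factory=lambda: {s: {} for s in SYSTEM_KEYS})

    def register(self, email: str) -> str:
        """Return the subject id for an email, minting a random one if new."""
        sid = self.directory.get(email)
        if sid is None:
            sid = secrets.token_hex(16)  # random; carries nothing about the person
            self.directory[email] = sid
        return sid

    def store(self, system: str, email: str, record: dict) -> None:
        """File a record in one system under that system's pseudonym."""
        sid = self.register(email)
        self.systems[system].setdefault(system_pseudonym(system, sid), []).append(record)

    def erase(self, email: str) -> dict:
        """Fulfil an erasure request: one directory lookup, then a delete in
        every system. Returns records removed per system for the audit log."""
        sid = self.directory.pop(email, None)
        if sid is None:
            return {}
        removed = {}
        for system, table in self.systems.items():
            removed[system] = len(table.pop(system_pseudonym(system, sid), []))
        return removed


def joinable_on_shared_key(reg: Registry) -> bool:
    """Model an attacker holding two leaked system dumps but no keys: is there
    any key value present in both dumps to join on? With per-system HMACs
    there is not, even for subjects that exist in both systems."""
    return bool(set(reg.systems["billing"]) & set(reg.systems["support"]))


def demo() -> dict:
    """Run the scenario end to end and return what happened (constructed data)."""
    reg = Registry()
    reg.store("billing", "alice@example.com", {"invoice": 1})
    reg.store("support", "alice@example.com", {"ticket": 7})
    reg.store("billing", "bob@example.com", {"invoice": 2})
    return {
        "joinable": joinable_on_shared_key(reg),
        "erased_alice": reg.erase("alice@example.com"),
        "erased_again": reg.erase("alice@example.com"),
        "alice_in_directory": "alice@example.com" in reg.directory,
        "billing_left": sum(len(v) for v in reg.systems["billing"].values()),
    }


if __name__ == "__main__":
    print(demo())
```

The cost of this layout is that erasure is no longer a single `DELETE ... WHERE email = ?` across the estate; it is one directory lookup plus a fan-out to every system, which is exactly the list you have to maintain anyway to answer "where do we hold data about this person?".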

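Point 6 above, letting idle accounts decay, is simple enough to write down as a policy. Here is an added example (mine, not any company's real policy or code) of the sweep a scheduled job would run: warn after a period of inactivity, disable after a longer one, purge after a longer one still, and never purge an account under legal hold. The thresholds, the reference date and the sample accounts are constructed for the demo.

```python
"""Automatic decay of idle accounts.

Constructed policy (not any real company's): an account unused for
WARN_AFTER gets a warning, after DISABLE_AFTER it is disabled (login
refused, data kept), after PURGE_AFTER it and its data are deleted.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WARN_AFTER = timedelta(days=335)
DISABLE_AFTER = timedelta(days=365)
PURGE_AFTER = timedelta(days=395)


@dataclass
class Account:
    user: str
    last_activity: datetime            # last login or deliberate action, UTC
    warned_at: Optional[datetime] = None
    disabled_at: Optional[datetime] = None
    legal_hold: bool = False           # never purge while a hold is in place


def decide(acct: Account, now: datetime) -> str:
    """Return the action the sweep should take for this account right now."""
    idle = now - acct.last_activity
    if idle >= PURGE_AFTER:
        return "hold" if acct.legal_hold else "purge"
    if idle >= DISABLE_AFTER:
        return "keep" if acct.disabled_at else "disable"
    if idle >= WARN_AFTER:
        return "keep" if acct.warned_at else "warn"
    return "keep"


def sweep(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Apply the policy to every account in place; return who got which action.

    Purged accounts are removed from the list, not merely flagged, so the
    data really is gone after the sweep.
    """
    actions: dict[str, list[str]] = {}
    survivors: list[Account] = []
    for acct in accounts:
        action = decide(acct, now)
        actions.setdefault(action, []).append(acct.user)
        if action == "warn":
            acct.warned_at = now
        elif action == "disable":
            acct.disabled_at = now
        if action != "purge":
            survivors.append(acct)
    accounts[:] = survivors
    return actions


# Constructed reference date and sample accounts for the demo.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


def sample_accounts() -> list[Account]:
    return [
        Account("active", NOW - timedelta(days=10)),
        Account("dormant", NOW - timedelta(days=340)),
        Account("stale", NOW - timedelta(days=370)),
        Account("dead", NOW - timedelta(days=400)),
        Account("held", NOW - timedelta(days=400), legal_hold=True),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    print(sweep(accts, NOW))
    print([a.user for a in accts])
```

Two details worth keeping when adapting this: `last_activity` should only be bumped by something the person actually did (a login, not a marketing email being opened), otherwise the stats get juked again; and the sweep is idempotent, so running it twice at the same instant warns or disables nobody a second time.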
But as far as the GDPR goes, I don’t think we’re going to get any closer to having this for our in-cloud data:

Would be nice if we could do this to all of the data about us online, huh?

Anyways, maybe next time.