If you REALLY need this explaining…

We are in the age of the “savvy consumer”. The proof came in the photos of Xbox and PS4 shelves, stripped of every game after Black Friday.

Except for one.

EA Games has really messed up with the “Star Wars: Battlefront II” game.

By all accounts (I haven’t bought it), the game is riddled with micro-transactions, pay-to-play and enforced periods of waiting to move forward in the game (unless you unlock the stopwatch by purchasing additional ‘stuff’).

Apparently, the game will take either $2100 to complete via micro-transactions, or over 4,000 hours of waiting for (seemingly) arbitrary periods of time as a ransom to unlock playing.

People – lots of people – have protested long and loud about this. Paying $60 for a game should provide you with the game, not provide the game manufacturer with the opportunity to entice younger players to innocently abuse their parents’ credit cards.

Possibly worse still, the child may be humiliated in the schoolyard because they are waiting to move onto the next phase of the game, whilst their wealthier friends are moving on because parents have paid the additional fees (anything for a quiet life). Or the child has found out how to use their parents’ credit cards and the billing period hasn’t yet ended. The bill will come home and show that EA Games has been using the child as a siphon for their parents’ money, surreptitiously.

Disney, which owns the Star Wars brand, is apparently a little ‘miffed’ that their brand is being sullied, especially in the run-up to the new movie in December.

Various state regulators are looking to strengthen rules around gambling, as “Star Wars: Battlefront II” features random, paid-for, “loot boxes” which give the player tools and collectibles for the game, for a fee. This, to many minds, is gambling.

Let’s remember – “Child + Gambling = No-no!” in most nations. It hasn’t stopped EA from trying…

Perhaps, most heinously, the purchaser of “Star Wars: Battlefront II” unwraps the game, inserts the DVD and finds that the game comes without someone quite significant to the storyline.

That’s right… Darth Vader isn’t in the game as it ships..!

What does this have to do with GDPR, I hear you yawn?

It’s to do with reputation.

Very few people reading this will work for games manufacturers. That’s not the point of this article.

Most people work for an organisation which relies on a good reputation – how else do we retain good business?

EA’s reputation, at the moment, is in the gutter. The share price has fallen, games aren’t selling and those in the know metaphorically spit on the ground whenever the brand is mentioned. The Belgian government is looking into accusations that EA is operating a gambling franchise rather than a gaming franchise. Whether EA has actually broken the law, or whether the “loot boxes” turn out to be perfectly legal, is beside the point. It’s bad publicity for EA Games.

Imagine, if you will, a data breach. Something like TalkTalk. Now, the TalkTalk breach didn’t massively affect company profits, but that happened in a regulatory environment which isn’t as powerful as GDPR and isn’t overseen by other vested interests. The current Data Protection Act (1998) came as the result of an EU directive. In layman’s terms, it means that the EU pretty much said,

“We really need every state to have laws. Here’s some guidelines – sort the rest out yerself…”

The GDPR comes as a regulation which – with very few exceptions, “derogations” – is standard across the EU.

If TalkTalk happened after May 2018 then the ICO would get involved, but Chapter 7 of the regulation talks about ‘consistency’ of application across the EU, so if a German telephony provider had the same breach and was fined €8m there would be a precedent for the ICO to consider in their fining regime. It’s not a rubber-stamp along the lines of “Germany fined €8m, so here’s an €8m fine for you, TalkTalk”, but it is a compelling guide for future fines.

This is wandering into “Negatives”, mister…

Yes.

Yes it is, however, it’s an ill wind that blows somebody some good.

Imagine you have gone through all of the data mapping, the Data Protection Impact Assessments and written appropriate policies and procedures. Your IT team have put in place state-of-the-art protection for everything from a mobile phone to a server farm. To anyone looking in (if security allows them to!), your business is an exemplar of data privacy and digital protection.

In the past, this has all been “Well, it’s what is expected” and no one mentioned it outside of the IT team and the CIO.

Boasting about IT was almost like saying, “Look! Look here! Our office has walls!”

Will Marks and Spencer put out a Christmas advert about their multi-factor authentication?

Will John Lewis have a snowy, Winter scene of Father Christmas having to run a retina scan to get down a chimney?

Of course not.

But…

If a company has a major data breach, their competitors can use this as justification that they ‘care’ about their customers. Frame any positive you can think of within the parameters of the GDPR and it can and – I’m betting – will be used as evidence that Brand A is more concerned with your well-being than the recently-breached Brand B.

We care for you and your data. That’s why we take it seriously, unlike ‘others’ we could mention…

It won’t be as crass as that. It will be subtle, but it will creep into the advertising. Being a respectable custodian of customers’ data will help retain existing customers and attract new ones, too.

You might say, “Well, it hasn’t worked so far!” and you would, of course, be right.

The eyes of the media glaze over when it comes to IT security and data privacy unless there is some salacious element to it, or an embarrassing fine. This sort of breach will come more into focus after May 2018 and I can foresee Jane Hill on the BBC intoning, “Under the new data privacy regulation from Europe, the General Data Protection Regulation…” and then explaining in detail the hows, whys and ‘how muches’ of the data breach.

A tough fine will catch attention.

People will slowly, almost by osmosis, start to appreciate their rights and the responsibilities of the organisations into whose care they entrust their data (and that’s before the ambulance chasing lawyers get involved in suing for data breaches in class actions).

At that point, GDPR will be a positive marketing tool.

A company which appreciates that long-term investment in data privacy will earn it the seal of approval of a growing, better-educated market will set itself apart.

Even if that company is breached, and the ICO finds that the breach was so specific and so unforeseen, and that the organisation had done everything humanly and technically possible to prevent it, the public exposure of this “Black Swan” event will only build further trust.

If someone trusts you, they are usually happy to be in your company. They feel safe. The future is predictable around you. You have shown that you have their best interests at heart.

It may be a considerable investment in the near/mid term, but investment in data privacy will pay off in spades under a new regulation and with a new, slowly-becoming-more informed market.

Don’t forget – in four or five years’ time we will be seeing first-time home buyers who will have known no other environment under which their data resides. To be reckless with their data will be to kill off the market of the next, and succeeding, generation.

Investing in the processes, policies and technical elements of data privacy is future-proofing.

It will keep customers happy.

It will drive sales.

As time passes, it will be a considerable determinant of whether a company succeeds.

Do it now. Start beating your organisation’s chest with the news that you are trustworthy, have the customers’ best interests at heart and want to maintain their happiness.

Because? All together now:

Happy Customers = Sales

You never know – it may come in handy?

As a long-standing IT practitioner, the main thing I’ve learned over my time is – don’t trust computers.

I’m not the only person with this earth-shattering insight, to be fair. Veritas, Cheyenne, Seagate and many other companies have made a very valuable SKU from their backup software.

The IT professionals out there have made a virtue from backing up anything and everything to tape, disk or Cloud (or diskette, if you go back far enough). I can’t fault them/us for that. Computers screw up. The ferrous oxide on which we all relied for storage occasionally throws a wobbly and loses information; people sometimes find a file called “Do NOT Delete on Pain of DEATH.TXT” and… delete it.

Business has adopted the back-up as a means to protect the business. I have no argument with that, whatsoever. I’m not trying to pick a fight with storage vendors.

The problem is, with GDPR, that the “back up everything” mentality is no longer fit for purpose when it comes to private data.

Article 5 of the General Data Protection Regulation is specific about “Principles relating to processing of personal data” (being specific within the context of the regulation seems to be a rare commodity).

Article 5 (1)(e) states that personal data shall be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

Article 89 (1) states:

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

If you care to read the Regulation further, Article 89 then refers to the local derogations which can be made under Articles 15, 16, 18, 19, 20 and 21 (inclusively).

So… Unless you have a particular interest in the wording and application of the Regulation in the broadest sense, or your name is Rumpole and you work at the Old Bailey… So what?

The regulation is saying that organisations can’t keep data beyond its intended use. Under Article 5 (1)(e), if you have told a data subject that you will keep their data for one month – and you have the legal grounds to do so – you keep it for one month, end of.

End of..? Not quite. Article 89 states that if there is a public interest, statistical, scientific or research purpose behind keeping the information then you can keep the data, but it has to be on the principle of data minimisation and you need to seriously think about pseudonymising the data. A pseudonym would render my name (Mark Evans) as Citizen X, for example. All of my attributes could be used for research, as long as a concatenation of those attributes doesn’t single me out and destroy the pseudonymisation.

For example:

Pseudonymisation: Citizen X

  • Male
  • 45-54 years of age
  • Based in the West Midlands
  • Works in Data Protection and Cyber Security
  • 6ft tall
  • Bald, shaved head
  • Speaks with a Black Country accent
  • Speaks at conference
  • MBA qualified
  • Writes articles on GDPR on LinkedIn

As you can see, it doesn’t take long before pseudonymisation breaks down and I become more easily identified.
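To show how that breakdown happens in practice, here is an added example, written for this article rather than taken from it, using a small invented dataset of pseudonymised records. It counts how many records are indistinguishable from one target record on a given set of attributes: each attribute an observer adds shrinks that group, and once the group is down to one person the pseudonym protects nobody. It goes beyond the single “Citizen X” case above in that the same counting also reports the k-anonymity of the whole dataset (the size of the smallest indistinguishable group) for any attribute set. All rows, names and attribute values are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Optional, Sequence

# Constructed sample dataset: names replaced by pseudonyms, but the quasi-identifiers
# (sex, age band, region, job sector, height) kept "for research".
# Every row here is invented for illustration; none describes a real person.
RECORDS: List[Dict[str, object]] = [
    {"pseudonym": "Citizen X", "sex": "M", "age_band": "45-54", "region": "West Midlands", "sector": "Data Protection", "height_ft": 6},
    {"pseudonym": "Citizen B", "sex": "M", "age_band": "45-54", "region": "West Midlands", "sector": "Retail",          "height_ft": 6},
    {"pseudonym": "Citizen C", "sex": "M", "age_band": "45-54", "region": "London",        "sector": "Data Protection", "height_ft": 5},
    {"pseudonym": "Citizen D", "sex": "M", "age_band": "35-44", "region": "West Midlands", "sector": "Data Protection", "height_ft": 6},
    {"pseudonym": "Citizen E", "sex": "M", "age_band": "45-54", "region": "North West",    "sector": "Finance",         "height_ft": 5},
    {"pseudonym": "Citizen F", "sex": "F", "age_band": "45-54", "region": "West Midlands", "sector": "Data Protection", "height_ft": 5},
    {"pseudonym": "Citizen G", "sex": "F", "age_band": "25-34", "region": "London",        "sector": "Retail",          "height_ft": 5},
    {"pseudonym": "Citizen H", "sex": "M", "age_band": "55-64", "region": "West Midlands", "sector": "Data Protection", "height_ft": 6},
]


def equivalence_class_size(records: Sequence[Dict[str, object]],
                           subject: Dict[str, object],
                           attrs: Sequence[str]) -> int:
    """Number of records that look identical to `subject` on the given attributes."""
    key = tuple(subject[a] for a in attrs)
    return sum(1 for r in records if tuple(r[a] for a in attrs) == key)


def reidentification_ladder(records: Sequence[Dict[str, object]],
                            subject: Dict[str, object],
                            attr_order: Sequence[str]) -> List[int]:
    """Group size after each successive attribute is added to what an observer knows."""
    return [equivalence_class_size(records, subject, attr_order[: i + 1])
            for i in range(len(attr_order))]


def attributes_to_single_out(records: Sequence[Dict[str, object]],
                             subject: Dict[str, object],
                             attr_order: Sequence[str]) -> Optional[int]:
    """How many attributes, taken in order, it takes before the subject is unique (None if never)."""
    for count, size in enumerate(reidentification_ladder(records, subject, attr_order), start=1):
        if size == 1:
            return count
    return None


def dataset_k(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> int:
    """k-anonymity of the whole dataset for `attrs`: the size of the smallest indistinguishable group."""
    groups = Counter(tuple(r[a] for a in attrs) for r in records)
    return min(groups.values())


if __name__ == "__main__":
    order = ["sex", "age_band", "region", "sector"]
    citizen_x = RECORDS[0]
    print("group size as attributes are added:", reidentification_ladder(RECORDS, citizen_x, order))
    print("attributes needed to single out Citizen X:", attributes_to_single_out(RECORDS, citizen_x, order))
    for n in range(1, len(order) + 1):
        print(f"k-anonymity of dataset on {order[:n]}: {dataset_k(RECORDS, order[:n])}")
```

The point to take from running it is that the dataset as a whole hits k = 1 after only two attributes, long before Citizen X personally is singled out. A release decision should be based on the smallest group in the whole dataset, not on whether one record you happen to check still looks safe.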

So? Come on – benefits of GDPR?!

Think of the money invested in storage by most organisations. Think of the “Whoah – just in case!” data stored across any business: every byte of it has a cost. In these days of Cloud backup where the cost per GB is minuscule, guess what? There’s still a cost.

Article 4 (12) defines a ‘personal data breach’ as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Okay, so a ‘breach of security’ leading to loss, deletion, disclosure, or alteration is the key here. I’m sincerely hoping that you’re all already on the next page, here.

What type of data can’t be accidentally or unlawfully destroyed? Can’t be lost, altered, disclosed, transmitted, stored or otherwise processed?

Data which no longer exists. Data which has served its purpose and been disposed of. Data which has been lawfully destroyed.

As far as private data is concerned, the GDPR is mandating that companies achieve a lean, process-driven approach to the use and removal of the data.

Long-term storage in Amazon, Azure or whatever will be fractions of a penny per GB for some organisations.

There is an old saying, “That which is given freely is rarely valued.”

Business has long treated private data as freely given – who doesn’t want a special offer saving four pence on pasta sauce from a supermarket? – and, by letting respect for the data erode to nothing more than the money it generates, has allowed a situation where large organisations are sitting on a mountain of data which is now both an attack surface and a liability under GDPR…

  • Get rid of the data which informs you of nothing
  • Save on storage
  • Make data searches faster (less data, faster searching)
  • Make data searches on current information! Who needs to know that Citizen X bought a brand new Morris Ital in 1982 (I didn’t, but that’s data that might trip someone up, somewhere)
  • Make backup and restore operations more focussed
  • Be able to prove to the ICO, to senior managers and to shareholders that not only are you protecting the business legally, you are also looking to put a cap on the spiralling cost of storage, backup and the operational overhead of backing up and restoring data
  • Become a leaner operation
  • Know where the data is, what it is for and when it is no longer relevant
  • Remove “noise” from business decisions
  • Become an expert in your own data
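“Know where the data is, what it is for and when it is no longer relevant” is a retention register, and the Article 5(1)(e) / Article 89(1) logic above can be put into a routine that runs over it. The following is an added example written for this article, not code from it: each record carries the purpose the data subject was told, the purpose maps to a documented retention period, and a sweep either keeps the record (still within its period), deletes it (expired, no further purpose) or, where it has been flagged for statistical use, strips the direct identifiers and generalises the rest before it is kept on. The retention periods, record fields and sample customers are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule in days, keyed by the purpose the data subject was told.
# Placeholder values for illustration; the regulation itself sets no such numbers.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfilment": 30,
    "marketing_consent": 365,
}


@dataclass(frozen=True)
class Record:
    name: str                        # direct identifier
    email: str                       # direct identifier
    birth_year: int                  # quasi-identifier
    postcode: str                    # quasi-identifier
    purpose: str                     # why it was collected; drives the retention period
    collected: date
    archive_for_stats: bool = False  # flagged for statistical retention under Article 89(1)-style safeguards


def age_band(birth_year: int, year: int) -> str:
    """Generalise an exact age into a ten-year band (data minimisation)."""
    decade = ((year - birth_year) // 10) * 10
    return f"{decade}-{decade + 9}"


def pseudonymise(rec: Record, year: int) -> Dict[str, str]:
    """Keep only what statistics needs: no name or email, coarse age, outward postcode only."""
    return {
        "age_band": age_band(rec.birth_year, year),
        "area": rec.postcode.split()[0],
        "purpose": rec.purpose,
    }


def expiry_date(rec: Record) -> date:
    """When the stated retention period ends. An undocumented purpose is an error, not a default."""
    if rec.purpose not in RETENTION_DAYS:
        raise ValueError(f"no documented retention period for purpose {rec.purpose!r}")
    return rec.collected + timedelta(days=RETENTION_DAYS[rec.purpose])


def sweep(records: List[Record], today: date) -> Tuple[List[Record], List[Record], List[Dict[str, str]]]:
    """Split records into (keep, delete, archive): within period, expired, expired-but-minimised."""
    keep, delete, archive = [], [], []
    for r in records:
        if today < expiry_date(r):
            keep.append(r)
        elif r.archive_for_stats:
            archive.append(pseudonymise(r, today.year))
        else:
            delete.append(r)
    return keep, delete, archive


# Constructed sample register; every customer here is invented.
SAMPLE: List[Record] = [
    Record("A. Customer", "a@example.com", 1972, "B1 1AA", "order_fulfilment", date(2018, 4, 1)),
    Record("B. Customer", "b@example.com", 1985, "WV1 2BB", "order_fulfilment", date(2018, 5, 20)),
    Record("C. Customer", "c@example.com", 1972, "DY1 3CC", "marketing_consent", date(2017, 3, 1), archive_for_stats=True),
    Record("D. Customer", "d@example.com", 1990, "B2 4DD", "marketing_consent", date(2018, 1, 10)),
]
TODAY = date(2018, 6, 1)  # constructed "run date" for the sweep


if __name__ == "__main__":
    keep, delete, archive = sweep(SAMPLE, TODAY)
    print("keep:   ", [r.name for r in keep])
    print("delete: ", [r.name for r in delete])
    print("archive:", archive)
```

Two design points worth noting: the archive branch returns a new, minimised dictionary rather than the original record, so the identifiers do not survive by accident, and a record whose purpose has no documented retention period stops the sweep rather than being silently kept, because “we never wrote down why we have it” is exactly the data this article says should not be sitting in storage.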

There may be an argument for keeping historic data for trend analyses. Fine… Get m’learned friends in to formulate the requirement within the parameters of the regulation. Get your technical people in to formulate the appropriate security. Get HR in to own the processes for dealing with any “off piste” activity from employees around the data and its usage. Get data scientists to put the data into a context where “Citizen X” doesn’t map directly to “Mark Evans”. I foresee an opportunity for universities to gather information (with appropriate permissions from data subjects where required and contractual bases for using the university as a data processor, obviously) in order to process data on behalf of organisations… Another potential cost saving.

So… What’s the benefit GDPR brings?

A mandate for lower storage, operational and processing costs, and lower risk. More time-bound, current information. Less opportunity for data to succumb to anything in Article 4 (12).

The days of “You never know – it may come in handy?” for personal data are coming to an end.

I think people who sell storage may not be so happy, but if customers are buying less storage volume, that might prompt faster SSD uptake in the storage market, a potential money-spinner?

I, for one, will be professionally overjoyed to see organisations deleting data they no longer need. It will show a maturity of custodianship which is long overdue.