I worked through the Y2K crisis. I call it a crisis because so many of us were worried and millions, probably hundreds of millions, of dollars were spent by companies trying to ensure their software systems would work when the date changed to 2000/01/01 00:00:00. I was on call that night, celebrating the new year at home, not drinking because I was slightly worried my paranoid boss would call me in. He didn’t and there were few issues around the world in systems, perhaps because of the buildup of the crisis and lots of prep work. I went through a similar set of concerns when the Sarbanes-Oxley Act was passed in the US. Not much came of it, and companies spent a lot of time and money preparing.
Over the last two years, it has been deja vu as the GDPR moved towards the enforcement date last May. Lots of companies, including my own employer (Redgate Software) were concerned and spent time and resources getting ready. The enforcement date came, with some early complaints being filed, but few fines. Perhaps the preparation paid off, but more likely it just takes time for audits to occur and complaints to be investigated.
It appears that the first big fine has been handed down to Google. Recently the CNIL (the French data protection regulator) fined Google 50 million euros for not complying with the GDPR. Their reasoning was that Google didn’t provide enough information about their data consent policies and didn’t give users enough control. They complained that the data is spread out in many different places and too difficult to understand. Other countries are investigating, and Google is going to appeal.
Personally, the presentation and dissemination of information from Google should be top notch. That’s their job: to search, assemble, and present data. As someone that has paid for Google Apps and email, has used Google Analytics, and generally tried to understand some of the other products, I think too many engineers and not enough technical writers work at Google. I think they are surprisingly bad at making it easy to understand how to accomplish some task, including finding out some information about my account or my data. I’m not surprised that they were fined, since I think they have had an opt-out philosophy and the many different groups inside the company have considered the data gathered to belong to Google, not the human to whom it refers.
I don’t know how this will play out, but as a person, I do hope that companies will be asked to clearly disclose what data they have, how they use it, and to delete it when the business purpose is complete. I’d prefer that I had more control and understanding of my data, including the crazy cookies and other mechanisms that track my browsing across sites. While some companies use this to provide customization, there is plenty of potential for misuse here, and I’d like it to stop.
As a data professional, I’d like to have a clear understanding of how to treat and protect data. I’d prefer that we better secured it, didn’t use live data in development environments, and we built better habits as technology professionals. Data is truly an asset, and one that can easily help businesses grow, but it also has the power to be abused. I’d like that to stop with sensible rules that I can work within.
Let me know how you feel today.