Commvault GO 2018: Warped consumer expectations may evolve GDPR compliance
With five months of GDPR seeing SARs spike, and “bizarre” RTBF requests, could a new breed of compliance emerge?


The EU's General Data Protection Regulation (GDPR) has already had a noticeable effect on organisations just five months since it came into force.
Headlines have focused on a slew of companies, from Ticketmaster to Facebook, suffering massive data breaches, raising the prospect of heavy fines being levied. But while it's easy to get caught up in speculation, for the remainder of firms it's business-as-usual as they continue to reckon with what 'compliance' means, and find their feet post-25 May 2018.
With time, organisations may find that consumers' expectations will set out a new state of "compliance" that goes further than what is demanded by the letter of the law, according to Commvault's global data governance officer and GDPR guru Jo Blazey.
Before GDPR, and even now, if the public knew anything about data protection it was that businesses couldn't do anything with personal information without appropriate consent, she said. But consent is only one of the ways a business can utilise personal data - with other bases for use on the table, termed 'legitimate interests'.
"The concern now is that with public interest higher, and thinking you have to give consent to everything, will that eventually be where we will land?" Blazey says.
"That even if you don't need it - you feel you have to ask for it - because that is what your customer base is expecting to do for each use. And I feel that is something that will play out more and more."
Blazey was joined on a panel by Commvault's solutions marketing manager Matt Tryer, Laing O'Rourke's infrastructure analyst Mike Thorpe, and COOLSPIRiT's brand strategy manager Alex Raben. They were sharing their thoughts on the first few months of GDPR in hindsight at Commvault's third annual flagship Commvault GO conference, hosted this year in Nashville, Tennessee.
Access denied
Another key development from 25 May, according to Blazey, has been a "flurry of individuals raising subject access requests (SARs)". She added that her biggest concern is that compliance begins to wane with time.
"I think they did hit a higher spike than people were expecting. My sense is that it's tailed off a little bit in the same way that all the emails coming into our inboxes are tailing off," she said.
"That is possibly what scares me the most - that there has been a very long road to get to 25 May - a lot of senior stakeholder support for GDPR programmes in business - but in a way there's a view that you've got to the finishing line - and the world hasn't caved in on 26 May.
"And I think if you've spent a lot of time putting a programme in place, introducing new policies, changing cultures and the way things are done, the biggest risk is that it doesn't somehow stay high on the agenda, and I think we probably all realise there's nothing worse than having a policy, or a process, that doesn't get complied with."
Her comments reflect findings published last month that the majority of companies are failing to fulfil SARs in time. Just 35% of EU-based companies are fulfilling SARs within the legal 30-day timeframe, which is true for 50% of companies based outside of Europe, according to cloud and data firm Talend.
Know your rights
The spike in SARs Blazey referenced is mirrored in observations made by the University of Leicester's systems specialist for infrastructure Mark Penny, a Commvault customer.
Alongside a rise in 'right to be forgotten' requests, which was to be expected, he spotted a pattern of strange queries emerging.
GDPR gives data subjects the right to have organisations wipe any personal data they hold under certain circumstances, but Penny noticed a curious flurry of requests from students who were in the very process of applying to join.
"This was all new, and it was then understanding those requests that come in, whether the request is genuine, and is permitted to be a right to be forgotten," Penny tells IT Pro.
"If a student is in the process of applying to come to us, and is in the middle of that process - realistically they don't have a right to be forgotten because they are currently in a process to join the university. We did have some queries come in like this, where people who were actually in the process to apply to join us, were then asking to be forgotten."
He laughed at the phenomenon, adding these were mostly A-level students, and that the regularity for this specific kind of request was "bizarre".
Just as we may expect with a prospective increase in needless barriers of consent to data collection, the rise in invalid 'right to be forgotten' requests could be pinned on an overall rise in the level of data protection awareness, but one that is foggy and nebulous.
Indeed, the Information Commissioner's Office (ICO) earlier this year celebrated higher awareness levels around data rights than ever before among the general public. But this said little about the quality of this awareness.
The lack of true understanding, among other factors, Jo Blazey argued, may lead to companies dissociating their compliance procedures from the letter of the law, and into uncharted territory, based on what is expected of them rather than demanded.
"I think what has taken me slightly by surprise is that it has increased public awareness," she says. "People are worrying about data breaches. With everyone's inboxes getting so jammed up with companies begging to contact them, people now know there is a thing called GDPR.
"But people still don't understand what that amounts to. And I think that's a little bit of a shame if that's where it ends up landing."

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.