By W. Curtis Preston.
The General Data Protection Regulation (the GDPR) of the European Union may not have solved all data privacy issues in the European Union, but it has definitely cemented the all-important idea of data privacy into the world’s collective consciousness. On this two-year anniversary of the GDPR, it seemed appropriate to take a look at its goals and how well it has achieved them. In addition, there is a bit of proof that the rest of the world may finally be taking data privacy seriously as well.
The Fundamental Idea
The main idea behind the GDPR is that you — and you alone — own your personal data. This means that only you can give other entities the permission to collect this data and use it for a business purpose, after which you can revoke said access and ask them to delete that personal data.
People were concerned about giant corporations that make vast amounts of money collecting, collating, and analyzing the personal information of millions of people — and then selling or renting access to that information to other companies. The adage of “If the service is free, you are not the customer — you are the product” is very true. While the GDPR is for all companies that store personal data, it’s clear its main target was companies whose entire business model is the collection and use of personal data — such as Facebook and Google.
For the most part, these giant corporations collected this very personal information without your consent. At best, it was collected because you didn’t uncheck a box that was left checked by default (something not allowed under the GDPR). Many email lists were opt-out versus opt-in, meaning that you were added to them without your permission, and you needed to request to be removed from those lists — even though you never asked to join them in the first place.
Unsolicited emails and phone calls are one thing, but the idea that your very personal online activity was being tracked and, in turn, used to identify and market to you directly was perhaps the most insidious idea. Click on a few websites about flowers, and next thing you know, you are being emailed by various florists and seeing advertisements about online specials. It appears that even your phone is in on the game, listening to everything you say and then tailoring your ads appropriately. Talk about an invasion of privacy!
If you are a business that directly markets to citizens living in the European Union, you are subject to the GDPR, or at least that’s what it says. (Some court rulings have suggested that the commission does not have the authority to enforce the GDPR outside its borders.) This technicality, however, hasn’t seemed to stop many companies that are headquartered outside the EU from complying with the requirements of the GDPR. This is probably due to the social pressure put on said companies by their potential customers. Citizens living in the EU have started getting used to being asked for permission to collect and use their personal data, so they’re not going to take kindly to companies that do otherwise. Therefore, while the EU might not be able to legally enforce the GDPR on a company in a country that is not part of the EU, it looks like things are self-regulating in that regard.
A year ago, we wrote about the tens of millions of dollars in fines that have been levied against corporations. While there have now been many fines in the tens (or hundreds) of millions of dollars, no fine appears to have approached the maximum of 4 percent of a company’s annual turnover. That seems to be the silver bullet that the commission is saving for only the worst offenders. Having said that, there were still some huge fines, such as €123 million against Marriott and €204 million against British Airways. Looking at the list of fines from 2019, it is clear that enforcement of the GDPR is continuing to ramp up, and the size of the fine is going to be proportionate to how negligent the company was towards protecting personal data.
Still a Question About Backups
Not a single backup, archive, or snapshot product of which I am aware is able to selectively delete a record from a snapshot or a copy of structured databases such as Oracle, Salesforce, and Marketo. Despite a belief by the typical person on the street that a GDPR erasure request requires a company to erase all copies of that data, no company on the planet is able to do this in any sort of reasonable way. Yes, they could theoretically restore every backup, edit the database in question, and then back it up again. That is beyond infeasible, despite what some may say.
Two years ago, the commission told a reporter that they would soon publish additional guidance on how the GDPR views backups, but such guidance has yet to materialize. There has also been no case law that references a backup or archive in all of the GDPR fines, so that is of no help.
As someone who has specialized in backup and recovery technology for over 25 years, my opinion is that backup systems are designed to remember, and asking them to forget is asking them to go against their fundamental design and purpose. Doing so is incredibly expensive and endangers the very purpose the backups serve. This is why I am still of the mindset that companies need a business process designed to make sure people who were supposed to be forgotten do not end up being accidentally remembered by the backup, archive, or snapshot system.
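One way to implement the business process described above, as an added example that is not from the original article or any backup product: keep a ledger of honoured erasure requests outside the backup system, and replay it over every restored copy so an erased subject is not silently resurrected. The ledger, row layout and sample data are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class ErasureLedger:
    """Subject IDs the live system has already erased, with the time the
    erasure was honoured. Stored outside the backup system so it survives
    any restore (constructed example, not a real product's API)."""
    erased_at: dict = field(default_factory=dict)

    def record(self, subject_id: str, when: datetime) -> None:
        self.erased_at[subject_id] = when


def replay_erasures(restored_rows: list, ledger: ErasureLedger):
    """Post-restore step: drop every row belonging to an erased subject
    that was created before the erasure was honoured.

    Rows created after the erasure are kept: they stem from a later,
    separate consent. A row with no creation time cannot be shown to be
    newer than the erasure, so it is dropped as well.
    Returns (kept_rows, purged_row_ids).
    """
    kept, purged = [], []
    for row in restored_rows:
        erased = ledger.erased_at.get(row["subject_id"])
        created = row.get("created_at")
        if erased is not None and (created is None or created < erased):
            purged.append(row["id"])
        else:
            kept.append(row)
    return kept, purged


def demo():
    """Constructed data: one erased subject, one untouched subject."""
    ledger = ErasureLedger()
    ledger.record("subj-100", datetime(2020, 3, 1, tzinfo=UTC))
    snapshot = [  # rows restored from a pre-erasure backup plus later activity
        {"id": 1, "subject_id": "subj-100", "created_at": datetime(2020, 1, 15, tzinfo=UTC)},
        {"id": 2, "subject_id": "subj-200", "created_at": datetime(2020, 1, 20, tzinfo=UTC)},
        {"id": 3, "subject_id": "subj-100", "created_at": datetime(2020, 4, 2, tzinfo=UTC)},
        {"id": 4, "subject_id": "subj-100", "created_at": None},
    ]
    return replay_erasures(snapshot, ledger)


if __name__ == "__main__":
    kept, purged = demo()
    print(f"kept {len(kept)} rows, purged row ids {purged}")
```

Running the replay as a mandatory step of every restore runbook, and logging the purged IDs, gives an auditable record that the erasure was honoured again after the restore.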
The Collective Consciousness
There are two examples of how much the GDPR has affected the collective consciousness of the world: the California Consumer Privacy Act (CCPA) and season 3 of Westworld. CCPA is a relatively new regulation that is similar to the GDPR, with a few modifications. It adds the concept of a household to the entities whose personal data must be protected, and it is more prescriptive about the reasons a company may be allowed to keep personal data even when someone asks for it to be deleted. Several other countries have also enacted similar legislation.
Spoilers are ahead for Westworld (season 3).
Who or what was the ultimate villain of season three of Westworld? Was it Dolores, the Man in Black, or Hale? No, it was Rehoboam — the giant database tracking the personal behavior of everyone on the planet. Tracking people’s personal behavior and making judgments based on that behavior was seen as the ultimate evil that must be destroyed. I will say part of me wonders if there’s a backup of Rehoboam somewhere. Otherwise, Bernard having the encryption key to said database doesn’t make much sense. But I digress.
The GDPR is here to stay, and it’s definitely having an impact in the EU and other countries. People have started taking back control of their personal data, which was the whole point of the GDPR to begin with. Let’s see what another year of enforcement does to make things even better.