Privacy and GDPR

If Bruckheimer did GDPR…

Screen Shot 2018-03-07 at 10.58.49

In line with intent, it prompted a fun thread. Including Paul Gillingwater wondering out loud if the GDPR, like Y2K, would get its own movie. Who would star? What would the plot be?

Wellll…most of you good folk know I’m not shy about indulging my right brain when writing posts on here. Love a bit of creative indulgence to smooth out the analytical graft. So this was my response ref that plot with a fair wedge of straightforward truth.

If Bruckheimer did GDPR…

…or, more elevator pitchily:

Imagine if Jerry Bruckheimer and Michael Moore did a data protection themed Wolf of Wall Street meets The Big Short meets Men In Black meets Mission Impossible meets La La Land meets corporate reality.

[Caveat: No actual work went into the following, none of it is much like the films mentioned, if I have facts, dates and other stuff wrong, its artistic license, similarity to things is purely accidental and not intended to blah, blah, blah]

Setting the scene

Flying over massive data centres and diving to giant undersea pipes. Data draining down huge CGI funnels into a handful of private and government owned planet-sized buckets. Buckets that spring intentional and unintentional leaks, pouring data into cascading layers of other buckets disappearing out of sight.

Cut to the nineties and noughties operating system duopolists, social media supremos, search founders, and leviathan online shopping firm bosses. CEOs on a private island WWF style trash talking each other against a backdrop of extreme wealth and indulgence.

Cut to a Big Short style piece to camera. A brief and basic history of the attention and data land grab up to the early 2010s. Cut back to them throwing handfuls of thumb drives containing gigabytes of personal data onto a bed and rolling round on them, sitting in front of a giant bank of monitors and zooming in, Professor X style, to watch folk doing stuff in their own homes, and strutting around shouting into a mobile headset, while they negotiate the purchase of a small country…or other more realistic stuff done by mega rich folk who scooped all of our data before anyone worked out it wasn’t a great idea to give so few businesses so much power. Businesses that are so wealthy and influential they have almost no-one to answer to.

Next we fast forward. Illustrating the escalating attention and data turf war, featuring new wave social media, valuation mega bucks, IPO woes, Snowden, unimaginable wealth and equally unimaginable data oceans, Schrems, the IOT coming of age (clip of Cortana/Alexa/Siri in a red light district style tableau beckoning passers-by, cutting to marauding sheep-like herds of Mirai infected security cameras, then to internet connected pacemakers, inside chests, with flashing red DDoS lights), mobile phones communicating at broadband speeds and semi-intentionally collecting and sharing mountains of data, algorithms becoming orders of magnitude more complex and powerful, but a long way from intelligent (clip of the ‘AI’ taken down because it learned to be racist, self-driving car crash, robot fail, medical research win).

All against a backdrop of geopolitical tension, data driven social engineering to create an ever greater liberal/conservative ideological divide, and profiling to support national security, but also enforcement of immigration and other kinds of social control (animated clip of a Russian bear, American eagle, British bulldog, and Chinese panda, creating a smokescreen for worker bees then fighting to steal data honey from their own and each others’ hives).

Then there were the breaches (Yahoo bucket getting unintentionally drained of account details for most, then more, then ALL users, Wannacry beating up hospitals, plus a montage of other big data heists in the last few years) all happening over a fragile worldwide network (zoom out from an image of the USS Enterprise – but named The Internet – to see it’s actually a small scale model on the deck of an 18th Century frigate of the same name. An exhausted crew run, shout, pull on ropes, and panic because it’s taking on water and being attacked by pirates – credit to Roland Dobbins for that analogy) then fade to black.

2015

Bring the lights up on 2015. Women and men are plucked from data protection teams in the bowels of all kinds of organisations, whisked to data protection HQ, assessed, and if deemed worthy, kitted out, MiB style, with glasses, grey suits, and blue briefcases adorned with gold stars encircling the gilt letters G D P R. Their mission: to find and fix organisations who don’t do fair, transparent, and defendable data protection. Cut to a panoramic view through the top floor plate glass, determined agents standing avenger-like in the foreground. Superimposed thumbs up, thumbs down, ‘Meh’, and shock horror faces – or poo emojis? – on buildings as far as the eye can see.

Then cut to a calendar as pages flip. Oct, Nov, Dec, Jan 2016, interspersed with pictures of agents reimplated into their original organisations, others dispersing across Europe, and one or two heading further afield as illustrated on a pew pew map. Cut to agents arriving in Jetson style spaceships, descending from dark interiors and saying “Take me to your leader!” to cautiously rubbernecking natives. Then: “I am here to talk about GDPR”. Cue screaming, then running, then pausing, then bafflement. The agents step cautiously forwards, the natives jump back, but eventually, still looking unsure, they dare to shake hands.

February 2016

The Brexit referendum is announced. We zoom in on UK natives, still outside their offices, huddling round TVs in an electrical shop window, all shouting at once. The agents, despite increasingly extreme efforts, fail to grab their attention.

April 2016

The GDPR text is finalised and agents make it to reception desks. Months pass and they make it past reception, then up the stairs to higher and higher floors, using increasingly Mission Impossible-ish tactics, while sharp suited big 4 bods look down grinning from the express glass elevators.

June 2016

The UK referendum. Cue montage of stunned silence Vs flag waving and cheering. UK corporations immediately catapult agents Road Runner style out of windows. “You still need to complyyyyyyyy!” screams one unfortunate agent as he plummets to his death.

July 2016

Incursion attempts resume. Cut to US corporate bosses laughing hysterically at the agents who made it stateside pressing their noses up against the glass. Then cut to the presidential election result and back to one portion of execs still laughing, while the other looks like someone just shot their dog.

May 2017

A year to G-Day. A few pairs of GDPR agents are already hard at work in offices, or sat with bosses finalising plans. Others are just making to the top floor. They burst into boardrooms and deliver their message. For some, a warm welcome, hands shaken, and an invitation to sit. For others, complete silence, then the wall slides open and gun-toting automata stomp out. Agents are mowed down, Robocop style, by machines they suspect (but can’t prove), are controlled by the marketing team.

Sept 2017

Execs are hounded paparazzi-style by hoards of vendors and consultants in sharp suits. Cut to LA LA Land style travelator scene. Surviving agents are running against the direction of travel, getting nowhere, with a scrolling backdrop of nastiest GDPRubbish and GDPRmageddon-ish click bait. Many slow, some stumble, and a few fall.

Present day

Some execs are hiding behind doors with their fingers in their ears chanting “La La La”. Visibly rocking back and forth while brochure wielding sales folk try to break in. Some are standing at the railing of their super yachts, smoking cigars and waving at the agents onshore, disappearing from view. Some (from the machine defended boardrooms), are seen at hospital bedsides. Humbly asking bandaged agents what they need to do, though a marketing exec is dressed like a ninja and hiding under the bed with a loaded syringe. Others are well on the way, or most of the way there with work that had to be done. Mainly the folk who had agents on staff before the whole GDPR thing kicked off.

Meanwhile…

Panning away out of the window to a street scene with car drivers, cyclists and pedestrians, including a group of pre-schoolers, highlighted in digital squares and labelled with their name, address, and national ID number. Squares coded red/amber/green to reflect the assessed threat level, thanks to real-time face and gait recognition correlating with historically accumulated surveillance data.

Fly across into a flat where a woman is asking Alexa about symptoms of depression, while in the bedroom her husband is logging onto Facebook with the same email address and password he then uses to log onto Paypal. Then through the wall into the next flat, where a stereotypically muslim teenager is searching for information on ISIS, because he’s curious about the terrorist group he’s constantly accused of being a part of, panning to the front of his house we see “Go home ragheads” spray painted on the door. Moving on to a tween in the next flat who’s just got a WhatsApp message telling her she’s so ugly she’d be better off dead, next to a message from a boy.  The camera dives through the boy’s avatar to reveal a 50 year old man at a laptop in a dark room with pictures of kids on the wall. He’s sympathising and saying perhaps it’s time to meet in real life so he can give her a hug to cheer her up.

Swing over to a baby being walked in a pram outside. Facial recognition tells us her name, address, age. It records her image, and as she grows, it refreshes the image, analyses her gait, and records ear shape, among other identifying biometrics. Siri records her voice print, laugh, and personality profile based on daily interactions. As a medical backstop her mother stored cord blood with a medical service provider, so she could have easy future access to her stem cells. The supplier got unnoticed default consent in the contract to create a genetic profile and share it. That data is intentionally leaked to a number of smaller buckets belonging to other 3rd parties.

23860032 - water is coming out of a bucket with holes

Travel down the wires to the huge data centres pictured at the start. Back down, via the CGI funnels into the planet-sized buckets, then through a hole into a smaller bucket. Dive in and the binary resolves into a desk in a secret service listening post. Key word ISIS flashes up and a flag is put on the account. Move to another office. They pick the flag up and trace originators of his search results to a faction radicalising children who are then effectively neutralised, but the boy is permanently labeled a threat. In another smaller bucket are darknet lists of reused credentials. There’s a Bitcoin transaction and the purchaser gets a letter to his home enclosing a credit card in the name of the careless Paypal user. Cut to the account owner going to pay with Paypal and finding out he can’t log on, then there’s an SMS from the bank to tell him a mortgage payment was missed.

Via another sub-bucket, an Insurer is reviewing the latest update from their social data broker. There’s a new flag for depression against a medical policy holder. After matching the information to other data scraped from public social media sources, and browsing data, they significantly increase her health insurance premium. Their broker goes on to share the same data with hundreds of other customers including Employer Inc. Swing away to watch an HR contact at Employer inc spot the depression flag on the data broker report. Cut to the woman opening a letter from Employer Inc. informing her she didn’t get the promotion she applied for.

Into another bucket and the police identify the abusive catfisher behind the teenage WhatsApp profile. They knock down his door at dawn and cart him away, but in her room the tween girl is buried under a mountain of relentless abuse she doesn’t know how to cope with or stop. Her eyes slide to the scissors on her night stand, then down to pre-existing scars on her arms.

Into another bucket filled with leaked data, again in the darker parts of the web, where a pristinely clean and complete set of infant data is being sold at a premium. Pan to a bedroom 18 years in the future, where a girl is dressed smartly and heading for the door. Data collected years before ended up with multiple 3rd parties with different attitudes to data protection. Illustrated by data seen flowing from the original neonatal stem cell company to a bucket labelled Genetic Data Mart, and a Genetic Data Mart employee downloading Baby X’s data to a thumb drive, then posting it to the lucky buyer.

The baby, now grown into the well-dressed young woman, goes to open a bank account and finds out her identity, including her biometric information, and her genetic fingerprint has been stolen and used by criminals. She is credit blacklisted and flagged as a fraud risk with pretty much every organisation she will ever want to interact with. In addition certain genetic predispositions to illnesses, character traits, and capabilities have been leaked to the highest bidder, so career prospects and other interactions with the world are limited and biased before she even considers looking for a job.

Flashback

1518128638636

Fast rewind to the agents bursting into boardrooms. What will they really find? Is it as bleak as it’s painted? Decades old data protection laws already set out rules prohibiting most of the wrongdoing dramatically summarised and imagined here, but where was the stick? Where was the carrot? Most firms caught out barely felt the gentle slap on their incredibly thick-skinned and expensively defended wrists.  Where was the inducement to be transparent about planned data use, properly protect data, report breaches, and genuinely respect the rights and freedoms of the data subjects who provide the lifeblood running through their institutional veins?

Legal, transparent, fair, proportionate. Use limited, accuracy defended, integrity protected, confidentiality respected. Recourse to see what they hold, to say STOP, to say no, to say forget it and go. AND (this is the biggie in the GDPR world), prove you can do all that, AND prove it’s getting done.

Will it all be a dream?

Most folk believed, or at least hoped you already did all this, a hangover from the days of face to face respect and carefully considered communication. Most organisations with customers have mission statements and objectives aspiring to it all, but the information age and real or aspirational data monetisation dragged us wide-eyed past the time, effort, and outlay needed to build commensurate checks, balances, and controls. So these are mutually valued rights and principles worthy of voluntary change, things ever increasingly prioritised by virtual customers today. So what will it be? We’ll have to wait and see.

Irregardles of the outcome, good agents continue to work incredibly hard on behalf of you and me. Nudging strategy, culture, and controls around to where they need to be. But where there’s wilful disregard for what we all hold dear, what will be done? Will the regulators be well enough politically insulated and funded to create a useful level of deterrence, or will the attention grabbing 4% revenue stick end up blunted like credibility of the boy who cried wolf? We all sincerely hope the answer is ‘NO’.

Pan out to an image of the world with major communication links overlaid like neural pathways. A double decker red bus, as parody of the Tesla car, appears and orbits. When front and centre, the camera focuses in on the slogan “We send the EU £350 million a week” that morphs into “Your privacy is important to us”, and finally “Nothing to hide, nothing to fear”.

THE END


Next up (if folk don’t darn well get their data protection act together):

DeadPool GDPR

Want to add to the discussion?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.