August 2017

Big Data is in Big Trouble, Starting in the EU
How the EU’s GDPR Threatens to Destroy Big Data Initiatives and Business Opportunities, in the EU and Elsewhere

Stratecast Analysis by Jeff Cotrupe
Big Data and Analytics (BDA)
Volume 5, Number 3

BDA 5-03, August 2017 © Stratecast | Frost & Sullivan, 2017

Introduction1

Governments around the world, reacting to the failure by much of the private sector to adopt (or follow) meaningful privacy reforms, have for more than a decade sought to ramp up their involvement in privacy matters. One example is the EU’s Data Protection Directive (DPD), established in 1995. As we have previously analyzed, the DPD, which is still in effect, is a fairly comprehensive public sector approach to privacy.2 In contrast with the patchwork quilt of privacy regulations covering various industries and scenarios in the US, the DPD is a cohesive set of standards governing privacy across an entire world region.

In the view of the EU, however, the DPD was no longer sufficient to protect the privacy of EU citizens. So, in order to “…protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established,” the EU expanded those privacy protections with its General Data Protection Regulation (GDPR).3 The EU Parliament approved the GDPR in April 2016. To allow the region and the world to adjust to the sweeping changes it contains, the EU established a two-year acclimation period, and will begin enforcing the GDPR on 25 May 2018.

This Stratecast report offers our assessment of the content and impact of the key provisions of GDPR, in the EU and around the world. Included in each assessment is our determination of whether the impact of the provision is a net positive or a net negative on the ability of organizations to leverage big data; and by implication, on economic growth, first in the EU, and then through ripple effects across the rest of the world.

The EU’s GDPR Radically Expands its DPD

The EU identifies those collecting and analyzing data as Data Controllers and Data Processors, and the consumers (users, citizens) whose data is being harvested as Data Subjects. The GDPR substantially extends (although in some cases actually simplifies or consolidates) provisions contained in the DPD. The net effect of this action by the EU is the most comprehensive set of privacy protections ever enacted into law. We give GDPR a mixed review: some provisions quite positive, some quite negative, and others in between. The main content of this report provides a point-by-point analysis of the key provisions contained in the GDPR.

1 In preparing this report, Stratecast conducted interviews with representatives of 10 organizations. Please note that the insights and opinions expressed in this assessment are those of Stratecast, and have been developed through the Stratecast research and analysis process. These expressed insights and opinions do not necessarily reflect the views of the company executives interviewed.
2 Stratecast, BDA State of the Market: Privacy (BDA 4-01, March 2016), available here
3 EUGDPR.org, GDPR Key Changes, available here


The GDPR: A Provision-by-Provision Assessment

We take no issue with the key provisions of the GDPR outlined in Figure 1 with regard to Consent, Right to Access, and Breach.

Figure 1: Overview of EU 1995 DPD and Impact of GDPR; Key Provisions 1-3

1. CONSENT
   Under 1995 DPD:
   • Individuals must unambiguously (definitively) give consent to data collection.
   • Personal data must be used solely for specified, explicit, legitimate purposes.
   Impact of GDPR when enforcement begins in 2018:
   The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

2. RIGHT TO ACCESS
   Under 1995 DPD:
   • Data subjects have the right to: know who controls their data; know the recipients of their data, and the purpose of the processing; have inaccurate data rectified; have recourse in the event of unlawful processing; and withhold permission to use data in some circumstances.
   • Individuals should be informed before their personal data is disclosed to third parties for the purposes of direct marketing.
   • Individuals have the right, for a modest fee, to ask any company to send details about what data it holds about them, and what the data is used for; and to obtain these files within one month.
   Impact of GDPR when enforcement begins in 2018:
   The right for Data Subjects to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the Controller shall provide a copy of the personal data, free of charge, in an electronic format.

3. BREACH
   Under 1995 DPD:
   If individual financial data has been compromised, the impacted financial institution must inform government regulators within three days of discovering the security breach.
   Impact of GDPR when enforcement begins in 2018:
   Breach notification becomes mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach.

Sources: GDPR.org and Stratecast

1. The provision with regard to CONSENT requires that the request for consumer consent to data collection and usage must be rendered in an intelligible and easily accessible form, with the purpose for data processing attached to that request. This is simply in keeping with common-sense privacy-respecting principles, as we have analyzed recently,4 calling for those collecting user data to help users clearly understand what data they are sharing and what those collecting that data intend to do with it. This provision also responds to research showing that it would take nearly a month of full 24-hour days for the average consumer to actually read the miles of legalese thrust at them in order to obtain various apps and services in a typical year.5 Complying with this requirement is not an impossible task; in fact, a model already exists in the form of the Plain Vanilla regulation in the financial services industry. That regulation requires banks and financial institutions to describe their products and services in clear, simplified language so consumers can understand what they are agreeing to.6 There is no excuse for organizations in the private and public sectors not to begin doing the same.

4 Stratecast, We Have Seen the Future of IT, and it is Big Data, Part 2: A Blueprint for Privacy, in the IoT and Everywhere (BDA 5-02), July 2017, available here
5 The Atlantic, Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days, available here

ASSESSMENT: NET POSITIVE

2. The provision regarding RIGHT TO ACCESS simply says that consumers have the right to know if an organization is collecting data about them; if so, to what end; and to obtain a copy of their own data from the organization. The only nit we have to pick with this provision is that it duplicates some of what the Consent provision already sets forth. However, neither of these first two provisions even goes so far as to say that those collecting consumer data may not do so; at their core, they are about transparency. Some organizations may find it somewhat arduous to ramp up customer support organizations in order to provide rapid response (and rapid data outputs) in response to Right To Access requests; but in our view, they should have done so long ago—right around the time they began collecting and using personal data.

ASSESSMENT: NET POSITIVE

3. The provision with regard to BREACH is in keeping with what many financial institutions are already practicing with regard to financial data breaches—but, importantly, extends it to all organizations, and makes it applicable not just to financial data but to all personal data. This one is going to be a shock to some organizations, requiring them to ramp up systems and processes to fast-track notification not just to customers but to anyone whose data they are collecting. We contend that the fact that some industries, most notably financial and healthcare, currently operate with privacy requirements that other industries do not, is an artifact of the United States’ patchwork-of-regulations history, and is not the optimal model. We believe that no longer allowing other industries to sidestep responsible management of personal data is a positive step, albeit one that some will find challenging.

ASSESSMENT: NET POSITIVE

6 Stratecast, Financial Services Digital Marketers: Four Opportunities to Improve the Customer Experience (BDA 3-05, June 2015), available here


We give the next four key provisions of the GDPR, as outlined in Figure 2, mixed results.

Figure 2: Overview of EU 1995 DPD and Impact of GDPR; Key Provisions 4-7

4. RIGHT TO BE FORGOTTEN/DATA ERASURE
   Under 1995 DPD:
   • ‘Right to be Forgotten’: individuals have the right to have Google and other search engines remove links they do not like (e.g., that represent them in a negative light) and thus stop those links from showing up in search results.
   • Data subjects have the right to withhold permission to use data in some circumstances.
   Impact of GDPR when enforcement begins in 2018:
   Entitles the Data Subject to have the Data Controller (any company) erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or simply the data subject withdrawing consent.

5. PRIVACY BY DESIGN
   Under 1995 DPD (related provision; the GDPR provision is new):
   Data must not be stored for longer than necessary, and must be used solely for the purposes for which it is collected.
   Impact of GDPR when enforcement begins in 2018:
   Calls for the inclusion of data protection from the onset of BDA system design, rather than as an addition or afterthought. The Data Controller shall implement appropriate technical and organizational measures in an effective way to meet the requirements of this regulation and protect the rights of data subjects. Controllers must hold and process only the data absolutely necessary for the completion of their duties,7 and must limit access to personal data to those who actually need it to perform the processing.

6. DATA PORTABILITY
   Under 1995 DPD: no equivalent (new under GDPR).
   Impact of GDPR when enforcement begins in 2018:
   The right for Data Subjects to receive the personal data concerning them, which they have previously provided, in a commonly used and machine readable format, and the right to transmit that data to another Controller.

7. DATA ON ETHNICITY/AFFILIATIONS/ETC.
   Under 1995 DPD:
   It is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation (subject to a list of exceptions, the data subject’s explicit consent among them).
   Impact of GDPR when enforcement begins in 2018:
   Remains in effect under GDPR.

Sources: GDPR.org and Stratecast

1. The provision regarding RIGHT TO BE FORGOTTEN/DATA ERASURE creates grey areas and technical challenges that may prove unworkable for all:

• In one way, this provision is similar to the Breach provision, in that it takes a concept from the DPD pertaining to one industry and applies it to all industries. However, while we believe the Breach provision is a welcome development, we take serious issue with this one. The DPD provision with regard to Data Erasure applied, or was being applied, mainly to things like Google. Even if applied solely to Web searches, however, that requirement left Web providers at the mercy of a user’s subjective opinion regarding potentially any piece of content online, in that a user did not have to prove falsehood or harm. Beyond this, the DPD provision also introduced technical complexity in the form of the content tagging and other processes required to implement data erasure from a technology standpoint. Some observers who accuse Google of suppressing certain search results for partisan political purposes in the US would argue that suppressing certain data is certainly not a stretch for Google. However, imposing this same requirement on all businesses that collect data about citizens in the EU imposes an extreme burden on companies seeking to use data they may, in fact, own.

7 Known as data minimization

• Further, there is the issue of privacy contamination: suppose information, perhaps a photograph, which a consumer decides must be erased, is a picture that shows not only that consumer but also other people? Which party gets to decide whether that content must be erased? Or what if the information a consumer decides must be erased gets used in conjunction with other corporate data in order to develop a product or service; is the balance of the data used in that process now subject to erasure as well? We believe this provision is possibly the textbook definition of the phrases ‘a slippery slope’ and ‘the law of unintended consequences.’ And rather than simply being relegated to the scrap heap of history, this provision could cost companies massive amounts of money chasing a nebulous, impossible-to-specify privacy ideal.

ASSESSMENT: NET NEGATIVE

2. The provision regarding PRIVACY BY DESIGN is sound, in our view:

• Requiring companies to implement “appropriate technical and organizational measures” to protect privacy is sufficiently nebulous that it may be hard for the EU to pin companies down as to whether they are complying with this.

• Requiring that Data Controllers must hold and process only data that is essential to their business processes—and must expose personal data only to those in their organizations who directly need to work with the data—seems not only reasonable but reflecting basic human intelligence in this privacy-conscious era.

• This provision mirrors the best practices called for by representatives of commercial solutions providers, and one of those who invented the technologies that have evolved into the IoT, in our recent analysis.8

• This provision also mirrors the guidelines recently established in the US by the National Institute of Standards and Technology (NIST) with regard to building privacy protections into any data-impacting project for the federal government.9 The US deserves kudos for being the only nation yet to take a hard look not just at what private sector companies are doing with regard to privacy, but also at whether its own projects measure up in that regard. Particularly since the GDPR does not establish a hard-and-fast obligation to redesign existing systems, but to architect systems with privacy in mind going forward, we believe there is no reason all parties cannot do the same.

8 Stratecast, We’ve Seen the Future of IT, and it is Big Data, Part 1: Will IoT Privacy Issues Steal the Future? (BDA 5-01, June 2017), available here
9 NIST, An Introduction to Privacy Engineering and Risk Management in Federal Systems, available here

ASSESSMENT: NET POSITIVE
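As an added illustration of the “appropriate technical and organizational measures” this provision asks for (example code written for this edit, not part of the report and not any vendor’s product), the Python below enforces three of the things the provision names: each processing purpose receives only the fields it needs, a role may invoke only the purposes it is entitled to, and records older than the retention limit for a purpose are purged. The identifier handed to analytics is a keyed hash (pseudonymisation), so an analyst can still count orders per customer without holding the customer’s identity. The policy tables, field names, retention periods, key and sample records are all assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Policy tables below are assumptions constructed for this example.
# Fields each processing purpose may receive; anything not listed is withheld
# from that purpose (data minimisation at the point of access).
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "name", "postal_address"},
    "billing": {"customer_id", "email", "card_last4"},
    "analytics": {"customer_id", "country", "order_total"},
}

# Fields a purpose may see only in pseudonymised form.
PSEUDONYMISED = {"analytics": {"customer_id"}}

# Maximum retention per purpose (assumed values).
RETENTION = {
    "order_fulfilment": timedelta(days=90),
    "billing": timedelta(days=7 * 365),
    "analytics": timedelta(days=30),
}

# Purposes each role may process for (assumed). The analyst role cannot reach
# billing fields even though both projections run against the same record.
ROLE_PURPOSES = {
    "warehouse": {"order_fulfilment"},
    "finance": {"billing"},
    "analyst": {"analytics"},
}


class AccessDenied(Exception):
    pass


def pseudonym(value, key):
    """Keyed hash: analytics can still group records by customer, but without
    the key the output cannot be reversed or recomputed from a guessed id."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def project(record, purpose, role, key):
    """Return only the fields `purpose` is entitled to, pseudonymising where
    the policy says so, and refuse outright if `role` may not use `purpose`."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        raise AccessDenied("role %r may not process for purpose %r" % (role, purpose))
    out = {}
    for field in PURPOSE_FIELDS[purpose]:
        if field not in record:
            continue
        value = record[field]
        if field in PSEUDONYMISED.get(purpose, set()):
            value = pseudonym(str(value), key)
        out[field] = value
    return out


def is_denied(record, purpose, role, key):
    """True if the policy refuses this role/purpose combination."""
    try:
        project(record, purpose, role, key)
    except AccessDenied:
        return True
    return False


def is_expired(record, purpose, now):
    collected = datetime.fromisoformat(record["collected_at"])
    return now - collected > RETENTION[purpose]


def purge(records, purpose, now):
    """Keep only records still inside the retention limit for `purpose`."""
    return [r for r in records if not is_expired(r, purpose, now)]


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Example", "email": "a@example.org",
     "postal_address": "1 Rue Exemple, Paris", "country": "FR",
     "card_last4": "4242", "order_total": 120.0,
     "collected_at": "2018-05-01T10:00:00+00:00"},
    {"customer_id": "C-1002", "name": "B. Example", "email": "b@example.org",
     "postal_address": "2 Example Str., Berlin", "country": "DE",
     "card_last4": "0005", "order_total": 45.5,
     "collected_at": "2018-01-15T10:00:00+00:00"},
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
KEY = b"example-pseudonymisation-key"  # assumed; in practice from a KMS, rotated per policy

if __name__ == "__main__":
    print(project(SAMPLE_RECORDS[0], "analytics", "analyst", KEY))
    print(is_denied(SAMPLE_RECORDS[0], "billing", "analyst", KEY))
    print(len(purge(SAMPLE_RECORDS, "analytics", NOW)))
```

The point of putting the policy in tables rather than in the query code is that the list of fields a purpose may see, and for how long, becomes something that can be reviewed and versioned alongside the impact assessment the GDPR also asks for, instead of being rediscovered by reading every report query.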

3. The provision with regard to DATA PORTABILITY duplicates part of the Right To Access provision with regard to consumers’ right to receive their personal data from those collecting it; we have no issue with that other than that it appears redundant. We also have no issue with a consumer’s right to receive this data from one company in a “commonly used and machine readable format,” and to transmit that data to another company. If, however, the EU were to construe Data Portability as an obligation by companies collecting data on EU citizens to electronically transmit said personal data to any other company of the citizen’s choosing, that raises red flags (the regulation’s own text limits direct controller-to-controller transmission to cases where it is “technically feasible,” but how broadly that qualifier will be read is not yet known):

• On the surface, this provision sounds simple enough; but the only way to achieve this while ensuring the privacy of all of this personal data in motion—consumers’ personal data being transmitted between companies—would be to establish an EU-wide personal data-sharing system to which every company doing business in the EU would have to integrate its internal systems. The irony is that the success of hackers at accessing systems of all types10 makes it likely that such an EU-wide system would be compromised, thereby exposing the personal data of the vast majority of EU citizens to identity theft and fraud on a massive scale.

• If the EU has an EU-wide data sharing system in mind to enable electronic, automated data portability, there is some precedent for this in the Local Number Portability (LNP) and Mobile Number Portability (MNP) initiatives implemented in the US and many nations worldwide, whereby customers can switch communications service providers (CSPs) and take their existing phone number with them. However, the logistics and cost associated with these exercises have been massive, and are ongoing—and this took place in telecom, where CSPs share common frameworks and, often, common technologies, with the chance to synergize frameworks and technologies in industry groups such as the TM Forum. This eased the integration processes needed to provide LNP and MNP. Imposing a similar initiative on companies of every type, with widely varying technology footprints—and with the only commonality being that they all collect data on citizens of the EU—would be, if not impossible, incredibly arduous.

10 Information is Beautiful, World’s Biggest Data Breaches, available here


• Other challenges inherent in this situation are identity fraud and impersonation. How does the Data Controller confirm that the person requesting personal data is truly who he or she claims to be? It could be someone who has taken over the Data Subject’s account and is posing as that person in order to obtain the Data Subject’s personal information. Another risk: if an attacker can automate data requests, might they be able to flood the Data Controller’s processing infrastructure, with an impact similar to a DDoS attack? Of these two risks, the identity fraud risk is likely the greater and the more onerous in terms of putting technology and practices in place so the request process works with integrity. Set the bar too high on proving and confirming identity, and the process becomes more expensive for Data Controllers and more inconvenient for Data Subjects; set it too low, and fraudsters operate with greater ease.

ASSESSMENT: NET NEGATIVE
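The two risks in the last bullet, impersonation and request flooding, are the ones a request endpoint has to handle together. The Python below is an added example written for this edit (not from the report, and not any particular vendor’s implementation) of one way to do so: every request is throttled per subject and per source address before any work is done, and the export is released only after the requester returns a one-time code bound to that specific request, which is meant to be delivered over a channel an attacker holding a hijacked web session does not control. The limits, the in-memory stores, the key and the IP addresses are assumptions; a production system would persist the state and actually send the code out of band.

```python
import hashlib
import hmac
import secrets
from collections import deque

# Policy values are assumptions for this example.
CODE_TTL = 15 * 60             # seconds a verification code stays valid
MAX_ATTEMPTS = 3               # wrong codes before the request is discarded
PER_SUBJECT = (3, 24 * 3600)   # requests per subject per day
PER_SOURCE = (100, 3600)       # requests per source address per hour


class SlidingWindow:
    """Per-key event counter over a trailing window; rejects once `limit`
    events have been recorded inside the window."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = {}

    def allow(self, key, now):
        q = self.events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class PortabilityService:
    """Two-step flow: open a request (throttled, issues a one-time code bound
    to that request), then confirm with the code to release the export."""

    def __init__(self, key):
        self.key = key
        self.pending = {}      # request_id -> state
        self.by_subject = SlidingWindow(*PER_SUBJECT)
        self.by_source = SlidingWindow(*PER_SOURCE)
        self.exported = []     # subjects whose export was released

    def _digest(self, request_id, code):
        msg = ("%s:%s" % (request_id, code)).encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def open_request(self, subject_id, source_ip, now):
        """Returns (request_id, code) or (None, reason). The code must be
        delivered over a channel the web session does not control (assumed
        here: a phone number or postal address already on file), so a stolen
        session alone cannot complete the request."""
        if not self.by_source.allow(source_ip, now):
            return None, "rate_limited_source"
        if not self.by_subject.allow(subject_id, now):
            return None, "rate_limited_subject"
        request_id = secrets.token_urlsafe(16)
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[request_id] = {
            "subject": subject_id,
            "digest": self._digest(request_id, code),   # the code itself is not stored
            "expires": now + CODE_TTL,
            "attempts": 0,
        }
        return request_id, code

    def confirm(self, request_id, code, now):
        """Returns one of: unknown_request, expired, bad_code, locked, exported."""
        state = self.pending.get(request_id)
        if state is None:
            return "unknown_request"
        if now > state["expires"]:
            del self.pending[request_id]
            return "expired"
        state["attempts"] += 1
        if not hmac.compare_digest(state["digest"], self._digest(request_id, code)):
            if state["attempts"] >= MAX_ATTEMPTS:
                del self.pending[request_id]
                return "locked"
            return "bad_code"
        del self.pending[request_id]
        self.exported.append(state["subject"])
        return "exported"


if __name__ == "__main__":
    svc = PortabilityService(b"example-key")
    rid, code = svc.open_request("subject-1", "203.0.113.5", 0.0)
    print(svc.confirm(rid, "000000" if code != "000000" else "999999", 1.0))
    print(svc.confirm(rid, code, 2.0), svc.exported)
```

Binding the code to the request id, storing only its keyed digest, and capping attempts are what keep the per-request secret from being brute-forced or reused; the two sliding windows are what stop a scripted attacker from turning the endpoint into a self-inflicted denial of service, and they run before any identity check so that the expensive part of the flow is never reached by a flood.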

4. The provision regarding DATA ON ETHNICITY, AFFILIATIONS, and similar characteristics appears, on the surface, to be a no-brainer; of course we would not support data usage that uses personal characteristics and closely-held choices or beliefs to negatively impact consumers (users, citizens). However:

• This provision does not say that. It says “it is forbidden to process” personal data revealing these things: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation. Both the DPD and the GDPR attach a list of exceptions to that prohibition, the data subject’s explicit consent among them, but the default is prohibition.

• Human beings in most developed nations have been routinely sharing some of this information since birth (or having it shared on their behalf) with health providers, career databases, census takers, and other government agencies—and, for example, every time they apply for a job.

• Some of these forbidden personal data components are precisely what marketers need in order to truly tailor offers in order to make them relevant. Some are highly personal and unchangeable, and go to the core of who a person is. Others are valuable in terms of gaining behavioral insights, addressing the desire of many that companies not paint them with a broad brush by marketing to them based on high-level, mass-market demographics.

This provision does support the principle outlined in our recent analysis,11 which says data transparency and ethical usage are not enough; that mere data collection itself is a problem, and that privacy needs to start there. However, cleansing databases of all of these types of information—and hoping the organization gets it right by covering all possible relevant forbidden data, under pain of massive privacy penalties—is going to be onerous for most, and unnecessarily so.

ASSESSMENT: NET NEGATIVE

11 Stratecast, We’ve Seen the Future of IT, and it is Big Data, Part 1: Will IoT Privacy Issues Steal the Future? (BDA 5-01, June 2017), available here


With the final three key GDPR provisions, as shown in Figure 3, our reviews are not mixed; they are negative across the board, for the reasons given.

Figure 3: Overview of EU 1995 DPD and Impact of GDPR; Key Provisions 8-10

8. PENALTIES
   Under 1995 DPD (related provision; the GDPR penalty regime is new):
   Any person who has suffered damage as a result of an unlawful processing operation is entitled to compensation from the liable data controller.
   Impact of GDPR when enforcement begins in 2018:
   Organizations in breach of GDPR can be fined up to 4% of annual global “turnover” (revenue) or €20 million (currently $22.38 million), whichever is greater, for what the EU terms the most serious privacy infringements, such as:
   - Not having sufficient customer consent to process data
   - Violating the core of Privacy by Design concepts
   Organizations can be fined up to 2% of annual global turnover or €10 million, whichever is greater, for things the EU considers less serious infringements, including:
   - Not having their records in order12
   - Not notifying the supervising authority and data subject about a breach
   - Not conducting an impact assessment (how their collection and use of data will impact users/citizens)
   These rules apply to both Controllers and Processors, so cloud providers are not exempt from GDPR enforcement.

9. INCREASED TERRITORIAL SCOPE
   Under 1995 DPD (related provision; the GDPR extension is new):
   Territorial applicability centers on data processing within the context of an establishment. The topic has arisen in a number of court cases.
   Impact of GDPR when enforcement begins in 2018:
   Extends jurisdiction of the GDPR to all companies that process the personal data of Data Subjects residing in the EU, regardless of where the companies are located or where the data processing occurs. In other words, any organization on the planet, processing data anywhere on the planet, must comply with the GDPR. Businesses located outside the EU that are processing the data of EU residents must appoint a representative in the EU.

10. ESTABLISHMENT OF DATA PROTECTION OFFICERS
   Under 1995 DPD (related provision; the GDPR provision is new):
   Data controllers are required to register their data processing activities with local Data Protection Authorities (DPAs), which can be difficult given varying notification requirements across EU member states.
   Impact of GDPR when enforcement begins in 2018:
   It is no longer necessary to submit notifications/registrations of data processing activities to each local DPA, nor to provide other notifications to DPAs. Controllers and Processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, must instead appoint a Data Protection Officer.

Sources: GDPR.org and Stratecast

1. The provision regarding PENALTIES is intended to show the world the EU means business when it comes to privacy; but its unintended consequence might be to show the world the EU means ‘no business’. Potential fines for organizations the EU deems to be most seriously in breach of the GDPR of “up to 4% of annual global turnover [revenue] or €20 Million (currently $22.38 million), whichever is greater,” would put a dent in the finances of even the largest organizations, and could put small to midsized companies out of business. Our recent analysis decried the relatively small penalty paid by global electronics powerhouse Vizio.13 So, on balance, the substantial penalties specified in the GDPR could be seen as a step in the right direction. However, the scope of the penalties is only part of the equation in any regulatory scenario:

12 A reminder of too many movies about harrowing border crossings: “Your papers are not in order…”

• The suitability of the regulations to which the penalties are attached is the other part. In the case of the GDPR, we take issue with most of its provisions, and have serious concerns about the arbitrary nature of some of those provisions; as well as how the EU appears to be poised to make decisions about how penalties are levied. That being the case, any set of financial penalties might be unacceptable in the GDPR’s current configuration.

• These penalties might accurately be perceived as yet another tax on companies trying to do business in the EU, since it may be difficult or impossible for any company to be able to guarantee its compliance.

• The penalties also raise the question of how the EU intends to enforce compliance with the GDPR; i.e., what judicial and enforcement body will ‘bring privacy offenders to justice’, and collect on the penalties?

ASSESSMENT: NET NEGATIVE

2. The provision regarding ESTABLISHMENT OF DATA PROTECTION OFFICERS appears, on the surface, to be the most positive in the lot. It remedies the existing issue whereby all companies had to notify separate local Data Protection Authorities (DPAs) throughout the EU of their data processing activities. Under the GDPR, companies instead keep internal records of their processing activities, and those that meet the criteria must appoint a Data Protection Officer, an internal role that the supervisory authorities deal with directly. However, this is akin to rearranging the deck chairs on the Titanic; and, as a bonus, it also reflects another example of arbitrary application of the GDPR:

• The fact that a company in the private sector would have to report to a data authority or officer of any kind smacks of anything but ‘free’ enterprise; and starts resembling, for lack of a better term, data censorship.

• The detail behind this provision states that it is “…only for those Controllers and Processors whose core activities consist of processing operations [that] require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.” The notion that the EU would, in effect, decide for arbitrary reasons to deploy more referees to look for penalties when some players are on the field—thus increasing the probability that those organizations may face privacy fines—ought to raise red flags from here to Moscow.14

13 Stratecast, We’ve Seen the Future of IT, and it is Big Data, Part 1: Will IoT Privacy Issues Steal the Future? (BDA 5-01, June 2017), available here

ASSESSMENT: NET NEGATIVE

3. The provision regarding INCREASED TERRITORIAL SCOPE means, in short, that the EU will apply the force of law embodied in the GDPR to any organization located anywhere on the planet that is collecting data on people in the EU. Since the EU is one of the world’s major financial centers, and most companies serving international markets are likely already doing business in the EU, this has the effect of making the GDPR the de facto privacy ‘law of the land’ worldwide—without anyone outside the EU having been given a vote on this far-reaching legislation. The second troubling piece of this provision is the requirement that businesses located outside the EU, which are processing the data of EU residents, must appoint a representative in the EU. This is in keeping with an often-stated desire in technology markets for ‘one throat to choke’. In this instance, it is more correctly seen as ‘one nearby throat for the EU to choke’, if it believes a company is violating privacy. This raises issues and questions:

• If a company located in another region of the world is found by the EU to have violated privacy rules, and the company refuses or delays payment of the massive fines the EU has in store for violators, does the EU intend to collect from the violator’s EU representative? Is that the underlying reason for the requirement of an in-region representative?

• If so, that would have massive legal and financial ramifications that could make obtaining, and being, an EU representative a risky and prohibitively expensive proposition. That could make it impossible for many companies based outside the EU to do business there.

Implications for Businesses Considering Big Data Initiatives

Why should businesses care about the privacy regulations being adopted in the EU? Quite simply, big data is the new IT infrastructure. Big data running in a cloud environment, and accessed with advanced analytic tools and technology, is the new IT architecture. Companies unable to adopt such technology are ill-prepared to compete in a global market. The EU, by adopting privacy regulations that effectively shut down most of this technology, is not only penalizing companies wishing to do business in the EU; it is likely not doing much to protect the privacy of citizens who are voluntarily making public very intimate details of their personal lives on social media.

14 Or choose the key city from any nation laboring under a totalitarian regime, to complete the sentence.


While this is sufficiently concerning with regard to the EU, it is also worth noting that the UK has indicated that, even in the wake of Brexit, it, too, will implement GDPR.15 So, any organization hoping to bypass the EU, and continue business as usual in Europe, by way of London, can forget about that as an avoidance strategy.

Stratecast cautions any non-EU company proposing to do business in the EU, or considering offering services or products to people in the EU, to proceed carefully. Before proceeding, be absolutely certain you understand the implications of the GDPR for your business. Violations incur penalties that can threaten the survival of the company; at the very least, conforming to the regulation will introduce substantial costs to the business. In the long term, Stratecast believes that the GDPR will be very damaging to the EU economy.

Our recent analysis offers a Privacy Blueprint with specific recommendations as to what all impacted parties should be doing right now about the full range of privacy issues; and that Blueprint includes a GDPR Survival Plan for organizations doing business in the EU.16 We are confident that Plan will equip some organizations to weather the stormy privacy times ahead in the EU, and continue to prosper in the region. The combined weight of the various provisions of the GDPR, however, is certain to make other organizations swallow hard, and finally make the decision not to (or no longer to) do business in the EU.

15 White & Case, UK to implement GDPR regardless of Brexit, available here

16 Stratecast, We’ve Seen the Future of IT, and it is Big Data, Part 1: Will IoT Privacy Issues Steal the Future? (BDA 5-01, June 2017), available here


Jeff Cotrupe Industry Director – Big Data and Analytics Stratecast | Frost & Sullivan [email protected]

17 Stratecast, We Have Seen the Future of IT, and it is Big Data, Part 2: A Blueprint for Privacy, in the IoT and Everywhere (BDA 5-02, July 2017), available here

Stratecast: The Last Word

The author has heard it said of a number of concepts, Communism among them, that the concept in question sounds great in theory but has proven problematic in actual practice. The same might be said about the EU’s GDPR. In theory, protecting the privacy of the citizens of the EU—or, for that matter, anywhere in the world—is, in the eyes of most observers, and certainly in ours, a worthwhile objective. However, most of the key provisions of the GDPR add up to a regulation that, in our assessment, doesn’t even sound good in theory.

One meta-issue we have is with the provisions themselves. To cite just one, the Right to Be Forgotten raises issues of both privacy and technology logistics that we believe will make it unworkable. It is understandable that citizens do not want things appearing online that portray them in a negative light. Trying to impose what amounts to data censorship on all companies, however, in response to requests by any citizen, at any time, could make it impossible for businesses to use data they hold for any legitimate business purpose. (Article 17 of the regulation does list specific grounds on which erasure may be demanded, and exceptions such as freedom of expression and legal obligations; our concern is with how the provision will be applied in practice.) It strikes us that, rather than imposing draconian regulation on all companies, the EU might instead demand fairer treatment of (not data, but) ‘News Subjects’ by major newspapers in London and other major population centers—whose uber-aggressive approaches to what constitutes news almost certainly provided partial inspiration for this provision.

Our other meta-issue is best expressed by the following analogy. If one is not a fan of how international soccer referees often appear to arbitrarily apply (or not apply) the rules of the sport—nor are accountable to teams or fans with regard to explaining their decisions—then the GDPR may not be one’s cup of tea. The arbitrary nature of some of the provisions of the GDPR—including that only some, and not all, companies will be required to appoint DPOs and account for their data activities to them—does not sit well with us; and should not sit well with any organization currently doing business in the region. It is discriminatory and invites both overly zealous regulation and abuse.

Our recent analysis offers a Privacy Blueprint that incorporates a GDPR Survival Plan.17 We urge every company doing business in the EU to consult that analysis, because it offers concrete ways to equip one’s organization for full enforcement of the GDPR, which commences in May 2018.


About Stratecast Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.

CONTACT US For more information, visit www.stratecast.com, dial 877-463-7678, or email [email protected].