Reading through the General Data Protection Regulation (GDPR) can fill a business owner with an equal mix of confusion and anxiety. The GDPR’s choice of phrasing offers a seemingly unending supply of non-prescriptive language that feels open to interpretation, as well as likely misinterpretation. Additionally, the entire GDPR rollout has been accompanied by such a media-ready focus on potential punitive measures (fines, penalties, etc.) that while its relevance and practical application to the business owner may not yet be totally clear, it is impossible to prepare for its arrival without some degree of concern.
While much of the GDPR’s actual wording can be endlessly interpreted for specific meaning, it is worth examining one specific phrase that has received a fair bit of attention from business owners – the use of the term ‘state of the art’. This is a great example of language usage that is both extremely relevant to the practical application of the GDPR within the business landscape and, at the same time, indicative of this concept of ‘pliability with purpose’; of leaving enough wiggle room for interpretation.
From 1995 to 2018: Keeping Data Protection in Line with the Times
Before we examine individual word choices, it is important to understand the context of the regulation. The GDPR replaces the 1995 EU Data Protection Directive 95/46/EC. This EU directive, drafted over two decades ago, is from the time of Netscape, AOL, Yahoo, dial-up internet, and so on. A time when both the technologies and security processes employed by organizations are a faded memory for most consumers and business owners today. A time before Google and the Internet of Things (IoT), when concepts of data and information privacy were as connected to paper files and folders as they were to the nascent world wide web.
The GDPR aims to strengthen, update and unify the previous EU directive. It broadens the scope and definition of personal information protected, increases the powers of enforcement by the relevant supervisory authorities and increases the maximum penalties to the headline figures often quoted – €20m or 4% of annual revenue (whichever is greater) for major infringements. Equally as important, the GDPR attempts to remain relevant for decades to come by incorporating sufficient flexibility in its language to accommodate future technological advances that have not yet been dreamed of.
Phrasing of the Regulation: ‘State of the Art’& Equivalent Terminology
This intent to ensure future relevance has left many casual readers of the GDPR with the distinct impression that this regulation is vague and open to debate. However, if the GDPR were to specify particular technologies that a business should use to safeguard its data, it would not allow for significant shifts in commercially available technologies. Being too specific could result in the regulation losing its effectiveness and becoming obsolete. Article 32, Section 1 of the GDPR is a good example of its approach:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
Here ‘state of the art’ emphasizes that the GDPR aims to stay relevant to all times and acknowledges that what is state of the art, high quality or cutting edge today may not be considered as such a few years from now. Businesses should take into account best practices and the optimal solution, method and/or process to safeguard the personal data they hold and to mitigate risks.
However, as certain phrases in the above extract go to show, this does not necessarily mean employing the latest premium technology, regardless of cost or how appropriate this is to the organization. The “costs of implementation” are specifically mentioned as a factor to be considered here, as is “the nature, scope, context and purposes of processing” and “the risk of varying likelihood and severity for the rights and freedoms of natural persons.” For example, third party automated profiling of financial data for the purposes of a mortgage application may carry higher risk than an organization processing its own employee data. Similarly, data that cannot be changed or reset – such as a national ID or Social Security number, or biometric data such as fingerprints – would have a critical impact on the individual concerned if it were exposed in error.
Organizations need to demonstrate that they have implemented “appropriate technical and organizational measures” to protect data. They should use appropriate technology – hardware and software – and also organizational processes, data flows, employee training and so on, set in the context of their business size and complexity, and the level of risk. The GDPR allows organizations to demonstrate compliance by looking to current industry best practice standards and guidelines to ensure a thorough and well-documented approach.
Applying ‘State of the Art’
Many smaller and medium sized businesses (SMBs) may feel they are prevented from complying with the GDPR because they cannot afford cutting edge technology and premium enterprise products. It is critical to understand that, with the GDPR, there is not one box to tick or one silver bullet technological solution for any/all organizations. The GDPR’s conditional language serves to prompt organizations to show that they are doing their best to protect EU personal data, that they are applying a data protection mindset and making an effort to discover, prioritize and manage vulnerabilities and risks of data loss and breaches. In the short term, that means applying today’s best practices, processes and available technologies. As to what that means for the future, the GDPR implies, is anyone’s guess.
